From a919cc191a207373c7aa854dfe4949f9f0fe9daa Mon Sep 17 00:00:00 2001 
From: charlesporter Date: Sun, 13 Dec 2015 21:04:53 -0800 Subject: [PATCH] replace opensoc-steaming version 0.4BETA with 0.6BETA 8e7a6b4ad9febbc4ea47ba7810c42cc94d4dee37 --- opensoc-streaming/.gitignore | 15 - opensoc-streaming/.travis.yml | 14 - opensoc-streaming/OpenSOC-Alerts/pom.xml | 61 +- opensoc-streaming/OpenSOC-Alerts/readme.md | 104 + .../com/opensoc/alerts/AbstractAlertBolt.java | 13 +- .../opensoc/alerts/TelemetryAlertsBolt.java | 31 +- .../alerts/adapters/AbstractAlertAdapter.java | 8 +- .../alerts/adapters/AllAlertAdapter.java | 249 +- .../alerts/adapters/CIFAlertsAdapter.java | 311 + .../HbaseWhiteAndBlacklistAdapter.java | 130 +- .../alerts/adapters/KeywordsAlertAdapter.java | 274 + .../opensoc/alerts/adapters/RangeChecker.java | 23 + .../alerts/adapters/ThreatAlertsAdapter.java | 311 + .../src/main/resources/hbase-site.xml | 221 +- .../alerts/adapters/AllAlertAdapterTest.java | 166 + .../resources/AllAlertAdapterTest.properties | 1 + .../TestSchemas/AllAlertAdapterSchema.json | 42 + .../config/AllAlertAdapterTest.config | 8 + opensoc-streaming/OpenSOC-Common/.gitignore | 1 + opensoc-streaming/OpenSOC-Common/pom.xml | 48 +- .../configuration/ConfigurationManager.java | 119 + .../interfaces/ThreatIntelSource.java | 11 + .../java/com/opensoc/hbase/HBaseBolt.java | 14 +- .../helpers/services/PcapServiceCli.java | 110 + .../topology}/Cli.java | 2 +- .../topology}/ErrorGenerator.java | 18 +- .../topology}/SettingsLoader.java | 35 +- .../index/interfaces/IndexAdapter.java | 6 +- .../com/opensoc/ise/parser/ISEParser.java | 45 +- .../ise/parser/ISEParserTokenManager.java | 3 - .../json/serialization/JSONEncoderHelper.java | 2 + .../serialization/JSONKafkaSerializer.java | 18 +- .../parser/interfaces/MessageParser.java | 1 + .../java/com/opensoc/pcap/PacketInfo.java | 73 +- .../opensoc/pcap/PcapByteOutputStream.java | 288 + .../java/com/opensoc/pcap/PcapMerger.java | 245 + .../opensoc/pcap/PcapPacketComparator.java | 22 + 
.../java/com/opensoc/pcap/PcapParser.java | 183 + .../main/java/com/opensoc/pcap/PcapUtils.java | 27 + .../src/main/java/com/opensoc/pcap/asdf.java | 5 - .../com/opensoc/test/AbstractConfigTest.java | 299 + .../com/opensoc/test/AbstractSchemaTest.java | 198 + .../com/opensoc/test/AbstractTestContext.java | 2 +- .../java/com/opensoc/test/ISEParserTest.java | 27 - .../tldextractor/BasicTldExtractor.java | 137 + .../test/BasicTldExtractorTest.java | 125 + .../config/BasicTldExtractorTest.config | 2 + .../test/resources/effective_tld_names.dat | 9719 +++++++++++++++++ opensoc-streaming/OpenSOC-DataLoads/README.md | 50 + .../dependency-reduced-pom.xml | 145 - opensoc-streaming/OpenSOC-DataLoads/pom.xml | 22 +- .../opensoc/dataloads/cif/HBaseTableLoad.java | 122 - .../opensoc/dataloads/ThreatIntelLoader.java | 174 + .../opensoc/dataloads/cif/HBaseTableLoad.java | 238 + .../src/{ => main/resources}/hbase-site.xml | 0 .../OpenSOC-DataServices/README.md | 1 + .../OpenSOC-DataServices/pom.xml | 232 +- .../alerts/server/AlertsProcessingServer.java | 1 - .../opensoc/alerts/server/AlertsSearcher.java | 2 - .../dataservices/kafkaclient/KafkaClient.java | 10 +- .../kafkaclient/KafkaConsumer.java | 8 +- .../modules/guice/DefaultServletModule.java | 1 - .../modules/guice/RestEasyModule.java | 5 +- .../modules/guice/ServiceModule.java | 1 - .../dataservices/rest/RestServices.java | 2 - .../dataservices/servlet/LogoutServlet.java | 8 - .../websocket/KafkaMessageSenderServlet.java | 1 - .../websocket/KafkaMessageSenderSocket.java | 2 - .../websocket/KafkaWebSocketCreator.java | 1 - .../pcapservice}/CellTimestampComparator.java | 8 +- .../pcapservice}/ConfigurationUtil.java | 6 +- .../pcapservice}/HBaseConfigConstants.java | 2 +- .../pcapservice}/HBaseConfigurationUtil.java | 2 +- .../com/opensoc/pcapservice}/IPcapGetter.java | 2 +- .../opensoc/pcapservice}/IPcapScanner.java | 2 +- .../pcapservice}/PcapGetterHBaseImpl.java | 29 +- .../com/opensoc/pcapservice}/PcapHelper.java | 2 +- 
.../pcapservice/PcapReceiverImplRestEasy.java | 256 + .../pcapservice}/PcapScannerHBaseImpl.java | 8 +- .../opensoc/pcapservice}/PcapsResponse.java | 6 +- .../opensoc/pcapservice}/RestTestingUtil.java | 2 +- .../pcapservice/rest/JettyServiceRunner.java | 26 + .../opensoc/pcapservice/rest/PcapService.java | 34 + .../ElasticSearch_KafkaAlertsService.java | 1 - .../resources/config-definition-hbase.xml | 0 .../resources/hbase-config-default.properties | 2 +- .../src/main/resources/hbase-site.xml | 127 + .../CellTimestampComparatorTest.java | 10 +- .../OpenSOC-EnrichmentAdapters/pom.xml | 138 +- .../OpenSOC-EnrichmentAdapters/readme.md | 125 + .../adapters/geo/GeoMysqlAdapter.java | 5 +- .../host/HostFromPropertiesFileAdapter.java | 4 +- .../threat/AbstractThreatAdapter.java | 36 + .../adapters/threat/ThreatHbaseAdapter.java | 129 + .../adapters/whois/WhoisHBaseAdapter.java | 23 +- .../common/AbstractEnrichmentBolt.java | 16 +- .../common/GenericEnrichmentBolt.java | 21 +- .../src/main/resources/hbase-site.xml | 221 +- .../adapters/cif/CIFHbaseAdapterTest.java | 27 + .../adapters/geo/GeoMysqlAdapterTest.java | 46 +- .../adapters/whois/WhoisHBaseAdapterTest.java | 31 +- .../resources/CIFHbaseAdapterTest.properties | 8 +- .../resources/GeoMysqlAdapterTest.properties | 8 +- .../resources/TestSchemas/CIFHbaseSchema.json | 0 .../resources/TestSchemas/GeoMySqlSchema.json | 42 + .../TestSchemas/WhoisHbaseSchema.json | 0 .../WhoisHbaseAdapterTest.properties | 8 +- opensoc-streaming/OpenSOC-Indexing/pom.xml | 16 +- opensoc-streaming/OpenSOC-Indexing/readme.md | 61 + .../indexing/TelemetryIndexingBolt.java | 26 +- .../adapters/AbstractIndexAdapter.java | 2 +- .../indexing/adapters/ESBaseBulkAdapter.java | 12 +- .../adapters/ESBulkRotatingAdapter.java | 18 +- .../adapters/ESTimedRotatingAdapter.java | 49 +- .../OpenSOC-MessageParsers/pom.xml | 30 +- .../OpenSOC-MessageParsers/readme.md | 82 + .../opensoc/parsing/AbstractParserBolt.java | 33 +- 
.../com/opensoc/parsing/PcapParserBolt.java | 83 +- .../opensoc/parsing/TelemetryParserBolt.java | 9 +- .../parsing/parsers/AbstractParser.java | 8 +- .../parsing/parsers/BasicBroParser.java | 101 +- .../parsing/parsers/BasicFireEyeParser.java | 234 + .../parsing/parsers/BasicIseParser.java | 2 + .../parsing/parsers/BasicLancopeParser.java | 2 + .../parsing/parsers/BasicLogstashParser.java | 65 + .../parsers/BasicPaloAltoFirewallParser.java | 184 + .../parsers/BasicSourcefireParser.java | 25 +- .../parsing/parsers/GrokAsaParser.java | 269 + .../parsing/parsers/GrokSourcefireParser.java | 2 + .../opensoc/parsing/parsers/GrokUtils.java | 26 + .../parsing/parsers/OpenSOCConverter.java | 183 + .../parsing/parsers/OpenSOCGarbage.java | 130 + .../opensoc/parsing/parsers/OpenSOCGrok.java | 367 + .../opensoc/parsing/parsers/OpenSOCMatch.java | 280 + .../opensoc/parsing/parsers/ParserUtils.java | 23 + .../src/main/resources/patterns/asa | 176 + .../src/main/resources/patterns/fireeye | 9 + .../{patters => patterns}/sourcefire | 0 .../parsing/test/BasicBroParserTest.java | 103 + .../parsing/test/BasicFireEyeParserTest.java | 141 + .../parsing/test/BasicIseParserTest.java | 149 +- .../parsing/test/BasicLancopeParserTest.java | 144 +- .../test/BasicPaloAltoFirewallParserTest.java | 136 + .../test/BasicSourcefireParserTest.java | 103 +- .../opensoc/parsing/test/BroParserTest.java | 120 +- .../parsing/test/GrokAsaParserTest.java | 149 + .../src/test/resources/BroParserTest.log | 3 + .../src/test/resources/FireEyeParserTest.log | 8 + .../src/test/resources/GrokParserTest.log | 12 + .../{IseSample.log => IseParserTest.log} | 0 .../src/test/resources/LancopeParserTest.log | 1 + .../resources/PaloAltoFirewallParserTest.log | 2 + .../src/test/resources/SourceFireTest.log | 3 + .../test/resources/TestSchemas/BroSchema.json | 28 + .../resources/TestSchemas/LancopeSchema.json | 14 +- .../TestSchemas/SourcefireSchema.json | 20 +- .../config/BasicFireEyeParserTest.config | 2 + 
.../config/BasicIseParserTest.config | 2 + .../config/BasicLancopeParserTest.config | 2 + .../BasicPaloAltoFirewallParserTest.config | 2 + .../config/BasicSourcefireParserTest.config | 2 + .../resources/config/BroParserTest.config | 2 + .../resources/config/GrokAsaParserTest.config | 2 + .../test/resources/effective_tld_names.dat | 9719 +++++++++++++++++ .../OpenSOC-PCAP_Reconstruction/hbase/.pmd | 1262 --- .../hbase/dependency-reduced-pom.xml | 230 - .../OpenSOC-PCAP_Reconstruction/hbase/pom.xml | 137 - .../opensoc/hbase/client/IPcapReceiver.java | 109 - .../hbase/client/PcapReceiverImpl.java | 212 - .../hbase/client/PcapReceiverImplTest.java | 232 - .../OpenSOC-PCAP_Reconstruction/service/.pmd | 1190 -- .../service/README.txt | 10 - .../service/pom.xml | 52 - .../src/main/resources/log4j.properties | 10 - .../src/main/webapp/META-INF/MANIFEST.MF | 3 - .../src/main/webapp/WEB-INF/ipcap-config.xml | 7 - .../service/src/main/webapp/WEB-INF/web.xml | 17 - .../hbase => OpenSOC-Pcap_Service}/README.txt | 0 .../OpenSOC-Pcap_Service/pom.xml | 267 + .../pom.xml.versionsBackup | 268 + .../pcapservice/CellTimestampComparator.java | 23 + .../pcapservice/ConfigurationUtil.java | 269 + .../pcapservice/HBaseConfigConstants.java | 40 + .../pcapservice/HBaseConfigurationUtil.java | 165 + .../com/opensoc/pcapservice/IPcapGetter.java | 88 + .../com/opensoc/pcapservice/IPcapScanner.java | 49 + .../pcapservice/PcapGetterHBaseImpl.java | 809 ++ .../com/opensoc/pcapservice/PcapHelper.java | 205 + .../pcapservice/PcapReceiverImplRestEasy.java | 250 + .../pcapservice/PcapScannerHBaseImpl.java | 302 + .../opensoc/pcapservice/PcapsResponse.java | 153 + .../opensoc/pcapservice/RestTestingUtil.java | 238 + .../pcapservice/rest/JettyServiceRunner.java | 26 + .../opensoc/pcapservice/rest/PcapService.java | 34 + ...nlyDeleteExpiredFilesCompactionPolicy.java | 37 + .../resources/config-definition-hbase.xml | 34 + .../resources/hbase-config-default.properties | 40 + 
.../src/main/resources/hbase-site.xml | 127 + .../src/main/resources/log4j.properties | 0 .../CellTimestampComparatorTest.java | 92 + .../pcapservice}/ConfigurationUtilTest.java | 6 +- .../HBaseConfigurationUtilTest.java | 4 +- .../pcapservice}/HBaseIntegrationTest.java | 2 +- .../pcapservice}/PcapGetterHBaseImplTest.java | 22 +- .../opensoc/pcapservice}/PcapHelperTest.java | 8 +- .../PcapScannerHBaseImplTest.java | 6 +- .../test/resources/hbase-config.properties | 2 +- .../src/test/resources/test-tcp-packet.pcap | Bin opensoc-streaming/OpenSOC-Topologies/pom.xml | 188 + .../OpenSOC-Topologies/readme.md | 47 + .../main/java/com/opensoc/topology/Asa.java | 40 + .../java/com/opensoc/topology/FireEye.java | 21 + .../main/java/com/opensoc/topology/Ise.java | 4 + .../java/com/opensoc/topology/Lancope.java | 5 + .../opensoc/topology/PaloAltoFirewall.java | 41 + .../main/java/com/opensoc/topology/Pcap.java | 6 + .../opensoc/topology/runner/AsaRunner.java | 94 + .../opensoc/topology/runner/BroRunner.java | 15 +- .../topology/runner/FireEyeRunner.java | 77 + .../opensoc/topology/runner/ISERunner.java | 17 +- .../topology/runner/LancopeRunner.java | 15 +- .../runner/PaloAltoFirewallRunner.java | 95 + .../opensoc/topology/runner/PcapRunner.java | 4 +- .../topology/runner/SourcefireRunner.java | 17 +- .../topology/runner/TopologyRunner.java | 205 +- .../topologies/asa/features_enabled.conf | 113 + .../topologies/asa/metrics.conf | 26 + .../topologies/asa/topology.conf | 110 + .../topologies/asa/topology_identifier.conf | 4 + .../topologies/bro/features_enabled.conf | 14 +- .../topologies/bro/topology.conf | 71 +- .../topologies/fireeye/features_enabled.conf | 113 + .../topologies/fireeye/metrics.conf | 26 + .../topologies/fireeye/topology.conf | 110 + .../fireeye/topology_identifier.conf | 4 + .../topologies/ise/features_enabled.conf | 10 +- .../topologies/ise/topology.conf | 39 +- .../topologies/lancope/features_enabled.conf | 10 +- .../topologies/lancope/topology.conf | 39 
+- .../topologies/paloalto/features_enabled.conf | 113 + .../topologies/paloalto/metrics.conf | 26 + .../topologies/paloalto/topology.conf | 113 + .../paloalto/topology_identifier.conf | 4 + .../topologies/pcap/features_enabled.conf | 10 +- .../topologies/pcap/topology.conf | 64 +- .../sourcefire/features_enabled.conf | 10 +- .../topologies/sourcefire/topology.conf | 48 +- .../src/main/resources/SampleInput/AsaOutput | 100 + .../SampleInput/FireeyeExampleOutput | 90 + .../resources/SampleInput/ISESampleOutput | 314 +- .../main/resources/SampleInput/PaloaltoOutput | 100 + .../TopologyConfigs_old/lancope.conf | 16 +- .../main/resources/effective_tld_names.dat | 9719 +++++++++++++++++ .../src/main/resources/hbase-site.xml | 131 + opensoc-streaming/pom.xml | 15 +- opensoc-streaming/readme.md | 136 +- 256 files changed, 43963 insertions(+), 5245 deletions(-) delete mode 100644 opensoc-streaming/.gitignore delete mode 100644 opensoc-streaming/.travis.yml create mode 100644 opensoc-streaming/OpenSOC-Alerts/readme.md create mode 100644 opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/CIFAlertsAdapter.java create mode 100644 opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/KeywordsAlertAdapter.java create mode 100644 opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/RangeChecker.java create mode 100644 opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/ThreatAlertsAdapter.java create mode 100644 opensoc-streaming/OpenSOC-Alerts/src/test/java/com/opensoc/alerts/adapters/AllAlertAdapterTest.java create mode 100644 opensoc-streaming/OpenSOC-Alerts/src/test/resources/AllAlertAdapterTest.properties create mode 100644 opensoc-streaming/OpenSOC-Alerts/src/test/resources/TestSchemas/AllAlertAdapterSchema.json create mode 100644 opensoc-streaming/OpenSOC-Alerts/src/test/resources/config/AllAlertAdapterTest.config create mode 100644 opensoc-streaming/OpenSOC-Common/.gitignore create 
mode 100644 opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/configuration/ConfigurationManager.java create mode 100644 opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/dataloads/interfaces/ThreatIntelSource.java create mode 100644 opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/helpers/services/PcapServiceCli.java rename opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/{topologyhelpers => helpers/topology}/Cli.java (99%) rename opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/{topologyhelpers => helpers/topology}/ErrorGenerator.java (52%) rename opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/{topologyhelpers => helpers/topology}/SettingsLoader.java (80%) create mode 100644 opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapByteOutputStream.java create mode 100644 opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapMerger.java create mode 100644 opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapPacketComparator.java create mode 100644 opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapParser.java delete mode 100644 opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/asdf.java create mode 100644 opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/test/AbstractConfigTest.java create mode 100644 opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/test/AbstractSchemaTest.java delete mode 100644 opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/test/ISEParserTest.java create mode 100644 opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/tldextractor/BasicTldExtractor.java create mode 100644 opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/tldextractor/test/BasicTldExtractorTest.java create mode 100644 opensoc-streaming/OpenSOC-Common/src/test/resources/config/BasicTldExtractorTest.config create mode 100644 opensoc-streaming/OpenSOC-Common/src/test/resources/effective_tld_names.dat create 
mode 100644 opensoc-streaming/OpenSOC-DataLoads/README.md delete mode 100644 opensoc-streaming/OpenSOC-DataLoads/dependency-reduced-pom.xml delete mode 100644 opensoc-streaming/OpenSOC-DataLoads/src/com/opensoc/dataloads/cif/HBaseTableLoad.java create mode 100644 opensoc-streaming/OpenSOC-DataLoads/src/main/java/com/opensoc/dataloads/ThreatIntelLoader.java create mode 100644 opensoc-streaming/OpenSOC-DataLoads/src/main/java/com/opensoc/dataloads/cif/HBaseTableLoad.java rename opensoc-streaming/OpenSOC-DataLoads/src/{ => main/resources}/hbase-site.xml (100%) create mode 100644 opensoc-streaming/OpenSOC-DataServices/README.md rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client => OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice}/CellTimestampComparator.java (75%) rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client => OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice}/ConfigurationUtil.java (98%) rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client => OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice}/HBaseConfigConstants.java (96%) rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client => OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice}/HBaseConfigurationUtil.java (99%) rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client => OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice}/IPcapGetter.java (98%) rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client => OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice}/IPcapScanner.java (97%) rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client => 
OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice}/PcapGetterHBaseImpl.java (98%) rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client => OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice}/PcapHelper.java (99%) create mode 100644 opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/PcapReceiverImplRestEasy.java rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client => OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice}/PcapScannerHBaseImpl.java (98%) rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client => OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice}/PcapsResponse.java (97%) rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client => OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice}/RestTestingUtil.java (99%) create mode 100644 opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/rest/JettyServiceRunner.java create mode 100644 opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/rest/PcapService.java rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase => OpenSOC-DataServices}/src/main/resources/config-definition-hbase.xml (100%) rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase => OpenSOC-DataServices}/src/main/resources/hbase-config-default.properties (97%) create mode 100644 opensoc-streaming/OpenSOC-DataServices/src/main/resources/hbase-site.xml rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client => OpenSOC-DataServices/src/test/java/com/opensoc/pcapservice}/CellTimestampComparatorTest.java (85%) create mode 100644 opensoc-streaming/OpenSOC-EnrichmentAdapters/readme.md create mode 100644 
opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/threat/AbstractThreatAdapter.java create mode 100644 opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/threat/ThreatHbaseAdapter.java create mode 100644 opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/TestSchemas/CIFHbaseSchema.json create mode 100644 opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/TestSchemas/GeoMySqlSchema.json create mode 100644 opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/TestSchemas/WhoisHbaseSchema.json create mode 100644 opensoc-streaming/OpenSOC-Indexing/readme.md create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/readme.md create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicFireEyeParser.java create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicLogstashParser.java create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicPaloAltoFirewallParser.java create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/GrokAsaParser.java create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/GrokUtils.java create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/OpenSOCConverter.java create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/OpenSOCGarbage.java create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/OpenSOCGrok.java create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/OpenSOCMatch.java create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/ParserUtils.java create mode 100644 
opensoc-streaming/OpenSOC-MessageParsers/src/main/resources/patterns/asa create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/main/resources/patterns/fireeye rename opensoc-streaming/OpenSOC-MessageParsers/src/main/resources/{patters => patterns}/sourcefire (100%) create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicBroParserTest.java create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicFireEyeParserTest.java create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicPaloAltoFirewallParserTest.java create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/GrokAsaParserTest.java create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/BroParserTest.log create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/FireEyeParserTest.log create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/GrokParserTest.log rename opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/{IseSample.log => IseParserTest.log} (100%) create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/LancopeParserTest.log create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/PaloAltoFirewallParserTest.log create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/SourceFireTest.log create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/TestSchemas/BroSchema.json create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicFireEyeParserTest.config create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicIseParserTest.config create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicLancopeParserTest.config create mode 100644 
opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicPaloAltoFirewallParserTest.config create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicSourcefireParserTest.config create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BroParserTest.config create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/GrokAsaParserTest.config create mode 100644 opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/effective_tld_names.dat delete mode 100644 opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/.pmd delete mode 100644 opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/dependency-reduced-pom.xml delete mode 100644 opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/pom.xml delete mode 100644 opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/IPcapReceiver.java delete mode 100644 opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/PcapReceiverImpl.java delete mode 100644 opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/PcapReceiverImplTest.java delete mode 100644 opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/.pmd delete mode 100644 opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/README.txt delete mode 100644 opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/pom.xml delete mode 100644 opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/src/main/resources/log4j.properties delete mode 100644 opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/src/main/webapp/META-INF/MANIFEST.MF delete mode 100644 opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/src/main/webapp/WEB-INF/ipcap-config.xml delete mode 100644 opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/src/main/webapp/WEB-INF/web.xml rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase => OpenSOC-Pcap_Service}/README.txt (100%) 
create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/pom.xml create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/pom.xml.versionsBackup create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/CellTimestampComparator.java create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/ConfigurationUtil.java create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/HBaseConfigConstants.java create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/HBaseConfigurationUtil.java create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/IPcapGetter.java create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/IPcapScanner.java create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapGetterHBaseImpl.java create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapHelper.java create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapReceiverImplRestEasy.java create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapScannerHBaseImpl.java create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapsResponse.java create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/RestTestingUtil.java create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/rest/JettyServiceRunner.java create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/rest/PcapService.java create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/org/apache/hadoop/hbase/regionserver/compactions/OnlyDeleteExpiredFilesCompactionPolicy.java create mode 
100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/resources/config-definition-hbase.xml create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/resources/hbase-config-default.properties create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/main/resources/hbase-site.xml rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase => OpenSOC-Pcap_Service}/src/main/resources/log4j.properties (100%) create mode 100644 opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/CellTimestampComparatorTest.java rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client => OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice}/ConfigurationUtilTest.java (86%) rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client => OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice}/HBaseConfigurationUtilTest.java (90%) rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client => OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice}/HBaseIntegrationTest.java (97%) rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client => OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice}/PcapGetterHBaseImplTest.java (98%) rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client => OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice}/PcapHelperTest.java (97%) rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client => OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice}/PcapScannerHBaseImplTest.java (98%) rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase => OpenSOC-Pcap_Service}/src/test/resources/hbase-config.properties (97%) rename opensoc-streaming/{OpenSOC-PCAP_Reconstruction/hbase => 
OpenSOC-Pcap_Service}/src/test/resources/test-tcp-packet.pcap (100%) create mode 100644 opensoc-streaming/OpenSOC-Topologies/pom.xml create mode 100644 opensoc-streaming/OpenSOC-Topologies/readme.md create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/Asa.java create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/FireEye.java create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/PaloAltoFirewall.java create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/AsaRunner.java create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/FireEyeRunner.java create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/PaloAltoFirewallRunner.java create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/asa/features_enabled.conf create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/asa/metrics.conf create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/asa/topology.conf create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/asa/topology_identifier.conf create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/fireeye/features_enabled.conf create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/fireeye/metrics.conf create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/fireeye/topology.conf create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/fireeye/topology_identifier.conf create mode 100644 
opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/paloalto/features_enabled.conf create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/paloalto/metrics.conf create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/paloalto/topology.conf create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/paloalto/topology_identifier.conf create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/resources/SampleInput/AsaOutput create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/resources/SampleInput/FireeyeExampleOutput create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/resources/SampleInput/PaloaltoOutput create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/resources/effective_tld_names.dat create mode 100644 opensoc-streaming/OpenSOC-Topologies/src/main/resources/hbase-site.xml
diff --git a/opensoc-streaming/.gitignore b/opensoc-streaming/.gitignore
deleted file mode 100644
index 6f6d8118d8..0000000000
--- a/opensoc-streaming/.gitignore
+++ /dev/null
@@ -1,15 +0,0 @@
-*.class
-target/
-copy/
-
-# Package Files #
-*.jar
-*.war
-*.ear
-
-# Eclipse related files
-.classpath
-.project
-.settings/
-
-OpenSOC-Topologies/pom.xml
diff --git a/opensoc-streaming/.travis.yml b/opensoc-streaming/.travis.yml
deleted file mode 100644
index 7c87471cad..0000000000
--- a/opensoc-streaming/.travis.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-language: java
-before_script:
- mvn clean install -Dmode=local
-notifications:
- email:
- recipients:
- - spiddapa@cisco.com
- - jsirota@cisco.com
- on_success: always
- on_failure: always
- hipchat:
- rooms:
- secure: grhlFGHjjEIiOUa/Wt7pyB78La9WHQCQOZEsGSjaYDAObIClBtmfP0TYEIa+Sk6auNFWdRwhxCu8xGtT+G554loR+9A5iQaCGqlJGQyygHl5PwlWu0kWRFRO75zfvLMTQ+beowM/tgGnf0MBz5adjZmnGu+L0Fet3SYcQOJixe0=
-
diff --git a/opensoc-streaming/OpenSOC-Alerts/pom.xml b/opensoc-streaming/OpenSOC-Alerts/pom.xml index a2fcfe53be..55fb68b45c 100644 --- a/opensoc-streaming/OpenSOC-Alerts/pom.xml +++ b/opensoc-streaming/OpenSOC-Alerts/pom.xml @@ -15,19 +15,21 @@ com.opensoc OpenSOC-Streaming - 0.3BETA-SNAPSHOT + 0.6BETA OpenSOC-Alerts OpenSOC-Alerts Taggers for alerts + UTF-8 + UTF-8 1.4.0 com.opensoc OpenSOC-Common - ${parent.version} + ${project.parent.version} com.googlecode.json-simple @@ -39,6 +41,12 @@ storm-core ${global_storm_version} provided + + + servlet-api + javax.servlet + + org.apache.kafka @@ -69,13 +77,60 @@ commons-validator commons-validator ${commons.validator.version} + + + + commons-beanutils + + commons-beanutils + + + + + + org.apache.maven.plugins + maven-surefire-plugin + 2.18 + + + + mode + local + + + + + + org.apache.maven.plugins + maven-compiler-plugin + 3.1 + + 1.7 + 1.7 + + + + org.apache.maven.plugins + maven-pmd-plugin + 3.3 + + 1.7 + + + + org.codehaus.mojo + emma-maven-plugin + 1.0-alpha-3 + true + + src/main/resources - \ No newline at end of file + diff --git a/opensoc-streaming/OpenSOC-Alerts/readme.md b/opensoc-streaming/OpenSOC-Alerts/readme.md new file mode 100644 index 0000000000..1c410a468b --- /dev/null +++ b/opensoc-streaming/OpenSOC-Alerts/readme.md 
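Review bot: The exclusions added in the second and third hunks of OpenSOC-Alerts/pom.xml carry no comment saying why they are needed or what supplies the excluded library afterwards; they read as a `servlet-api` / `javax.servlet` exclusion under storm-core and a `commons-beanutils` exclusion under commons-validator, although the XML tags are lost in this rendering, so the element names are inferred. commons-validator normally resolves commons-beanutils transitively, so after this change the version that ends up on the classpath, if any, is decided by some other module that this diff does not show. I would put a one-line XML comment above each exclusion, for example `<!-- excluded: clashes with ARTIFACT_PLACEHOLDER; supplied by ARTIFACT_PLACEHOLDER at a pinned version -->`, and confirm the resolved versions with `mvn dependency:tree` before merging. The third hunk also adds `emma-maven-plugin` at `1.0-alpha-3`, an alpha-versioned build plugin, so it is worth confirming that it is required for every build rather than only for coverage runs.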
@@ -0,0 +1,104 @@ +#OpenSOC-Alerts + +##Module Description + +This module enables telemetry alerts. It splits the mssage stream into two streams. The original message is emitted on the "message" stream. The corresponding alert is emitted on the "alerts" stream. The two are tied together through the alerts UUID. + +##Message Format + +Assuming the original message (with enrichments enabled) has the following format: + +```json +{ +"message": +{"ip_src_addr": xxxx, +"ip_dst_addr": xxxx, +"ip_src_port": xxxx, +"ip_dst_port": xxxx, +"protocol": xxxx, +"timestamp": xxxx. +"original_string": xxxx, +"additional-field 1": xxxx, +}, +"enrichment" : {"geo": xxxx, "whois": xxxx, "hosts": xxxxx, "CIF": "xxxxx"} + +} +``` + +The telemetry message will be tagged with a UUID alert tag like so: + +```json +{ +"message": +{"ip_src_addr": xxxx, +"ip_dst_addr": xxxx, +"ip_src_port": xxxx, +"ip_dst_port": xxxx, +"protocol": xxxx, +"timestamp": xxxx, +"original_string": xxxx, +"additional-field 1": xxxx, +}, +"enrichment" : {"geo": xxxx, "whois": xxxx, "hosts": xxxxx, "CIF": "xxxxx"}, +"alerts": [UUID1, UUID2, UUID3, etc] + +} +``` + +The alert will be fired on the "alerts" stream and can be customized to have any format as long as it includes the required mandatory fields. The mandatory fields are: + +* timestamp (epoch): The time from the message that triggered the alert +* description: A human friendly string representation of the alert +* alert_id: The UUID generated for the alert. This uniquely identifies an alert + +There are other standard but not mandatory fields that can be leveraged by opensoc-ui and other alert consumers: + +* designated_host: The IP address that corresponds to an asset. Ex. The IP address of the company device associated with the alert. +* enrichment: A copy of the enrichment data from the message that triggered the alert +* priority: The priority of the alert. 
Mustb e set to one of HIGH, MED or LOW + +An example of an alert with all mandatory and standard fields would look like so: + +```json +{ +"timestamp": xxxx, +"alert_id": UUID, +"description": xxxx, +"designated_host": xxxx, +"enrichment": { "geo": xxxx, "whois": xxxx, "cif": xxxx }, +"priority": "MED" +} +``` + +##Alerts Bolt + +The bolt can be extended with a variety of alerts adapters. The ability to stack alerts is currently in beta, but is not currently advisable. We advice to only have one alerts bolt per topology. The adapters are rules-based adapters which fire alerts when rules are a match. Currently only Java adapters are provided, but there are future plans to provide Grok-Based adapters as well. + +The signature of the Alerts bolt is as follows: + +``` +TelemetryAlertsBolt alerts_bolt = new TelemetryAlertsBolt() +.withIdentifier(alerts_identifier).withMaxCacheSize(1000) +.withMaxTimeRetain(3600).withAlertsAdapter(alerts_adapter) +.withMetricConfiguration(config); +``` +Identifier - JSON key where the alert is attached +TimeRetain & MaxCacheSize - Caching parameters for the bolt +MetricConfiguration - export custom bolt metrics to graphite (if not null) +AlertsAdapter - pick the appropriate adapter for generating the alerts + +### Java Adapters + +Java adapters are designed for high volume topologies, but are not easily extensible. The adapters provided are: + +* com.opensoc.alerts.adapters.AllAlertsAdapter - will tag every single message with the static alert (appropriate for topologies like Sourcefire, etc, where every single message is an alert) +* com.opensoc.alerts.adapters.HbaseWhiteAndBlacklistAdapter - will read white and blacklists from HBase and fire alerts if source or dest IP are not on the whitelist or if any IP is on the blacklist +* com.opensoc.alerts.adapters.CIFAlertsAdapter - will alert on messages that have results in enrichment.cif. 
+* com.opensoc.alerts.adpaters.KeywordsAlertAdapter - will alert on messages that contain any of a list of keywords +###Grok Adapters + +Grok alerts adapters for OpenSOC are still under devleopment + +###Stacking Alert Adapters + +The functionality to stack alerts adapters is still under development diff --git a/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/AbstractAlertBolt.java b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/AbstractAlertBolt.java index 8dc4c9d1d3..4ea1d58e6b 100644 --- a/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/AbstractAlertBolt.java +++ b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/AbstractAlertBolt.java @@ -54,8 +54,8 @@ public abstract class AbstractAlertBolt extends BaseRichBolt { protected JSONObject _identifier; protected MetricReporter _reporter; - protected int _MAX_CACHE_SIZE = -1; - protected int _MAX_TIME_RETAIN = -1; + protected int _MAX_CACHE_SIZE_OBJECTS_NUM = -1; + protected int _MAX_TIME_RETAIN_MINUTES = -1; protected Counter ackCounter, emitCounter, failCounter; @@ -82,10 +82,10 @@ public final void prepare(Map conf, TopologyContext topologyContext, if (this._identifier == null) throw new IllegalStateException("Identifier must be specified"); - if (this._MAX_CACHE_SIZE == -1) - throw new IllegalStateException("MAX_CACHE_SIZE must be specified"); - if (this._MAX_TIME_RETAIN == -1) - throw new IllegalStateException("MAX_TIME_RETAIN must be specified"); + if (this._MAX_CACHE_SIZE_OBJECTS_NUM == -1) + throw new IllegalStateException("MAX_CACHE_SIZE_OBJECTS_NUM must be specified"); + if (this._MAX_TIME_RETAIN_MINUTES == -1) + throw new IllegalStateException("MAX_TIME_RETAIN_MINUTES must be specified"); try { doPrepare(conf, topologyContext, collector); @@ -95,6 +95,7 @@ public final void prepare(Map conf, TopologyContext topologyContext, } boolean success = _adapter.initialize(); + try { if (!success) 
diff --git a/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/TelemetryAlertsBolt.java b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/TelemetryAlertsBolt.java index 36bd0fc8f8..7fdba595f5 100644 --- a/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/TelemetryAlertsBolt.java +++ b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/TelemetryAlertsBolt.java @@ -31,12 +31,11 @@ import backtype.storm.tuple.Tuple; import backtype.storm.tuple.Values; -import com.esotericsoftware.minlog.Log; import com.google.common.cache.CacheBuilder; import com.opensoc.alerts.interfaces.AlertsAdapter; +import com.opensoc.helpers.topology.ErrorGenerator; import com.opensoc.json.serialization.JSONEncoderHelper; import com.opensoc.metrics.MetricReporter; -import com.opensoc.topologyhelpers.ErrorGenerator; @SuppressWarnings("rawtypes") public class TelemetryAlertsBolt extends AbstractAlertBolt { @@ -120,24 +119,24 @@ public TelemetryAlertsBolt withMetricConfiguration(Configuration config) { } /** - * @param MAX_CACHE_SIZE + * @param MAX_CACHE_SIZE_OBJECTS_NUM * Maximum size of cache before flushing * @return Instance of this class */ - public TelemetryAlertsBolt withMaxCacheSize(int MAX_CACHE_SIZE) { - _MAX_CACHE_SIZE = MAX_CACHE_SIZE; + public TelemetryAlertsBolt withMaxCacheSize(int MAX_CACHE_SIZE_OBJECTS_NUM) { + _MAX_CACHE_SIZE_OBJECTS_NUM = MAX_CACHE_SIZE_OBJECTS_NUM; return this; } /** - * @param MAX_TIME_RETAIN + * @param MAX_TIME_RETAIN_MINUTES * Maximum time to retain cached entry before expiring * @return Instance of this class */ - public TelemetryAlertsBolt withMaxTimeRetain(int MAX_TIME_RETAIN) { - _MAX_TIME_RETAIN = MAX_TIME_RETAIN; + public TelemetryAlertsBolt withMaxTimeRetain(int MAX_TIME_RETAIN_MINUTES) { + _MAX_TIME_RETAIN_MINUTES = MAX_TIME_RETAIN_MINUTES; return this; } 
@@ -145,8 +144,8 @@ public TelemetryAlertsBolt withMaxTimeRetain(int MAX_TIME_RETAIN) { void doPrepare(Map conf, TopologyContext topologyContext, OutputCollector collector) throws IOException { - cache = CacheBuilder.newBuilder().maximumSize(_MAX_CACHE_SIZE) - .expireAfterWrite(_MAX_TIME_RETAIN, TimeUnit.MINUTES).build(); + cache = CacheBuilder.newBuilder().maximumSize(_MAX_CACHE_SIZE_OBJECTS_NUM) + .expireAfterWrite(_MAX_TIME_RETAIN_MINUTES, TimeUnit.MINUTES).build(); LOG.info("[OpenSOC] Preparing TelemetryAlert Bolt..."); @@ -185,10 +184,10 @@ public void execute(Tuple tuple) { JSONArray uuid_list = new JSONArray(); if (alerts_list == null || alerts_list.isEmpty()) { - LOG.trace("[OpenSOC] No alerts detected in: " + System.out.println("[OpenSOC] No alerts detected in: " + original_message); _collector.ack(tuple); - _collector.emit(new Values(original_message)); + _collector.emit("message", new Values(key, original_message)); } else { for (String alert : alerts_list.keySet()) { uuid_list.add(alert); @@ -196,11 +195,11 @@ public void execute(Tuple tuple) { LOG.trace("[OpenSOC] Checking alerts cache: " + alert); if (cache.getIfPresent(alert) == null) { - LOG.trace("[OpenSOC]: Alert not found in cache: " + alert); + System.out.println("[OpenSOC]: Alert not found in cache: " + alert); JSONObject global_alert = new JSONObject(); global_alert.putAll(_identifier); - global_alert.put("triggered", alerts_list.get(alert)); + global_alert.putAll(alerts_list.get(alert)); global_alert.put("timestamp", System.currentTimeMillis()); _collector.emit("alert", new Values(global_alert)); 
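Review bot: Replacing `LOG.trace` with `System.out.println` in the no-alert branch of `execute` writes every alert-free telemetry message, in full, to the worker's stdout regardless of the configured log level; the next hunk (@@ -196,11 +195,11 @@) makes the same swap for the "Alert not found in cache" line. On a high-volume topology this costs throughput and leaves an uncontrolled copy of raw telemetry in worker output that logging configuration cannot switch off. I would keep the logger in both places: `LOG.trace("[OpenSOC] No alerts detected in: " + original_message);` and `LOG.trace("[OpenSOC]: Alert not found in cache: " + alert);`. `execute` starts and ends outside this hunk.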
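Review bot: `global_alert.putAll(alerts_list.get(alert))` now flattens the adapter's fields into the top level of the alert after `_identifier` has already been copied in, so an adapter field whose name matches an identifier key silently replaces it. If the identifier is meant to be authoritative, apply it last (`global_alert.putAll(alerts_list.get(alert)); global_alert.putAll(_identifier);`), or document which keys adapters may not use. The unchanged `global_alert.put("timestamp", System.currentTimeMillis())` that follows would likewise overwrite any `timestamp` an adapter supplies, which appears to differ from the readme added in this commit ("the time from the message that triggered the alert"); worth confirming which is intended.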
@@ -244,11 +243,9 @@ public void execute(Tuple tuple) { * if (metricConfiguration != null) { failCounter.inc(); } */ - String error_as_string = org.apache.commons.lang.exception.ExceptionUtils - .getStackTrace(e); JSONObject error = ErrorGenerator.generateErrorMessage( - "Alerts problem: " + original_message, error_as_string); + "Alerts problem: " + original_message, e); _collector.emit("error", new Values(error)); } } diff --git a/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/AbstractAlertAdapter.java b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/AbstractAlertAdapter.java index 35595a0338..1330e21882 100644 --- a/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/AbstractAlertAdapter.java +++ b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/AbstractAlertAdapter.java @@ -19,8 +19,6 @@ package com.opensoc.alerts.adapters; import java.io.Serializable; -import java.util.Set; -import java.util.TreeSet; import java.util.UUID; import java.util.concurrent.TimeUnit; @@ -62,9 +60,9 @@ private String makeKey(String ip1, String ip2, int alert_type) { return (ip1 + "-" + ip2 + "-" + alert_type); } - private void generateCache(int _MAX_CACHE_SIZE, int _MAX_TIME_RETAIN) + protected void generateCache(int _MAX_CACHE_SIZE_OBJECTS_NUM, int _MAX_TIME_RETAIN_MINUTES) { - cache = CacheBuilder.newBuilder().maximumSize(_MAX_CACHE_SIZE) - .expireAfterWrite(_MAX_TIME_RETAIN, TimeUnit.MINUTES).build(); + cache = CacheBuilder.newBuilder().maximumSize(_MAX_CACHE_SIZE_OBJECTS_NUM) + .expireAfterWrite(_MAX_TIME_RETAIN_MINUTES, TimeUnit.MINUTES).build(); } } diff --git a/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/AllAlertAdapter.java b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/AllAlertAdapter.java index 035a8652b9..db667e72de 100644 
--- a/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/AllAlertAdapter.java +++ b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/AllAlertAdapter.java @@ -1,6 +1,5 @@ package com.opensoc.alerts.adapters; -import java.io.IOException; import java.io.Serializable; import java.util.HashMap; import java.util.HashSet; @@ -12,7 +11,6 @@ import org.apache.commons.validator.routines.InetAddressValidator; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.HBaseConfiguration; -import org.apache.hadoop.hbase.client.Get; import org.apache.hadoop.hbase.client.HBaseAdmin; import org.apache.hadoop.hbase.client.HConnection; import org.apache.hadoop.hbase.client.HConnectionManager; 
@@ -23,64 +21,96 @@ import org.apache.hadoop.hbase.client.Scan; import org.apache.hadoop.hbase.util.Bytes; import org.json.simple.JSONObject; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - +import org.apache.log4j.Logger; import com.google.common.cache.Cache; import com.google.common.cache.CacheBuilder; import com.opensoc.alerts.interfaces.AlertsAdapter; +@SuppressWarnings("serial") public class AllAlertAdapter implements AlertsAdapter, Serializable { + HTableInterface blacklist_table; HTableInterface whitelist_table; InetAddressValidator ipvalidator = new InetAddressValidator(); String _whitelist_table_name; - // String _blacklist_table_name; + String _blacklist_table_name; String _quorum; String _port; String _topologyname; Configuration conf = null; - protected Cache cache; - - Map id_list = new HashMap(); + Cache cache; + String _topology_name; Set loaded_whitelist = new HashSet(); Set loaded_blacklist = new HashSet(); - String _topology_name; - - protected static final Logger LOG = LoggerFactory + protected static final Logger LOG = Logger .getLogger(AllAlertAdapter.class); - public AllAlertAdapter(String whitelist_table_name, - String blacklist_table_name, String quorum, String port, - int _MAX_TIME_RETAIN, int _MAX_CACHE_SIZE) { - - _whitelist_table_name = whitelist_table_name; - - _quorum = quorum; - _port = port; - - cache = CacheBuilder.newBuilder().maximumSize(_MAX_CACHE_SIZE) - .expireAfterWrite(_MAX_TIME_RETAIN, TimeUnit.MINUTES).build(); + public AllAlertAdapter(Map config) { + try { + if(!config.containsKey("whitelist_table_name")) + throw new Exception("Whitelist table name is missing"); + + _whitelist_table_name = config.get("whitelist_table_name"); + + if(!config.containsKey("blacklist_table_name")) + throw new Exception("Blacklist table name is missing"); + + _blacklist_table_name = config.get("blacklist_table_name"); + + if(!config.containsKey("quorum")) + throw new Exception("Quorum name is missing"); + + _quorum = 
config.get("quorum"); + + if(!config.containsKey("port")) + throw new Exception("port name is missing"); + + _port = config.get("port"); + if(!config.containsKey("_MAX_CACHE_SIZE_OBJECTS_NUM")) + throw new Exception("_MAX_CACHE_SIZE_OBJECTS_NUM name is missing"); + + int _MAX_CACHE_SIZE_OBJECTS_NUM = Integer.parseInt(config + .get("_MAX_CACHE_SIZE_OBJECTS_NUM")); + + if(!config.containsKey("_MAX_TIME_RETAIN_MINUTES")) + throw new Exception("_MAX_TIME_RETAIN_MINUTES name is missing"); + + int _MAX_TIME_RETAIN_MINUTES = Integer.parseInt(config + .get("_MAX_TIME_RETAIN_MINUTES")); + cache = CacheBuilder.newBuilder().maximumSize(_MAX_CACHE_SIZE_OBJECTS_NUM) + .expireAfterWrite(_MAX_TIME_RETAIN_MINUTES, TimeUnit.MINUTES) + .build(); + } catch (Exception e) { + System.out.println("Could not initialize Alerts Adapter"); + e.printStackTrace(); + System.exit(0); + } } - + @SuppressWarnings("resource") + @Override public boolean initialize() { conf = HBaseConfiguration.create(); - conf.set("hbase.zookeeper.quorum", _quorum); - conf.set("hbase.zookeeper.property.clientPort", _port); + //conf.set("hbase.zookeeper.quorum", _quorum); + //conf.set("hbase.zookeeper.property.clientPort", _port); - LOG.trace("[OpenSOC] Connecting to hbase with conf:" + conf); + LOG.trace("[OpenSOC] Connecting to hbase with conf:" + conf); LOG.trace("[OpenSOC] Whitelist table name: " + _whitelist_table_name); - LOG.trace("[OpenSOC] ZK Client/port: " + conf.get("hbase.zookeeper.quorum") + " -> " + conf.get("hbase.zookeeper.property.clientPort")); + LOG.trace("[OpenSOC] Whitelist table name: " + _blacklist_table_name); + LOG.trace("[OpenSOC] ZK Client/port: " + + conf.get("hbase.zookeeper.quorum") + " -> " + + conf.get("hbase.zookeeper.property.clientPort")); try { + LOG.trace("[OpenSOC] Attempting to connect to hbase"); + HConnection connection = HConnectionManager.createConnection(conf); LOG.trace("[OpenSOC] CONNECTED TO HBASE"); 
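Review bot: The new `AllAlertAdapter(Map config)` constructor ends in a `catch (Exception e)` that prints to stdout and calls `System.exit(0)`, so a missing key or a non-numeric `_MAX_CACHE_SIZE_OBJECTS_NUM` terminates the whole JVM with a success status. A library class should not exit the process; rethrowing keeps the cause and lets the caller decide: `throw new IllegalArgumentException("Could not initialize Alerts Adapter", e);`. The same catch block is added in `CIFAlertsAdapter` (new file below) and in `HbaseWhiteAndBlacklistAdapter` (@@ -43,41 +41,73 @@). Separately, the second added trace line in `initialize()` prints `_blacklist_table_name` under the label "Whitelist table name".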
@@ -90,12 +120,20 @@ public boolean initialize() { if (!hba.tableExists(_whitelist_table_name)) throw new Exception("Whitelist table doesn't exist"); + if (!hba.tableExists(_blacklist_table_name)) + throw new Exception("Blacklist table doesn't exist"); + whitelist_table = new HTable(conf, _whitelist_table_name); - LOG.trace("[OpenSOC] CONNECTED TO TABLE: "+ _whitelist_table_name); + LOG.trace("[OpenSOC] CONNECTED TO TABLE: " + _whitelist_table_name); + blacklist_table = new HTable(conf, _blacklist_table_name); + LOG.trace("[OpenSOC] CONNECTED TO TABLE: " + _blacklist_table_name); - Scan scan = new Scan(); + if (connection == null || whitelist_table == null + || blacklist_table == null) + throw new Exception("Unable to initialize hbase connection"); + Scan scan = new Scan(); ResultScanner rs = whitelist_table.getScanner(scan); try { 
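Review bot: The added guard `if (connection == null || whitelist_table == null || blacklist_table == null)` looks unreachable: both tables have just been assigned from `new HTable(...)`, and `createConnection` presumably either returns a connection or throws (confirm against the HBase client version in use). Meanwhile `connection` is not used to obtain either table and no `connection.close()` is visible in this diff, so it appears to be opened only to be leaked. I would drop the guard and either remove the `HConnection` or obtain the tables from it and close it in a `finally`. `initialize()` begins before and continues after this hunk.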
@@ -106,18 +144,42 @@ public boolean initialize() { LOG.trace("[OpenSOC] COULD NOT READ FROM HBASE"); e.printStackTrace(); } finally { - rs.close(); + rs.close(); // always close the ResultScanner! + hba.close(); } whitelist_table.close(); - LOG.trace("[OpenSOC] Number of entires in white list: " + loaded_whitelist.size()); + LOG.trace("[OpenSOC] READ IN WHITELIST: " + loaded_whitelist.size()); + + System.out.println("LOADED WHITELIST IS: "); - if(loaded_whitelist.size() == 0) - throw new Exception("Hbase connection is OK, but the table is empty: " + whitelist_table); + for(String str: loaded_whitelist) + System.out.println("WHITELIST: " + str); + + scan = new Scan(); + + rs = blacklist_table.getScanner(scan); + try { + for (Result r = rs.next(); r != null; r = rs.next()) { + loaded_blacklist.add(Bytes.toString(r.getRow())); + } + } catch (Exception e) { + LOG.trace("[OpenSOC] COULD NOT READ FROM HBASE"); + e.printStackTrace(); + } finally { + rs.close(); // always close the ResultScanner! + hba.close(); + } + blacklist_table.close(); + + LOG.trace("[OpenSOC] READ IN WHITELIST: " + loaded_whitelist.size()); + + rs.close(); // always close the ResultScanner! + hba.close(); return true; } catch (Exception e) { - // TODO Auto-generated catch block + e.printStackTrace(); } 
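Review bot: This hunk removes the `loaded_whitelist.size() == 0` check and keeps a `catch (Exception e)` around both scans that only logs at trace level, so `initialize()` now returns `true` even when the whitelist or blacklist could not be read or is empty. The adapter then runs with empty lists and nothing tells the operator. I would let a scan failure reach the outer catch so that `initialize()` returns `false`, or at least report it with `LOG.error("[OpenSOC] COULD NOT READ FROM HBASE", e);`. The added blacklist trace line also reports `loaded_whitelist.size()` instead of `loaded_blacklist.size()`, and `rs.close()` / `hba.close()` are called again after the second `finally` has already closed them. `CIFAlertsAdapter.initialize()` in the new file below repeats the same code.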
@@ -125,99 +187,88 @@ public boolean initialize() { } - protected String generateAlertId(String source_ip, String dst_ip, - int alert_type) { + @Override + public boolean refresh() throws Exception { + // TODO Auto-generated method stub + return false; + } - String key = makeKey(source_ip, dst_ip, alert_type); + @SuppressWarnings("unchecked") + @Override + public Map alert(JSONObject raw_message) { - if (cache.getIfPresent(key) != null) - return cache.getIfPresent(key); + Map alerts = new HashMap(); + JSONObject content = (JSONObject) raw_message.get("message"); - String new_UUID = System.currentTimeMillis() + "-" + UUID.randomUUID(); + JSONObject enrichment = null; - cache.put(key, new_UUID); - key = makeKey(dst_ip, source_ip, alert_type); - cache.put(key, new_UUID); + if (raw_message.containsKey("enrichment")) + enrichment = (JSONObject) raw_message.get("enrichment"); - return new_UUID; + JSONObject alert = new JSONObject(); - } - public boolean getByKey(String metadata, HTableInterface table) { - LOG.trace("[OpenSOC] Pinging HBase For:" + metadata); + String source = "unknown"; + String dest = "unknown"; + String host = "unknown"; + if (content.containsKey("ip_src_addr")) + { + source = content.get("ip_src_addr").toString(); + + if(RangeChecker.checkRange(loaded_whitelist, source)) + host = source; + } - Get get = new Get(metadata.getBytes()); - Result rs; + if (content.containsKey("ip_dst_addr")) + { + dest = content.get("ip_dst_addr").toString(); + + if(RangeChecker.checkRange(loaded_whitelist, dest)) + host = dest; + } - try { - rs = table.get(get); + alert.put("designated_host", host); + alert.put("description", content.get("original_string").toString()); + alert.put("priority", "MED"); - if (rs.size() > 0) - return true; - else - return false; + String alert_id = generateAlertId(source, dest, 0); - } catch (IOException e) { + alert.put("alert_id", alert_id); + alerts.put(alert_id, alert); - e.printStackTrace(); - } + alert.put("enrichment", enrichment); - 
return false; + return alerts; } - public boolean refresh() throws Exception { + @Override + public boolean containsAlertId(String alert) { // TODO Auto-generated method stub return false; } - private String makeKey(String ip1, String ip2, int alert_type) { - return (ip1 + "-" + ip2 + "-" + alert_type); - } - - @SuppressWarnings("unchecked") - public Map alert(JSONObject raw_message) { - - Map alerts = new HashMap(); - JSONObject alert = new JSONObject(); - - JSONObject content = (JSONObject) raw_message.get("message"); - String source_ip = content.get("ip_src_addr").toString(); - String dst_ip = content.get("ip_dst_addr").toString(); + protected String generateAlertId(String source_ip, String dst_ip, + int alert_type) { - String source = null; + String key = makeKey(source_ip, dst_ip, alert_type); - if (loaded_whitelist.contains(source_ip)) - source = source_ip; - else if (loaded_whitelist.contains(dst_ip)) - source = dst_ip; - else - source = "unknown"; + if (cache.getIfPresent(key) != null) + return cache.getIfPresent(key); - alert.put("title", "Appliance alert for: " + source_ip + "->" + dst_ip); - alert.put("priority", "1"); - alert.put("type", "error"); - alert.put("designated_host", source); - alert.put("source", source_ip); - alert.put("dest", dst_ip); - alert.put("body", "Appliance alert for: " + source_ip + "->" + dst_ip); + String new_UUID = System.currentTimeMillis() + "-" + UUID.randomUUID(); - String alert_id = generateAlertId(source_ip, dst_ip, 0); + cache.put(key, new_UUID); + key = makeKey(dst_ip, source_ip, alert_type); + cache.put(key, new_UUID); - alert.put("reference_id", alert_id); - alerts.put(alert_id, alert); - - LOG.trace("[OpenSOC] Returning alert: " + alerts); + return new_UUID; - return alerts; } - - public boolean containsAlertId(String alert) { - // TODO Auto-generated method stub - return false; + private String makeKey(String ip1, String ip2, int alert_type) { + return (ip1 + "-" + ip2 + "-" + alert_type); } - } 
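Review bot: In the new `alert()`, `content.get("original_string").toString()` is dereferenced without the `containsKey` guard that the added code gives `ip_src_addr` and `ip_dst_addr`, so a message without `original_string` (or without a `message` object at all) throws a NullPointerException inside the adapter. A guard keeps one malformed event from aborting the call: `Object raw = content.get("original_string"); alert.put("description", raw == null ? "unknown" : raw.toString());`. When either address is absent the id comes from `generateAlertId` with the literal "unknown", so all such messages share one cached alert id for the retention window; worth confirming that is intended. The description is copied verbatim from the event, so alert consumers should treat it as untrusted text.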
diff --git a/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/CIFAlertsAdapter.java b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/CIFAlertsAdapter.java new file mode 100644 index 0000000000..5e54556d68 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/CIFAlertsAdapter.java 
@@ -0,0 +1,311 @@ +package com.opensoc.alerts.adapters; + +import java.io.Serializable; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Set; +import java.util.UUID; +import java.util.concurrent.TimeUnit; + +import org.apache.commons.validator.routines.InetAddressValidator; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hbase.HBaseConfiguration; +import org.apache.hadoop.hbase.client.HBaseAdmin; +import org.apache.hadoop.hbase.client.HConnection; +import org.apache.hadoop.hbase.client.HConnectionManager; +import org.apache.hadoop.hbase.client.HTable; +import org.apache.hadoop.hbase.client.HTableInterface; +import org.apache.hadoop.hbase.client.Result; +import org.apache.hadoop.hbase.client.ResultScanner; +import org.apache.hadoop.hbase.client.Scan; +import org.apache.hadoop.hbase.util.Bytes; +import org.json.simple.JSONObject; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.google.common.cache.Cache; +import com.google.common.cache.CacheBuilder; +import com.opensoc.alerts.interfaces.AlertsAdapter; + +@SuppressWarnings("serial") +public class CIFAlertsAdapter implements AlertsAdapter, Serializable { + + String enrichment_tag; + + HTableInterface blacklist_table; + HTableInterface whitelist_table; + InetAddressValidator ipvalidator = new InetAddressValidator(); + String _whitelist_table_name; + String _blacklist_table_name; + String _quorum; + String _port; + String _topologyname; + Configuration conf = null; + + Cache cache; + String _topology_name; + + Set loaded_whitelist = new HashSet(); + Set loaded_blacklist = new HashSet(); + + protected static final Logger LOG = LoggerFactory + .getLogger(CIFAlertsAdapter.class); + + public CIFAlertsAdapter(Map config) { + try { + + if (!config.containsKey("whitelist_table_name")) + throw new Exception("Whitelist table name is missing"); + + _whitelist_table_name = config.get("whitelist_table_name"); + + if 
(!config.containsKey("blacklist_table_name")) + throw new Exception("Blacklist table name is missing"); + + _blacklist_table_name = config.get("blacklist_table_name"); + + if (!config.containsKey("quorum")) + throw new Exception("Quorum name is missing"); + + _quorum = config.get("quorum"); + + if (!config.containsKey("port")) + throw new Exception("port name is missing"); + + _port = config.get("port"); + + if (!config.containsKey("_MAX_CACHE_SIZE_OBJECTS_NUM")) + throw new Exception("_MAX_CACHE_SIZE_OBJECTS_NUM name is missing"); + + int _MAX_CACHE_SIZE_OBJECTS_NUM = Integer.parseInt(config + .get("_MAX_CACHE_SIZE_OBJECTS_NUM")); + + if (!config.containsKey("_MAX_TIME_RETAIN_MINUTES")) + throw new Exception("_MAX_TIME_RETAIN_MINUTES name is missing"); + + int _MAX_TIME_RETAIN_MINUTES = Integer.parseInt(config + .get("_MAX_TIME_RETAIN_MINUTES")); + + cache = CacheBuilder.newBuilder().maximumSize(_MAX_CACHE_SIZE_OBJECTS_NUM) + .expireAfterWrite(_MAX_TIME_RETAIN_MINUTES, TimeUnit.MINUTES) + .build(); + + enrichment_tag = config.get("enrichment_tag"); + + } catch (Exception e) { + System.out.println("Could not initialize alerts adapter"); + e.printStackTrace(); + System.exit(0); + } + } + + @SuppressWarnings("resource") + @Override + public boolean initialize() { + + conf = HBaseConfiguration.create(); + // conf.set("hbase.zookeeper.quorum", _quorum); + // conf.set("hbase.zookeeper.property.clientPort", _port); + + LOG.trace("[OpenSOC] Connecting to hbase with conf:" + conf); + LOG.trace("[OpenSOC] Whitelist table name: " + _whitelist_table_name); + LOG.trace("[OpenSOC] Whitelist table name: " + _blacklist_table_name); + LOG.trace("[OpenSOC] ZK Client/port: " + + conf.get("hbase.zookeeper.quorum") + " -> " + + conf.get("hbase.zookeeper.property.clientPort")); + + try { + + LOG.trace("[OpenSOC] Attempting to connect to hbase"); + + HConnection connection = HConnectionManager.createConnection(conf); + + LOG.trace("[OpenSOC] CONNECTED TO HBASE"); + + HBaseAdmin hba = 
new HBaseAdmin(conf); + + if (!hba.tableExists(_whitelist_table_name)) + throw new Exception("Whitelist table doesn't exist"); + + if (!hba.tableExists(_blacklist_table_name)) + throw new Exception("Blacklist table doesn't exist"); + + whitelist_table = new HTable(conf, _whitelist_table_name); + + LOG.trace("[OpenSOC] CONNECTED TO TABLE: " + _whitelist_table_name); + blacklist_table = new HTable(conf, _blacklist_table_name); + LOG.trace("[OpenSOC] CONNECTED TO TABLE: " + _blacklist_table_name); + + if (connection == null || whitelist_table == null + || blacklist_table == null) + throw new Exception("Unable to initialize hbase connection"); + + Scan scan = new Scan(); + + ResultScanner rs = whitelist_table.getScanner(scan); + try { + for (Result r = rs.next(); r != null; r = rs.next()) { + loaded_whitelist.add(Bytes.toString(r.getRow())); + } + } catch (Exception e) { + LOG.trace("[OpenSOC] COULD NOT READ FROM HBASE"); + e.printStackTrace(); + } finally { + rs.close(); // always close the ResultScanner! + hba.close(); + } + whitelist_table.close(); + + LOG.trace("[OpenSOC] READ IN WHITELIST: " + loaded_whitelist.size()); + + scan = new Scan(); + + rs = blacklist_table.getScanner(scan); + try { + for (Result r = rs.next(); r != null; r = rs.next()) { + loaded_blacklist.add(Bytes.toString(r.getRow())); + } + } catch (Exception e) { + LOG.trace("[OpenSOC] COULD NOT READ FROM HBASE"); + e.printStackTrace(); + } finally { + rs.close(); // always close the ResultScanner! + hba.close(); + } + blacklist_table.close(); + + LOG.trace("[OpenSOC] READ IN WHITELIST: " + loaded_whitelist.size()); + + rs.close(); // always close the ResultScanner! 
+ hba.close(); + + return true; + } catch (Exception e) { + + e.printStackTrace(); + } + + return false; + + } + + @Override + public boolean refresh() throws Exception { + return true; + } + + @SuppressWarnings("unchecked") + @Override + public Map alert(JSONObject raw_message) { + + System.out.println("LOOKING FOR ENRICHMENT TAG: " + enrichment_tag); + + Map alerts = new HashMap(); + JSONObject content = (JSONObject) raw_message.get("message"); + + JSONObject enrichment = null; + + if (raw_message.containsKey("enrichment")) + enrichment = (JSONObject) raw_message.get("enrichment"); + else + return null; + + if (enrichment.containsKey(enrichment_tag)) { + + System.out.println("FOUND TAG: " + enrichment_tag); + + JSONObject cif = (JSONObject) enrichment.get(enrichment_tag); + + int cnt = 0; + Object enriched_key = null; + + for (Object key : cif.keySet()) { + JSONObject tmp = (JSONObject) cif.get(key); + cnt = cnt + tmp.size(); + if (tmp.size() > 0) + enriched_key = key; + } + + if (cnt == 0) { + System.out.println("TAG HAS NO ELEMENTS"); + return null; + } + + JSONObject alert = new JSONObject(); + + String source = "unknown"; + String dest = "unknown"; + String host = "unknown"; + + if (content.containsKey("ip_src_addr")) { + source = content.get("ip_src_addr").toString(); + + if (RangeChecker.checkRange(loaded_whitelist, source)) + host = source; + } + + if (content.containsKey("ip_dst_addr")) { + dest = content.get("ip_dst_addr").toString(); + + if (RangeChecker.checkRange(loaded_whitelist, dest)) + host = dest; + } + + JSONObject cifQualifier = (JSONObject) cif.get(enriched_key); + + alert.put("designated_host", host); + String description = new StringBuilder() + .append(host) + .append(" communicated with a host (") + .append(content.get(enriched_key).toString()) + .append(") identified as ") + .append(cifQualifier.keySet().iterator().next().toString()) + .append(" by CIF") + .toString(); + alert.put("description", description); + alert.put("priority", 
"MED"); + + String alert_id = generateAlertId(source, dest, 0); + + alert.put("alert_id", alert_id); + alerts.put(alert_id, alert); + + alert.put("enrichment", enrichment); + + return alerts; + } else { + System.out.println("DID NOT FIND TAG: " + enrichment_tag); + return null; + } + + } + + @Override + public boolean containsAlertId(String alert) { + // TODO Auto-generated method stub + return false; + } + + protected String generateAlertId(String source_ip, String dst_ip, + int alert_type) { + + String key = makeKey(source_ip, dst_ip, alert_type); + + if (cache.getIfPresent(key) != null) + return cache.getIfPresent(key); + + String new_UUID = System.currentTimeMillis() + "-" + UUID.randomUUID(); + + cache.put(key, new_UUID); + key = makeKey(dst_ip, source_ip, alert_type); + cache.put(key, new_UUID); + + return new_UUID; + + } + + private String makeKey(String ip1, String ip2, int alert_type) { + return (ip1 + "-" + ip2 + "-" + alert_type); + } +} diff --git a/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/HbaseWhiteAndBlacklistAdapter.java b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/HbaseWhiteAndBlacklistAdapter.java index 6bfed8574c..d8bbf162d5 100644 --- a/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/HbaseWhiteAndBlacklistAdapter.java +++ b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/HbaseWhiteAndBlacklistAdapter.java @@ -1,6 +1,5 @@ package com.opensoc.alerts.adapters; -import java.io.IOException; import java.io.Serializable; import java.util.HashMap; import java.util.HashSet; 
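Review bot: `enrichment_tag = config.get("enrichment_tag");` is the one setting the `CIFAlertsAdapter` constructor does not check with `containsKey`, and it is the setting `alert()` depends on: if the key is missing, `enrichment.containsKey(enrichment_tag)` is evaluated with null, the method returns null for every message, and the adapter never raises an alert. Adding `if (!config.containsKey("enrichment_tag")) throw new Exception("enrichment_tag is missing");` before the assignment, in line with the other keys, turns that into a start-up failure. `alert()` also prints to stdout on every message ("LOOKING FOR ENRICHMENT TAG", "DID NOT FIND TAG") and calls `content.get(enriched_key).toString()` without checking that the message carries that field; a trace-level logger and a null check would be safer.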
@@ -12,7 +11,6 @@ import org.apache.commons.validator.routines.InetAddressValidator; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.HBaseConfiguration; -import org.apache.hadoop.hbase.client.Get; import org.apache.hadoop.hbase.client.HBaseAdmin; import org.apache.hadoop.hbase.client.HConnection; import org.apache.hadoop.hbase.client.HConnectionManager; 
@@ -43,41 +41,73 @@ public class HbaseWhiteAndBlacklistAdapter implements AlertsAdapter, String _topologyname; Configuration conf = null; - Cachecache; + Cache cache; String _topology_name; - + Set loaded_whitelist = new HashSet(); Set loaded_blacklist = new HashSet(); protected static final Logger LOG = LoggerFactory .getLogger(HbaseWhiteAndBlacklistAdapter.class); - public HbaseWhiteAndBlacklistAdapter(String whitelist_table_name, - String blacklist_table_name, String quorum, String port, - int _MAX_TIME_RETAIN, int _MAX_CACHE_SIZE) { + public HbaseWhiteAndBlacklistAdapter(Map config) { - _whitelist_table_name = whitelist_table_name; - _blacklist_table_name = blacklist_table_name; - _quorum = quorum; - _port = port; + try { + if(!config.containsKey("whitelist_table_name")) + throw new Exception("Whitelist table name is missing"); + + _whitelist_table_name = config.get("whitelist_table_name"); + + if(!config.containsKey("blacklist_table_name")) + throw new Exception("Blacklist table name is missing"); + + _blacklist_table_name = config.get("blacklist_table_name"); + + if(!config.containsKey("quorum")) + throw new Exception("Quorum name is missing"); + + _quorum = config.get("quorum"); + + if(!config.containsKey("port")) + throw new Exception("port name is missing"); + + _port = config.get("port"); - cache = CacheBuilder.newBuilder().maximumSize(_MAX_CACHE_SIZE) - .expireAfterWrite(_MAX_TIME_RETAIN, TimeUnit.MINUTES).build(); + if(!config.containsKey("_MAX_CACHE_SIZE_OBJECTS_NUM")) + throw new Exception("_MAX_CACHE_SIZE_OBJECTS_NUM name is missing"); + + int _MAX_CACHE_SIZE_OBJECTS_NUM = Integer.parseInt(config + .get("_MAX_CACHE_SIZE_OBJECTS_NUM")); + + if(!config.containsKey("_MAX_TIME_RETAIN_MINUTES")) + throw new Exception("_MAX_TIME_RETAIN_MINUTES name is missing"); + + int _MAX_TIME_RETAIN_MINUTES = Integer.parseInt(config + .get("_MAX_TIME_RETAIN_MINUTES")); - } - + cache = CacheBuilder.newBuilder().maximumSize(_MAX_CACHE_SIZE_OBJECTS_NUM) + 
.expireAfterWrite(_MAX_TIME_RETAIN_MINUTES, TimeUnit.MINUTES) + .build(); + } catch (Exception e) { + System.out.println("Could not initialize Alerts Adapter"); + e.printStackTrace(); + System.exit(0); + } + } public boolean initialize() { conf = HBaseConfiguration.create(); - conf.set("hbase.zookeeper.quorum", _quorum); - conf.set("hbase.zookeeper.property.clientPort", _port); + //conf.set("hbase.zookeeper.quorum", _quorum); + //conf.set("hbase.zookeeper.property.clientPort", _port); - LOG.trace("[OpenSOC] Connecting to hbase with conf:" + conf); + LOG.trace("[OpenSOC] Connecting to hbase with conf:" + conf); LOG.trace("[OpenSOC] Whitelist table name: " + _whitelist_table_name); LOG.trace("[OpenSOC] Whitelist table name: " + _blacklist_table_name); - LOG.trace("[OpenSOC] ZK Client/port: " + conf.get("hbase.zookeeper.quorum") + " -> " + conf.get("hbase.zookeeper.property.clientPort")); + LOG.trace("[OpenSOC] ZK Client/port: " + + conf.get("hbase.zookeeper.quorum") + " -> " + + conf.get("hbase.zookeeper.property.clientPort")); try { @@ -97,18 +127,15 @@ public boolean initialize() { whitelist_table = new HTable(conf, _whitelist_table_name); - LOG.trace("[OpenSOC] CONNECTED TO TABLE: " - + _whitelist_table_name); + LOG.trace("[OpenSOC] CONNECTED TO TABLE: " + _whitelist_table_name); blacklist_table = new HTable(conf, _blacklist_table_name); - LOG.trace("[OpenSOC] CONNECTED TO TABLE: " - + _blacklist_table_name); + LOG.trace("[OpenSOC] CONNECTED TO TABLE: " + _blacklist_table_name); if (connection == null || whitelist_table == null || blacklist_table == null) throw new Exception("Unable to initialize hbase connection"); - - Scan scan = new Scan(); + Scan scan = new Scan(); ResultScanner rs = whitelist_table.getScanner(scan); try { 
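Review bot: The new `catch (Exception e)` in the constructor ends with `System.exit(0)`, so a missing or non-numeric setting terminates the whole JVM with a success status, and the only trace is `e.printStackTrace()`. Throwing `new IllegalArgumentException("Could not initialize Alerts Adapter", e)` instead would fail loudly and leave the exit decision to the caller. In the same hunk `quorum` and `port` are still required keys, but `initialize()` now comments out both `conf.set(...)` calls, so the values are validated and then ignored, and the connection follows whatever `hbase-site.xml` is on the classpath. Either restore the two `conf.set` lines or drop the two checks. `initialize()` continues outside this hunk.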
@@ -120,16 +147,15 @@ public boolean initialize() { e.printStackTrace(); } finally { rs.close(); // always close the ResultScanner! + hba.close(); } whitelist_table.close(); LOG.trace("[OpenSOC] READ IN WHITELIST: " + loaded_whitelist.size()); - - - scan = new Scan(); + scan = new Scan(); - rs = blacklist_table.getScanner(scan); + rs = blacklist_table.getScanner(scan); try { for (Result r = rs.next(); r != null; r = rs.next()) { loaded_blacklist.add(Bytes.toString(r.getRow())); @@ -139,11 +165,15 @@ public boolean initialize() { e.printStackTrace(); } finally { rs.close(); // always close the ResultScanner! + hba.close(); } blacklist_table.close(); LOG.trace("[OpenSOC] READ IN WHITELIST: " + loaded_whitelist.size()); + rs.close(); // always close the ResultScanner! + hba.close(); + return true; } catch (Exception e) { @@ -172,7 +202,6 @@ protected String generateAlertId(String source_ip, String dst_ip, } - public boolean refresh() throws Exception { // TODO Auto-generated method stub return false; @@ -188,8 +217,13 @@ public Map alert(JSONObject raw_message) { Map alerts = new HashMap(); JSONObject content = (JSONObject) raw_message.get("message"); - - if (!content.containsKey("ip_src_addr") || !content.containsKey("ip_dst_addr") ) { + JSONObject enrichment = null; + + if (raw_message.containsKey("enrichment")) + enrichment = (JSONObject) raw_message.get("enrichment"); + + if (!content.containsKey("ip_src_addr") + || !content.containsKey("ip_dst_addr")) { int alert_type = 0; 
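Review bot: The `hba.close()` added to the whitelist scan's `finally` is repeated in the blacklist scan's `finally` (hunk `@@ -139,11 +165,15 @@`) and a third time, together with another `rs.close()`, just before `return true`, while nothing on the lines shown closes `connection`. One `finally` around the whole body that closes `rs`, `hba` and `connection` once would replace the repeated calls. The `catch` blocks visible at the top of both hunks only print a stack trace and then fall through to `return true`, so a failed blacklist read leaves `loaded_blacklist` empty while the adapter reports itself initialized. Returning `false` from those handlers would make the failure visible. The method starts and ends outside these hunks.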
@@ -201,17 +235,18 @@ public Map alert(JSONObject raw_message) { alert.put("designated_host", "Uknown"); alert.put("source", "NA"); alert.put("dest", "NA"); - alert.put( - "body", - "Source or destination IP is missing"); + alert.put("body", "Source or destination IP is missing"); String alert_id = UUID.randomUUID().toString(); alert.put("reference_id", alert_id); alerts.put(alert_id, alert); + if (enrichment != null) + alert.put("enrichment", enrichment); + LOG.trace("[OpenSOC] Returning alert: " + alerts); - + return alerts; } @@ -240,7 +275,9 @@ public Map alert(JSONObject raw_message) { alert.put("reference_id", alert_id); alerts.put(alert_id, alert); - + if (enrichment != null) + alert.put("enrichment", enrichment); + LOG.trace("[OpenSOC] Returning alert: " + alerts); return alerts; @@ -268,7 +305,9 @@ public Map alert(JSONObject raw_message) { alert.put("reference_id", alert_id); alerts.put(alert_id, alert); - + if (enrichment != null) + alert.put("enrichment", enrichment); + LOG.trace("[OpenSOC] Returning alert: " + alerts); return alerts; @@ -281,7 +320,6 @@ public Map alert(JSONObject raw_message) { designated_host = source_ip; else if (loaded_whitelist.contains(dst_ip)) designated_host = dst_ip; - if (designated_host == null) { int alert_type = 3; @@ -303,7 +341,9 @@ else if (loaded_whitelist.contains(dst_ip)) alert.put("reference_id", alert_id); alerts.put(alert_id, alert); - + if (enrichment != null) + alert.put("enrichment", enrichment); + LOG.trace("[OpenSOC] Returning alert: " + alerts); return alerts; @@ -331,6 +371,8 @@ else if (loaded_whitelist.contains(dst_ip)) alert.put("reference_id", alert_id); alerts.put(alert_id, alert); + if (enrichment != null) + alert.put("enrichment", enrichment); } @@ -355,6 +397,8 @@ else if (loaded_whitelist.contains(dst_ip)) alert.put("reference_id", alert_id); alerts.put(alert_id, alert); + if (enrichment != null) + alert.put("enrichment", enrichment); } 
@@ -378,6 +422,8 @@ else if (loaded_whitelist.contains(dst_ip)) alert.put("reference_id", alert_id); alerts.put(alert_id, alert); + if (enrichment != null) + alert.put("enrichment", enrichment); } @@ -401,6 +447,8 @@ else if (loaded_whitelist.contains(dst_ip)) alert.put("reference_id", alert_id); alerts.put(alert_id, alert); + if (enrichment != null) + alert.put("enrichment", enrichment); } @@ -410,8 +458,6 @@ else if (loaded_whitelist.contains(dst_ip)) return alerts; } - - public boolean containsAlertId(String alert) { // TODO Auto-generated method stub return false; diff --git a/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/KeywordsAlertAdapter.java b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/KeywordsAlertAdapter.java new file mode 100644 index 0000000000..e4df273d73 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/KeywordsAlertAdapter.java 
@@ -0,0 +1,274 @@ +package com.opensoc.alerts.adapters; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Set; +import java.util.concurrent.TimeUnit; + +import org.apache.commons.validator.routines.InetAddressValidator; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hbase.HBaseConfiguration; +import org.apache.hadoop.hbase.client.HBaseAdmin; +import org.apache.hadoop.hbase.client.HConnection; +import org.apache.hadoop.hbase.client.HConnectionManager; +import org.apache.hadoop.hbase.client.HTable; +import org.apache.hadoop.hbase.client.HTableInterface; +import org.apache.hadoop.hbase.client.Result; +import org.apache.hadoop.hbase.client.ResultScanner; +import org.apache.hadoop.hbase.client.Scan; +import org.apache.hadoop.hbase.util.Bytes; +import org.json.simple.JSONObject; +import org.apache.log4j.Logger; +import com.google.common.cache.Cache; +import com.google.common.cache.CacheBuilder; + +import com.opensoc.alerts.interfaces.AlertsAdapter; + +public class KeywordsAlertAdapter extends AbstractAlertAdapter { + + HTableInterface blacklist_table; + HTableInterface whitelist_table; + InetAddressValidator ipvalidator = new InetAddressValidator(); + String _whitelist_table_name; + String _blacklist_table_name; + String _quorum; + String _port; + String _topologyname; + Configuration conf = null; + + String _topology_name; + + Set loaded_whitelist = new HashSet(); + Set loaded_blacklist = new HashSet(); + + List keywordList; + List keywordExceptionList; + + protected static final Logger LOG = Logger.getLogger(AllAlertAdapter.class); + + public KeywordsAlertAdapter(Map config) { + try { + + if(!config.containsKey("keywords")) + throw new Exception("Keywords are missing"); + + keywordList = Arrays.asList(config.get("keywords").split("\\|")); + + if( config.containsKey("exceptions")) { + keywordExceptionList = 
Arrays.asList(config.get("exceptions").split("\\|")); + } else { + keywordExceptionList = new ArrayList(); + } + + if(!config.containsKey("whitelist_table_name")) + throw new Exception("Whitelist table name is missing"); + + _whitelist_table_name = config.get("whitelist_table_name"); + + if(!config.containsKey("blacklist_table_name")) + throw new Exception("Blacklist table name is missing"); + + _blacklist_table_name = config.get("blacklist_table_name"); + + if(!config.containsKey("quorum")) + throw new Exception("Quorum name is missing"); + + _quorum = config.get("quorum"); + + if(!config.containsKey("port")) + throw new Exception("port name is missing"); + + _port = config.get("port"); + + if(!config.containsKey("_MAX_CACHE_SIZE_OBJECTS_NUM")) + throw new Exception("_MAX_CACHE_SIZE_OBJECTS_NUM name is missing"); + + int _MAX_CACHE_SIZE_OBJECTS_NUM = Integer.parseInt(config + .get("_MAX_CACHE_SIZE_OBJECTS_NUM")); + + if(!config.containsKey("_MAX_TIME_RETAIN_MINUTES")) + throw new Exception("_MAX_TIME_RETAIN_MINUTES name is missing"); + + int _MAX_TIME_RETAIN_MINUTES = Integer.parseInt(config + .get("_MAX_TIME_RETAIN_MINUTES")); + + generateCache(_MAX_CACHE_SIZE_OBJECTS_NUM, _MAX_TIME_RETAIN_MINUTES); + + } catch (Exception e) { + System.out.println("Could not initialize Alerts Adapter"); + e.printStackTrace(); + System.exit(0); + } + } + + @Override + public boolean initialize() { + conf = HBaseConfiguration.create(); + //conf.set("hbase.zookeeper.quorum", _quorum); + //conf.set("hbase.zookeeper.property.clientPort", _port); + + LOG.trace("[OpenSOC] Connecting to hbase with conf:" + conf); + LOG.trace("[OpenSOC] Whitelist table name: " + _whitelist_table_name); + LOG.trace("[OpenSOC] Whitelist table name: " + _blacklist_table_name); + LOG.trace("[OpenSOC] ZK Client/port: " + + conf.get("hbase.zookeeper.quorum") + " -> " + + conf.get("hbase.zookeeper.property.clientPort")); + + try { + + LOG.trace("[OpenSOC] Attempting to connect to hbase"); + + HConnection 
connection = HConnectionManager.createConnection(conf); + + LOG.trace("[OpenSOC] CONNECTED TO HBASE"); + + HBaseAdmin hba = new HBaseAdmin(conf); + + if (!hba.tableExists(_whitelist_table_name)) + throw new Exception("Whitelist table doesn't exist"); + + if (!hba.tableExists(_blacklist_table_name)) + throw new Exception("Blacklist table doesn't exist"); + + whitelist_table = new HTable(conf, _whitelist_table_name); + + LOG.trace("[OpenSOC] CONNECTED TO TABLE: " + _whitelist_table_name); + blacklist_table = new HTable(conf, _blacklist_table_name); + LOG.trace("[OpenSOC] CONNECTED TO TABLE: " + _blacklist_table_name); + + if (connection == null || whitelist_table == null + || blacklist_table == null) + throw new Exception("Unable to initialize hbase connection"); + + Scan scan = new Scan(); + + ResultScanner rs = whitelist_table.getScanner(scan); + try { + for (Result r = rs.next(); r != null; r = rs.next()) { + loaded_whitelist.add(Bytes.toString(r.getRow())); + } + } catch (Exception e) { + LOG.trace("[OpenSOC] COULD NOT READ FROM HBASE"); + e.printStackTrace(); + } finally { + rs.close(); // always close the ResultScanner! + hba.close(); + } + whitelist_table.close(); + + LOG.trace("[OpenSOC] READ IN WHITELIST: " + loaded_whitelist.size()); + + System.out.println("LOADED WHITELIST IS: "); + + for(String str: loaded_whitelist) + System.out.println("WHITELIST: " + str); + + scan = new Scan(); + + rs = blacklist_table.getScanner(scan); + try { + for (Result r = rs.next(); r != null; r = rs.next()) { + loaded_blacklist.add(Bytes.toString(r.getRow())); + } + } catch (Exception e) { + LOG.trace("[OpenSOC] COULD NOT READ FROM HBASE"); + e.printStackTrace(); + } finally { + rs.close(); // always close the ResultScanner! + hba.close(); + } + blacklist_table.close(); + + LOG.trace("[OpenSOC] READ IN WHITELIST: " + loaded_whitelist.size()); + + rs.close(); // always close the ResultScanner! 
+ hba.close(); + + return true; + } catch (Exception e) { + + e.printStackTrace(); + } + + return false; + } + + @Override + public boolean refresh() throws Exception { + // TODO Auto-generated method stub + return false; + } + + @Override + public boolean containsAlertId(String alert) { + // TODO Auto-generated method stub + return false; + } + + @Override + public Map alert(JSONObject raw_message) { + + Map alerts = new HashMap(); + JSONObject content = (JSONObject) raw_message.get("message"); + + JSONObject enrichment = null; + if (raw_message.containsKey("enrichment")) + enrichment = (JSONObject) raw_message.get("enrichment"); + + for (String keyword : keywordList) { + if (content.toString().contains(keyword)) { + + //check it doesn't have an "exception" keyword in it + for (String exception : keywordExceptionList) { + if (content.toString().contains(exception)) { + LOG.info("[OpenSOC] KeywordAlertsAdapter: Omitting alert due to exclusion: " + exception); + return null; + } + } + + LOG.info("[OpenSOC] KeywordAlertsAdapter: Found match for " + keyword); + JSONObject alert = new JSONObject(); + + String source = "unknown"; + String dest = "unknown"; + String host = "unknown"; + + if (content.containsKey("ip_src_addr")) + { + source = content.get("ip_src_addr").toString(); + + if(RangeChecker.checkRange(loaded_whitelist, source)) + host = source; + } + + if (content.containsKey("ip_dst_addr")) + { + dest = content.get("ip_dst_addr").toString(); + + if(RangeChecker.checkRange(loaded_whitelist, dest)) + host = dest; + } + + alert.put("designated_host", host); + alert.put("description", content.get("original_string").toString()); + alert.put("priority", "MED"); + + String alert_id = generateAlertId(source, dest, 0); + + alert.put("alert_id", alert_id); + alerts.put(alert_id, alert); + + alert.put("enrichment", enrichment); + + return alerts; + } + } + + return null; + } + +} 
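Review bot: In `alert()`, a blank term disables the adapter: `"".split("\\|")` yields a single empty string and `contains("")` is always true, so an `exceptions` setting that is present but blank makes the inner loop hit `return null` for every message, and a blank `keywords` setting alerts on every message. Skipping blank terms closes this, e.g. `if (exception.isEmpty()) continue;` at the top of the inner loop and `if (keyword.isEmpty()) continue;` at the top of the outer one. The match also runs over `content.toString()`, the whole serialized message including field names, so an exception term appearing in any field suppresses the alert; matching against `original_string` only would narrow that. `content.get("original_string").toString()` further down throws if the field is absent, and the logger is created for `AllAlertAdapter.class` rather than this class.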
diff --git a/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/RangeChecker.java b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/RangeChecker.java new file mode 100644 index 0000000000..1999a624e6 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/RangeChecker.java @@ -0,0 +1,23 @@ +package com.opensoc.alerts.adapters; + +import java.util.Set; + +import org.apache.commons.net.util.SubnetUtils; + +public class RangeChecker { + + static boolean checkRange(Set CIDR_networks, String ip) { + for (String network : CIDR_networks) { + + System.out.println("Looking at range: " + network + " and ip " + ip); + SubnetUtils utils = new SubnetUtils(network); + if(utils.getInfo().isInRange(ip)) { + System.out.println(ip + " in range " + network); + return true; + } + } + + //no matches + return false; + } +} diff --git a/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/ThreatAlertsAdapter.java b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/ThreatAlertsAdapter.java new file mode 100644 index 0000000000..c85087dfe2 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Alerts/src/main/java/com/opensoc/alerts/adapters/ThreatAlertsAdapter.java 
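Review bot: `checkRange` builds `new SubnetUtils(network)` for every entry and calls `isInRange(ip)` with no validation, and both throw `IllegalArgumentException` on input that is not CIDR notation or not a dotted-quad IPv4 address. In the adapters added by this commit the networks are HBase row keys and `ip` is the message's `ip_src_addr` or `ip_dst_addr`, so one malformed row or one unexpected address aborts `alert()` for that message. Catching the exception per entry and treating it as no match keeps alerting alive, and the two `System.out.println` calls per comparison are better dropped or sent to a logger at trace level. It is also worth a test that a single-host `/32` entry matches, since `SubnetUtils` excludes the network and broadcast addresses unless `setInclusiveHostCount(true)` is set.

```java
static boolean checkRange(Set CIDR_networks, String ip) {
    for (String network : CIDR_networks) {
        try {
            SubnetUtils utils = new SubnetUtils(network);
            if (utils.getInfo().isInRange(ip)) {
                return true;
            }
        } catch (IllegalArgumentException e) {
            // entry is not CIDR notation, or ip is not a dotted-quad address:
            // treat as "no match" for this entry instead of failing the message
            continue;
        }
    }
    // … unchanged: "no matches" return false …
```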
@@ -0,0 +1,311 @@ +package com.opensoc.alerts.adapters; + +import java.io.Serializable; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Set; +import java.util.UUID; +import java.util.concurrent.TimeUnit; + +import org.apache.commons.validator.routines.InetAddressValidator; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hbase.HBaseConfiguration; +import org.apache.hadoop.hbase.client.HBaseAdmin; +import org.apache.hadoop.hbase.client.HConnection; +import org.apache.hadoop.hbase.client.HConnectionManager; +import org.apache.hadoop.hbase.client.HTable; +import org.apache.hadoop.hbase.client.HTableInterface; +import org.apache.hadoop.hbase.client.Result; +import org.apache.hadoop.hbase.client.ResultScanner; +import org.apache.hadoop.hbase.client.Scan; +import org.apache.hadoop.hbase.util.Bytes; +import org.json.simple.JSONObject; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.google.common.cache.Cache; +import com.google.common.cache.CacheBuilder; +import com.opensoc.alerts.interfaces.AlertsAdapter; + +@SuppressWarnings("serial") +public class ThreatAlertsAdapter implements AlertsAdapter, Serializable { + + String enrichment_tag; + + HTableInterface blacklist_table; + HTableInterface whitelist_table; + InetAddressValidator ipvalidator = new InetAddressValidator(); + String _whitelist_table_name; + String _blacklist_table_name; + String _quorum; + String _port; + String _topologyname; + Configuration conf = null; + + Cache cache; + String _topology_name; + + Set loaded_whitelist = new HashSet(); + Set loaded_blacklist = new HashSet(); + + protected static final Logger LOG = LoggerFactory + .getLogger(ThreatAlertsAdapter.class); + + public ThreatAlertsAdapter(Map config) { + try { + + if (!config.containsKey("whitelist_table_name")) + throw new Exception("Whitelist table name is missing"); + + _whitelist_table_name = config.get("whitelist_table_name"); + + if 
(!config.containsKey("blacklist_table_name")) + throw new Exception("Blacklist table name is missing"); + + _blacklist_table_name = config.get("blacklist_table_name"); + + if (!config.containsKey("quorum")) + throw new Exception("Quorum name is missing"); + + _quorum = config.get("quorum"); + + if (!config.containsKey("port")) + throw new Exception("port name is missing"); + + _port = config.get("port"); + + if (!config.containsKey("_MAX_CACHE_SIZE_OBJECTS_NUM")) + throw new Exception("_MAX_CACHE_SIZE_OBJECTS_NUM name is missing"); + + int _MAX_CACHE_SIZE_OBJECTS_NUM = Integer.parseInt(config + .get("_MAX_CACHE_SIZE_OBJECTS_NUM")); + + if (!config.containsKey("_MAX_TIME_RETAIN_MINUTES")) + throw new Exception("_MAX_TIME_RETAIN_MINUTES name is missing"); + + int _MAX_TIME_RETAIN_MINUTES = Integer.parseInt(config + .get("_MAX_TIME_RETAIN_MINUTES")); + + cache = CacheBuilder.newBuilder().maximumSize(_MAX_CACHE_SIZE_OBJECTS_NUM) + .expireAfterWrite(_MAX_TIME_RETAIN_MINUTES, TimeUnit.MINUTES) + .build(); + + enrichment_tag = config.get("enrichment_tag"); + + } catch (Exception e) { + System.out.println("Could not initialize alerts adapter"); + e.printStackTrace(); + System.exit(0); + } + } + + @SuppressWarnings("resource") + @Override + public boolean initialize() { + + conf = HBaseConfiguration.create(); + // conf.set("hbase.zookeeper.quorum", _quorum); + // conf.set("hbase.zookeeper.property.clientPort", _port); + + LOG.trace("[OpenSOC] Connecting to hbase with conf:" + conf); + LOG.trace("[OpenSOC] Whitelist table name: " + _whitelist_table_name); + LOG.trace("[OpenSOC] Whitelist table name: " + _blacklist_table_name); + LOG.trace("[OpenSOC] ZK Client/port: " + + conf.get("hbase.zookeeper.quorum") + " -> " + + conf.get("hbase.zookeeper.property.clientPort")); + + try { + + LOG.trace("[OpenSOC] Attempting to connect to hbase"); + + HConnection connection = HConnectionManager.createConnection(conf); + + LOG.trace("[OpenSOC] CONNECTED TO HBASE"); + + HBaseAdmin hba = 
new HBaseAdmin(conf); + + if (!hba.tableExists(_whitelist_table_name)) + throw new Exception("Whitelist table doesn't exist"); + + if (!hba.tableExists(_blacklist_table_name)) + throw new Exception("Blacklist table doesn't exist"); + + whitelist_table = new HTable(conf, _whitelist_table_name); + + LOG.trace("[OpenSOC] CONNECTED TO TABLE: " + _whitelist_table_name); + blacklist_table = new HTable(conf, _blacklist_table_name); + LOG.trace("[OpenSOC] CONNECTED TO TABLE: " + _blacklist_table_name); + + if (connection == null || whitelist_table == null + || blacklist_table == null) + throw new Exception("Unable to initialize hbase connection"); + + Scan scan = new Scan(); + + ResultScanner rs = whitelist_table.getScanner(scan); + try { + for (Result r = rs.next(); r != null; r = rs.next()) { + loaded_whitelist.add(Bytes.toString(r.getRow())); + } + } catch (Exception e) { + LOG.trace("[OpenSOC] COULD NOT READ FROM HBASE"); + e.printStackTrace(); + } finally { + rs.close(); // always close the ResultScanner! + hba.close(); + } + whitelist_table.close(); + + LOG.trace("[OpenSOC] READ IN WHITELIST: " + loaded_whitelist.size()); + + scan = new Scan(); + + rs = blacklist_table.getScanner(scan); + try { + for (Result r = rs.next(); r != null; r = rs.next()) { + loaded_blacklist.add(Bytes.toString(r.getRow())); + } + } catch (Exception e) { + LOG.trace("[OpenSOC] COULD NOT READ FROM HBASE"); + e.printStackTrace(); + } finally { + rs.close(); // always close the ResultScanner! + hba.close(); + } + blacklist_table.close(); + + LOG.trace("[OpenSOC] READ IN WHITELIST: " + loaded_whitelist.size()); + + rs.close(); // always close the ResultScanner! 
+ hba.close(); + + return true; + } catch (Exception e) { + + e.printStackTrace(); + } + + return false; + + } + + @Override + public boolean refresh() throws Exception { + return true; + } + + @SuppressWarnings("unchecked") + @Override + public Map alert(JSONObject raw_message) { + + System.out.println("LOOKING FOR ENRICHMENT TAG: " + enrichment_tag); + + Map alerts = new HashMap(); + JSONObject content = (JSONObject) raw_message.get("message"); + + JSONObject enrichment = null; + + if (raw_message.containsKey("enrichment")) + enrichment = (JSONObject) raw_message.get("enrichment"); + else + return null; + + if (enrichment.containsKey(enrichment_tag)) { + + System.out.println("FOUND TAG: " + enrichment_tag); + + JSONObject threat = (JSONObject) enrichment.get(enrichment_tag); + + int cnt = 0; + Object enriched_key = null; + + for (Object key : threat.keySet()) { + JSONObject tmp = (JSONObject) threat.get(key); + cnt = cnt + tmp.size(); + if (tmp.size() > 0) + enriched_key = key; + } + + if (cnt == 0) { + System.out.println("TAG HAS NO ELEMENTS"); + return null; + } + + JSONObject alert = new JSONObject(); + + String source = "unknown"; + String dest = "unknown"; + String host = "unknown"; + + if (content.containsKey("ip_src_addr")) { + source = content.get("ip_src_addr").toString(); + + if (RangeChecker.checkRange(loaded_whitelist, source)) + host = source; + } + + if (content.containsKey("ip_dst_addr")) { + dest = content.get("ip_dst_addr").toString(); + + if (RangeChecker.checkRange(loaded_whitelist, dest)) + host = dest; + } + + JSONObject threatQualifier = (JSONObject) threat.get(enriched_key); + + alert.put("designated_host", host); + String description = + + new StringBuilder() + .append("Threat Intelligence match for ") + .append(content.get(enriched_key).toString()) + .append(" from source: ") + .append(threatQualifier.keySet().iterator().next().toString()) + .toString(); + alert.put("description", description); + alert.put("priority", "MED"); + + String 
alert_id = generateAlertId(source, dest, 0); + + alert.put("alert_id", alert_id); + alerts.put(alert_id, alert); + + alert.put("enrichment", enrichment); + + return alerts; + } else { + System.out.println("DID NOT FIND TAG: " + enrichment_tag); + return null; + } + + } + + @Override + public boolean containsAlertId(String alert) { + // TODO Auto-generated method stub + return false; + } + + protected String generateAlertId(String source_ip, String dst_ip, + int alert_type) { + + String key = makeKey(source_ip, dst_ip, alert_type); + + if (cache.getIfPresent(key) != null) + return cache.getIfPresent(key); + + String new_UUID = System.currentTimeMillis() + "-" + UUID.randomUUID(); + + cache.put(key, new_UUID); + key = makeKey(dst_ip, source_ip, alert_type); + cache.put(key, new_UUID); + + return new_UUID; + + } + + private String makeKey(String ip1, String ip2, int alert_type) { + return (ip1 + "-" + ip2 + "-" + alert_type); + } +} diff --git a/opensoc-streaming/OpenSOC-Alerts/src/main/resources/hbase-site.xml b/opensoc-streaming/OpenSOC-Alerts/src/main/resources/hbase-site.xml index dc7cba5ab8..8d812a9358 100644 --- a/opensoc-streaming/OpenSOC-Alerts/src/main/resources/hbase-site.xml +++ b/opensoc-streaming/OpenSOC-Alerts/src/main/resources/hbase-site.xml 
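Review bot: `enrichment_tag` is the one setting the constructor reads without a `containsKey` check, so a topology configured without it gets a null tag, `enrichment.containsKey(enrichment_tag)` is false for every message, and the adapter never alerts while otherwise looking healthy. Add `if (!config.containsKey("enrichment_tag")) throw new Exception("enrichment_tag is missing");` before the `config.get` call, in line with the other keys. In `generateAlertId`, `cache.getIfPresent(key)` is called twice, and an entry that expires between the two calls makes the method return null, which then becomes the map key in `alerts.put(alert_id, alert)`; read it once into a local and test that. The per-message `System.out.println` calls in `alert()` should go through `LOG`.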
@@ -1,90 +1,131 @@ - - - - - hbase.regionserver.global.memstore.lowerLimit - 0.38 - - - zookeeper.session.timeout - 20 - - - - hbase.security.authorization - false - - - hbase.cluster.distributed - true - - - - hbase.hstore.flush.retries.number - 120 - - - hbase.hregion.memstore.block.multiplier - 4 - - - hbase.hstore.blockingStoreFiles - 200 - - - hbase.defaults.for.version.skip - true - - - hbase.regionserver.global.memstore.upperLimit - 0.4 - - - hbase.hregion.memstore.mslab.enabled - true - - - hbase.client.keyvalue.maxsize - 10485760 - - - hbase.superuser - hbase - - - hfile.block.cache.size - 0.40 - - - zookeeper.znode.parent - /hbase-unsecure - - - hbase.hregion.max.filesize - 10737418240 - - - hbase.zookeeper.property.clientPort - 2181 - - - hbase.security.authentication - simple - - - hbase.client.scanner.caching - 100 - - - hbase.hregion.memstore.flush.size - 134217728 - - - hbase.hregion.majorcompaction - 86400000 - - - hbase.client.write.buffer - 500000000 - - \ No newline at end of file + + + + hbase.tmp.dir + /disk/h/hbase + + + hbase.hregion.memstore.chunkpool.maxsize + 0.5 + + + hbase.regionserver.codecs + lzo,gz,snappy + + + hbase.hstore.flush.retries.number + 120 + + + hbase.client.keyvalue.maxsize + 10485760 + + + hbase.rootdir + hdfs://nn1:8020/apps/hbase/data + + + hbase.defaults.for.version.skip + true + + + hbase.client.scanner.caching + 100 + + + hbase.superuser + hbase + + + hfile.block.cache.size + 0.40 + + + hbase.regionserver.checksum.verify + true + + + hbase.hregion.memstore.mslab.enabled + true + + + hbase.hregion.max.filesize + 107374182400 + + + hbase.cluster.distributed + true + + + zookeeper.session.timeout + 30000 + + + zookeeper.znode.parent + /hbase-unsecure + + + hbase.regionserver.global.memstore.lowerLimit + 0.38 + + + hbase.regionserver.handler.count + 240 + + + hbase.hregion.memstore.mslab.chunksize + 8388608 + + + hbase.zookeeper.quorum + zkpr1,zkpr2,zkpr3 + + + hbase.zookeeper.useMulti + true + + + 
hbase.hregion.majorcompaction + 86400000 + + + hbase.hstore.blockingStoreFiles + 200 + + + hbase.zookeeper.property.clientPort + 2181 + + + hbase.hregion.memstore.flush.size + 134217728 + + + hbase.security.authorization + false + + + hbase.regionserver.global.memstore.upperLimit + 0.4 + + + hbase.hstore.compactionThreshold + 4 + + + hbase.hregion.memstore.block.multiplier + 8 + + + hbase.security.authentication + simple + + + dfs.client.read.shortcircuit + true + + + dfs.domain.socket.path + /var/run/hdfs/dn_socket + + \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-Alerts/src/test/java/com/opensoc/alerts/adapters/AllAlertAdapterTest.java b/opensoc-streaming/OpenSOC-Alerts/src/test/java/com/opensoc/alerts/adapters/AllAlertAdapterTest.java new file mode 100644 index 0000000000..65c74c0ca0 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Alerts/src/test/java/com/opensoc/alerts/adapters/AllAlertAdapterTest.java 
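Review bot: This bundled `hbase-site.xml` now names a specific cluster (`hbase.zookeeper.quorum` = `zkpr1,zkpr2,zkpr3`, `hbase.rootdir` = `hdfs://nn1:8020/apps/hbase/data`) while keeping `hbase.security.authentication` = `simple` and `hbase.security.authorization` = `false`. The adapters in this commit comment out their `conf.set("hbase.zookeeper.quorum", ...)` calls, so this classpath resource appears to decide where the whitelist and blacklist are read from. With authorization off, presumably any client that can reach that cluster can change those tables. I would keep environment-specific hosts out of `src/main/resources` and add a comment at the top of the file stating that it is a development default, and that production deployments supply their own file with strong authentication and authorization enabled.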
@@ -0,0 +1,166 @@ + /* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.opensoc.alerts.adapters; + +import java.lang.reflect.Constructor; +import java.util.Map; +import java.util.Properties; + +import com.opensoc.test.AbstractConfigTest; +import com.opensoc.alerts.adapters.AllAlertAdapter; + + /** + *
    + *
  • Title: AllAlertAdapterTest
  • + *
  • Description: Tests for AllAlertAdapter
  • + *
  • Created: Oct 8, 2014
  • + *
+ * @version $Revision: 1.1 $ + */ +public class AllAlertAdapterTest extends AbstractConfigTest { + + /** + * The allAlertAdapter. + */ + private static AllAlertAdapter allAlertAdapter=null; + + /** + * The connected. + */ + private static boolean connected=false; + + /** + * Constructs a new AllAlertAdapterTest instance. + * @param name + */ + public AllAlertAdapterTest(String name) { + super(name); + } + + /** + * @throws java.lang.Exception + */ + protected static void setUpBeforeClass() throws Exception { + } + + /** + * @throws java.lang.Exception + */ + protected static void tearDownAfterClass() throws Exception { + } + + /* + * (non-Javadoc) + * @see junit.framework.TestCase#setUp() + */ + + @SuppressWarnings("unchecked") + protected void setUp() throws Exception { + super.setUp("com.opensoc.alerts.adapters.AllAlertAdapter"); + Properties prop = super.getTestProperties(); + assertNotNull(prop); + // this.setMode("global"); + if(skipTests(this.getMode())){ + System.out.println(getClass().getName()+" Skipping Tests !!Local Mode"); + return;//skip tests + }else{ + Map settings = super.getSettings(); + @SuppressWarnings("rawtypes") + Class loaded_class = Class.forName("com.opensoc.alerts.adapters.AllAlertAdapter"); + @SuppressWarnings("rawtypes") + Constructor constructor = loaded_class.getConstructor(new Class[] { Map.class}); + + AllAlertAdapterTest.allAlertAdapter = (AllAlertAdapter) constructor.newInstance(settings); + // AllAlertAdapterTest.allAlertAdapter = new AllAlertAdapter(settings) + } + } + + /* + * (non-Javadoc) + * @see junit.framework.TestCase#tearDown() + */ + + protected void tearDown() throws Exception { + super.tearDown(); + } + + + /** + * Test method for {@link com.opensoc.alerts.adapters.AlllterAdapter#initialize()}. 
+ */ + public void testInitializeAdapter() { + if(skipTests(this.getMode())){ + return;//skip tests + }else{ + + boolean initialized =AllAlertAdapterTest.getAllAlertAdapter().initialize(); + assertTrue(initialized); + } + } + + /** + * Test method for containsAlertId(@link com.opensoc.alerts.adapters.AlllterAdapter#containsAlertId()}. + */ + public void testContainsAlertId(){ + if(skipTests(this.getMode())){ + return;//skip tests + }else{ + boolean containsAlert =AllAlertAdapterTest.getAllAlertAdapter().containsAlertId("test"); + assertFalse(containsAlert); + } + } + + + + /** + * Returns the allAlertAdapter. + * @return the allAlertAdapter. + */ + + public static AllAlertAdapter getAllAlertAdapter() { + return allAlertAdapter; + } + + /** + * Sets the allAlertAdapter. + * @param allAlertAdapter the allAlertAdapter. + */ + + public static void setAllAlertAdapter(AllAlertAdapter allAlertAdapter) { + + AllAlertAdapterTest.allAlertAdapter = allAlertAdapter; + } + /** + * Returns the connected. + * @return the connected. + */ + + public static boolean isConnected() { + return connected; + } + + /** + * Sets the connected. + * @param connected the connected. + */ + + public static void setConnected(boolean connected) { + + AllAlertAdapterTest.connected = connected; + } +} + diff --git a/opensoc-streaming/OpenSOC-Alerts/src/test/resources/AllAlertAdapterTest.properties b/opensoc-streaming/OpenSOC-Alerts/src/test/resources/AllAlertAdapterTest.properties new file mode 100644 index 0000000000..8b13789179 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Alerts/src/test/resources/AllAlertAdapterTest.properties @@ -0,0 +1 @@ + diff --git a/opensoc-streaming/OpenSOC-Alerts/src/test/resources/TestSchemas/AllAlertAdapterSchema.json b/opensoc-streaming/OpenSOC-Alerts/src/test/resources/TestSchemas/AllAlertAdapterSchema.json new file mode 100644 index 0000000000..c4f2a82ed2 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Alerts/src/test/resources/TestSchemas/AllAlertAdapterSchema.json 
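Review bot: Both test methods return early when `skipTests(this.getMode())` is true, and `setUp()` only prints a message in that case, so in that mode the class reports success without constructing or exercising `AllAlertAdapter`. A class-level comment should say so, e.g. `// NOTE: when skipTests(getMode()) is true every test here is a no-op; the adapter is only exercised against a live HBase`. The Javadoc on the two tests links to `AlllterAdapter`, which is not a class in this commit, and the second one opens with `(@link` instead of `{@link`; both should read `{@link com.opensoc.alerts.adapters.AllAlertAdapter#initialize()}` and `{@link com.opensoc.alerts.adapters.AllAlertAdapter#containsAlertId(String)}`.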
@@ -0,0 +1,42 @@ +{ +"title": "GeoMySql Schema", +"type": "object", +"properties": { + + "city" : { + "type": "string" + }, + "country" : { + "type": "string" + }, + "dmaCode" : + { + "type": "string" + }, + "geoHash" : + { + "type": "string" + }, + "latitude" : + { + "type": "string" + }, + "locID" : + { + "type": "string" + }, + "location_point" : + { + "type": "string" + }, + "longitude" : + { + "type": "string" + }, + "postalCode" : + { + "type": "string" + } + }, + "required": ["city", "country", "dmaCode","latitude","locID","location_point","postalCode"] +} diff --git a/opensoc-streaming/OpenSOC-Alerts/src/test/resources/config/AllAlertAdapterTest.config b/opensoc-streaming/OpenSOC-Alerts/src/test/resources/config/AllAlertAdapterTest.config new file mode 100644 index 0000000000..f6e5dd1f24 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Alerts/src/test/resources/config/AllAlertAdapterTest.config @@ -0,0 +1,8 @@ +#Alerts Bolt +bolt.alerts.adapter=com.opensoc.alerts.adapters.AllAlertAdapter +com.opensoc.alerts.adapters.AllAlertAdapter.whitelist_table_name = ip_whitelist +com.opensoc.alerts.adapters.AllAlertAdapter.blacklist_table_name = ip_blacklist +com.opensoc.alerts.adapters.AllAlertAdapter.quorum=zkpr1,zkpr2,zkpr3 +com.opensoc.alerts.adapters.AllAlertAdapter.port=2181 +com.opensoc.alerts.adapters.AllAlertAdapter._MAX_CACHE_SIZE_OBJECTS_NUM=3600 +com.opensoc.alerts.adapters.AllAlertAdapter._MAX_TIME_RETAIN_MINUTES=1000 \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-Common/.gitignore b/opensoc-streaming/OpenSOC-Common/.gitignore new file mode 100644 index 0000000000..b83d22266a --- /dev/null +++ b/opensoc-streaming/OpenSOC-Common/.gitignore @@ -0,0 +1 @@ +/target/ diff --git a/opensoc-streaming/OpenSOC-Common/pom.xml b/opensoc-streaming/OpenSOC-Common/pom.xml index 582093d5e6..ad1382f2bb 100644 --- a/opensoc-streaming/OpenSOC-Common/pom.xml +++ b/opensoc-streaming/OpenSOC-Common/pom.xml 
@@ -15,21 +15,23 @@ com.opensoc OpenSOC-Streaming - 0.3BETA-SNAPSHOT + 0.6BETA OpenSOC-Common OpenSOC-Common Components common to all enrichments + UTF-8 + UTF-8 0.8.0 1.10 0.98.5-hadoop2 - Kraken-Repo - Kraken Repository - http://download.krakenapps.org + OpenSOC-Kraken-Repo + OpenSOC Kraken Repository + https://raw.github.com/opensoc/kraken/mvn-repo @@ -43,6 +45,15 @@ storm-core ${global_storm_version} provided + + + + servlet-api + + javax.servlet + + + org.apache.kafka @@ -82,7 +93,7 @@ org.krakenapps kraken-pcap - 1.5.0 + 1.7.1 junit @@ -93,6 +104,21 @@ org.apache.hbase hbase-client ${hbase.version} + + + org.slf4j + slf4j-log4j12 + + + log4j + log4j + + + + + com.github.fge + json-schema-validator + ${global_json_schema_validator_version} @@ -123,6 +149,18 @@ + + + org.apache.maven.plugins + maven-compiler-plugin + 3.1 + + 1.7 + -Xlint:unchecked + 1.7 + + + src/main/resources diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/configuration/ConfigurationManager.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/configuration/ConfigurationManager.java new file mode 100644 index 0000000000..74f19a5a5c --- /dev/null +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/configuration/ConfigurationManager.java 
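Review bot: The repository entry in the first hunk now resolves Kraken artifacts from a Git branch (`https://raw.github.com/opensoc/kraken/mvn-repo`), and the later hunk moves `kraken-pcap` to 1.7.1 from that location. A branch is mutable, so anyone with push access to it can replace the jar under the same version number, and the build gives no sign that the content changed. I would mirror the artifact into the project's own repository manager and record its hash there. A comment next to the repository would make this visible, for example `<!-- served from a Git branch: mirror internally and verify the jar hash before upgrading -->`. The element names are stripped in this view, so this assumes the entry is a normal `<repository>` block.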
@@ -0,0 +1,119 @@ +package com.opensoc.configuration; + + + +import java.io.File; +import java.util.HashMap; +import java.util.Map; + +import org.apache.commons.configuration.CombinedConfiguration; +import org.apache.commons.configuration.Configuration; +import org.apache.commons.configuration.ConfigurationException; +import org.apache.commons.configuration.DefaultConfigurationBuilder; +import org.apache.commons.lang.StringUtils; +import org.apache.log4j.Logger; + +/** + * Configuration manager class which loads all 'config-definition.xml' files and + * creates a Configuration object which holds all properties from the underlying + * configuration resource + */ +public class ConfigurationManager { + + /** configuration definition file name. */ + private static String DEFAULT_CONFIG_DEFINITION_FILE_NAME = "config-definition.xml"; + + /** Stores a map with the configuration for each path specified. */ + private static Map configurationsCache = new HashMap(); + + /** The Constant LOGGER. */ + private static final Logger LOGGER = Logger + .getLogger(ConfigurationManager.class); + + /** + * Common method to load content of all configuration resources defined in + * 'config-definition.xml'. 
+ * + * @param configDefFilePath + * the config def file path + * @return Configuration + */ + public static Configuration getConfiguration(String configDefFilePath) { + if (configurationsCache.containsKey(configDefFilePath)) { + return configurationsCache.get(configDefFilePath); + } + CombinedConfiguration configuration = null; + synchronized (configurationsCache) { + if (configurationsCache.containsKey(configDefFilePath)) { + return configurationsCache.get(configDefFilePath); + } + DefaultConfigurationBuilder builder = new DefaultConfigurationBuilder(); + String fielPath = getConfigDefFilePath(configDefFilePath); + LOGGER.info("loading from 'configDefFilePath' :" + fielPath); + builder.setFile(new File(fielPath)); + try { + configuration = builder.getConfiguration(true); + configurationsCache.put(fielPath, configuration); + } catch (ConfigurationException e) { + LOGGER.info("Exception in loading property files.", e); + } + } + return configuration; + } + + /** + * Removes the configuration created from a config definition file located at + * 'configDefFilePath'. + * + * @param configDefFilePath + * path to the config definition file + */ + public static void clearConfiguration(String configDefFilePath) { + configurationsCache.remove(configDefFilePath); + } + + /** + * Gets the configuration. + * + * @return the configuration + */ + public static Configuration getConfiguration() { + return getConfiguration(null); + } + + /** + * Returns the 'config-definition.xml' file path. 1. If the param + * 'configDefFilePath' has a valid value, returns configDefFilePath 2. If the + * system property key 'configDefFilePath' has a valid value, returns the + * value 3. 
By default, it returns the file name 'config-definition.xml' + * + * @param configDefFilePath + * given input path to the config definition file + * @return the config def file path + */ + private static String getConfigDefFilePath(String configDefFilePath) { + if (StringUtils.isNotEmpty(configDefFilePath)) { + return configDefFilePath; + } + return DEFAULT_CONFIG_DEFINITION_FILE_NAME; + } + + /** + * The main method. + * + * @param args + * the args + * @throws InterruptedException + * the interrupted exception + */ + public static void main(String[] args) throws InterruptedException { + Configuration config = ConfigurationManager + .getConfiguration("/Users/Sayi/Documents/config/config-definition-dpi.xml"); + System.out.println("elastic.search.cluster =" + + config.getString("elastic.search.cluster")); + Thread.sleep(10000); + System.out.println("storm.topology.dpi.bolt.es-index.index.name =" + + config.getString("storm.topology.dpi.bolt.es-index.index.name")); + } + +} \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/dataloads/interfaces/ThreatIntelSource.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/dataloads/interfaces/ThreatIntelSource.java new file mode 100644 index 0000000000..e19646adc8 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/dataloads/interfaces/ThreatIntelSource.java @@ -0,0 +1,11 @@ +package com.opensoc.dataloads.interfaces; + +import java.util.Iterator; +import org.apache.commons.configuration.Configuration; +import org.json.simple.JSONObject; + +public interface ThreatIntelSource extends Iterator { + + void initializeSource(Configuration config); + void cleanupSource(); +} diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/hbase/HBaseBolt.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/hbase/HBaseBolt.java index 9c8f604d55..ef155f1b18 100644 
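Review bot: `getConfiguration(String)` looks the cache up under `configDefFilePath` but stores the result under the resolved `fielPath`, so a call with a null or empty path (including the no-argument overload) never hits the cache and rebuilds the configuration every time. The first `containsKey`/`get` pair also runs outside the `synchronized` block, on what appears to be a plain `HashMap`, and `clearConfiguration` removes without taking the lock, so readers can race with a writer. A load failure is logged at info level and the method returns null, which callers will most likely dereference. I would resolve the path first, do the whole lookup under the lock and log the failure as an error, as below; `clearConfiguration` should resolve its key the same way. The Javadoc of `getConfigDefFilePath` also describes a system-property fallback that the code does not implement.

```java
  public static Configuration getConfiguration(String configDefFilePath) {
    // Resolve first so that lookup and insert use the same cache key.
    String filePath = getConfigDefFilePath(configDefFilePath);
    synchronized (configurationsCache) {
      Configuration cached = configurationsCache.get(filePath);
      if (cached != null) {
        return cached;
      }
      DefaultConfigurationBuilder builder = new DefaultConfigurationBuilder();
      LOGGER.info("loading from 'configDefFilePath' :" + filePath);
      builder.setFile(new File(filePath));
      try {
        CombinedConfiguration configuration = builder.getConfiguration(true);
        configurationsCache.put(filePath, configuration);
        return configuration;
      } catch (ConfigurationException e) {
        // A missing or broken definition file is an error, not routine information.
        LOGGER.error("Exception in loading property files.", e);
        return null;
      }
    }
  }
```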
--- a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/hbase/HBaseBolt.java +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/hbase/HBaseBolt.java @@ -5,16 +5,9 @@ import java.io.IOException; import java.util.Map; -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.hbase.HBaseConfiguration; -import org.apache.hadoop.hbase.HColumnDescriptor; -import org.apache.hadoop.hbase.HTableDescriptor; -import org.apache.hadoop.hbase.client.HBaseAdmin; import org.apache.log4j.Logger; import org.json.simple.JSONObject; -import com.opensoc.topologyhelpers.ErrorGenerator; - import backtype.storm.task.OutputCollector; import backtype.storm.task.TopologyContext; import backtype.storm.topology.IRichBolt; @@ -23,6 +16,8 @@ import backtype.storm.tuple.Tuple; import backtype.storm.tuple.Values; +import com.opensoc.helpers.topology.ErrorGenerator; + /** * A Storm bolt for putting data into HBase. *

@@ -76,12 +71,9 @@ public void execute(Tuple input) { try { this.connector.getTable().put(conf.getPutFromTuple(input)); } catch (IOException ex) { - - String error_as_string = org.apache.commons.lang.exception.ExceptionUtils - .getStackTrace(ex); JSONObject error = ErrorGenerator.generateErrorMessage( - "Alerts problem: " + input.getBinary(0), error_as_string); + "Alerts problem: " + input.getBinary(0), ex); collector.emit("error", new Values(error)); throw new RuntimeException(ex); diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/helpers/services/PcapServiceCli.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/helpers/services/PcapServiceCli.java new file mode 100644 index 0000000000..70f8683613 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/helpers/services/PcapServiceCli.java 
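Review bot: The message built for `generateErrorMessage` concatenates `input.getBinary(0)`, which is a byte array, so the error record carries an identity string of the form `[B@1f2e3d` (constructed example) rather than anything that identifies the failed tuple. The label "Alerts problem" is also misleading in a bolt that writes to HBase. I would change the argument line to `"HBase put failed for tuple " + input.getMessageId(), ex);`. If the payload itself is wanted in the record, decode it with an explicit charset and truncate it, since it comes from the telemetry stream and ends up wherever the error stream is stored. The body of `execute` continues outside this hunk.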
@@ -0,0 +1,110 @@ +package com.opensoc.helpers.services; + +import org.apache.commons.cli.BasicParser; +import org.apache.commons.cli.CommandLine; +import org.apache.commons.cli.CommandLineParser; +import org.apache.commons.cli.HelpFormatter; +import org.apache.commons.cli.Option; +import org.apache.commons.cli.Options; +import org.apache.commons.cli.ParseException; + +public class PcapServiceCli { + + private String[] args = null; + private Options options = new Options(); + + int port = 8081; + String uri = "/pcapGetter"; + + public int getPort() { + return port; + } + + public void setPort(int port) { + this.port = port; + } + + public String getUri() { + return uri; + } + + public void setUri(String uri) { + this.uri = uri; + } + + public PcapServiceCli(String[] args) { + + this.args = args; + + Option help = new Option("h", "Display help menue"); + options.addOption(help); + options.addOption( + "port", + true, + "OPTIONAL ARGUMENT [portnumber] If this argument sets the port for starting the service. If this argument is not set the port will start on defaut port 8081"); + options.addOption( + "endpoint_uri", + true, + "OPTIONAL ARGUMENT [/uri/to/service] This sets the URI for the service to be hosted. 
The default URI is /pcapGetter"); + } + + public void parse() { + CommandLineParser parser = new BasicParser(); + + CommandLine cmd = null; + + try { + cmd = parser.parse(options, args); + } catch (ParseException e1) { + + e1.printStackTrace(); + } + + if (cmd.hasOption("h")) + help(); + + if (cmd.hasOption("port")) { + + try { + port = Integer.parseInt(cmd.getOptionValue("port").trim()); + } catch (Exception e) { + + System.out.println("[OpenSOC] Invalid value for port entered"); + help(); + } + } + if (cmd.hasOption("endpoint_uri")) { + + try { + + if (uri == null || uri.equals("")) + throw new Exception("invalid uri"); + + uri = cmd.getOptionValue("uri").trim(); + + if (uri.charAt(0) != '/') + uri = "/" + uri; + + if (uri.charAt(uri.length()) == '/') + uri = uri.substring(0, uri.length() - 1); + + } catch (Exception e) { + System.out.println("[OpenSOC] Invalid URI entered"); + help(); + } + } + + } + + private void help() { + // This prints out some help + HelpFormatter formater = new HelpFormatter(); + + formater.printHelp("Topology Options:", options); + + // System.out + // .println("[OpenSOC] Example usage: \n storm jar OpenSOC-Topologies-0.3BETA-SNAPSHOT.jar com.opensoc.topology.Bro -local_mode true -config_path OpenSOC_Configs/ -generator_spout true"); + + System.exit(0); + } +} diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/topologyhelpers/Cli.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/helpers/topology/Cli.java similarity index 99% rename from opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/topologyhelpers/Cli.java rename to opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/helpers/topology/Cli.java index 9f8bae3fd2..0d9486e3be 100644 --- a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/topologyhelpers/Cli.java +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/helpers/topology/Cli.java 
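Review bot: The `endpoint_uri` branch of `parse()` cannot succeed. It reads `cmd.getOptionValue("uri")` although the option is registered as `endpoint_uri`, so the value is null and `trim()` throws. It also validates the old field `uri` instead of the value just supplied, and `uri.charAt(uri.length())` is always one past the end. Every path therefore lands in the catch, which prints "Invalid URI entered" and leaves through `help()` with exit status 0. Separately, after a `ParseException` the variable `cmd` is still null and `cmd.hasOption("h")` throws, and the parsed port is not checked against the 1-65535 range before the service binds to it. A corrected branch is below.

```java
    if (cmd.hasOption("endpoint_uri")) {
      // Read the option under the name it was registered with.
      String value = cmd.getOptionValue("endpoint_uri");
      if (value == null || value.trim().isEmpty()) {
        System.out.println("[OpenSOC] Invalid URI entered");
        help();
      }
      value = value.trim();
      if (value.charAt(0) != '/')
        value = "/" + value;
      // The last character is at length() - 1; keep a bare "/" as it is.
      if (value.length() > 1 && value.charAt(value.length() - 1) == '/')
        value = value.substring(0, value.length() - 1);
      uri = value;
    }
```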
@@ -1,4 +1,4 @@ -package com.opensoc.topologyhelpers; +package com.opensoc.helpers.topology; import java.io.File; diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/topologyhelpers/ErrorGenerator.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/helpers/topology/ErrorGenerator.java similarity index 52% rename from opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/topologyhelpers/ErrorGenerator.java rename to opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/helpers/topology/ErrorGenerator.java index c21205e894..97f0ba7aeb 100644 --- a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/topologyhelpers/ErrorGenerator.java +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/helpers/topology/ErrorGenerator.java @@ -1,26 +1,36 @@ -package com.opensoc.topologyhelpers; +package com.opensoc.helpers.topology; import java.net.InetAddress; import java.net.UnknownHostException; +import org.apache.commons.lang.exception.ExceptionUtils; import org.json.simple.JSONObject; public class ErrorGenerator { - public static JSONObject generateErrorMessage(String message, String exception) + @SuppressWarnings("unchecked") + public static JSONObject generateErrorMessage(String message, Exception e) { JSONObject error_message = new JSONObject(); + /* + * Save full stack trace in object. + */ + String stackTrace = ExceptionUtils.getStackTrace(e); + + String exception = e.toString(); + error_message.put("time", System.currentTimeMillis()); try { error_message.put("hostname", InetAddress.getLocalHost().getHostName()); - } catch (UnknownHostException e) { + } catch (UnknownHostException ex) { // TODO Auto-generated catch block - e.printStackTrace(); + ex.printStackTrace(); } error_message.put("message", message); error_message.put("exception", exception); + error_message.put("stack", stackTrace); return error_message; } 
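Review bot: In `generateErrorMessage` the `UnknownHostException` handler only prints to stderr, so the record is emitted without a `hostname` key and consumers of the error stream have to cope with a missing field. I would set a fallback in the catch, `error_message.put("hostname", "unknown");`, and drop the `printStackTrace()` call. The method also dereferences `e` without a null check, and the new `stack` field puts full stack traces onto the error stream. A short Javadoc should state that `e` must be non-null and that the record contains internal class and path names, so the sink that stores these records needs matching access control.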
diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/topologyhelpers/SettingsLoader.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/helpers/topology/SettingsLoader.java similarity index 80% rename from opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/topologyhelpers/SettingsLoader.java rename to opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/helpers/topology/SettingsLoader.java index bb2a460694..261d4816bd 100644 --- a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/topologyhelpers/SettingsLoader.java +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/helpers/topology/SettingsLoader.java @@ -1,4 +1,4 @@ -package com.opensoc.topologyhelpers; +package com.opensoc.helpers.topology; import java.util.HashMap; import java.util.Iterator; @@ -15,6 +15,7 @@ public class SettingsLoader { + @SuppressWarnings("unchecked") public static JSONObject loadEnvironmentIdnetifier(String config_path) throws ConfigurationException { Configuration config = new PropertiesConfiguration(config_path); @@ -31,6 +32,7 @@ public static JSONObject loadEnvironmentIdnetifier(String config_path) return identifier; } + @SuppressWarnings("unchecked") public static JSONObject loadTopologyIdnetifier(String config_path) throws ConfigurationException { Configuration config = new PropertiesConfiguration(config_path); @@ -52,6 +54,7 @@ public static String generateTopologyName(JSONObject env, JSONObject topo) { + env.get("instance") + "_" + topo.get("topology") + "_" + topo.get("topology_instance")); } + @SuppressWarnings("unchecked") public static JSONObject generateAlertsIdentifier(JSONObject env, JSONObject topo) { JSONObject identifier = new JSONObject(); 
@@ -67,7 +70,7 @@ public static Map loadRegexAlerts(String config_path) alert_rules.setDelimiterParsingDisabled(true); alert_rules.load(config_path); - int number_of_rules = alert_rules.getList("rule.pattern").size(); + //int number_of_rules = alert_rules.getList("rule.pattern").size(); String[] patterns = alert_rules.getStringArray("rule.pattern"); String[] alerts = alert_rules.getStringArray("rule.alert"); @@ -115,4 +118,32 @@ public static void printConfigOptions(PropertiesConfiguration config, String pat } } + + public static void printOptionalSettings(Map settings) + { + for(String setting: settings.keySet()) + { + System.out.println("[OpenSOC] Optional Setting: " + setting + " -> " +settings.get(setting)); + } + + } + + public static Map getConfigOptions(PropertiesConfiguration config, String path_fragment) + { + Iterator itr = config.getKeys(); + Map settings = new HashMap(); + + while(itr.hasNext()) + { + String key = itr.next(); + + if(key.contains(path_fragment)) + { + String tmp_key = key.replace(path_fragment, ""); + settings.put(tmp_key, config.getString(key)); + } + } + + return settings; + } } diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/index/interfaces/IndexAdapter.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/index/interfaces/IndexAdapter.java index 1f883427f5..dfdfc8e2c0 100644 --- a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/index/interfaces/IndexAdapter.java +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/index/interfaces/IndexAdapter.java 
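Review bot: `getConfigOptions` in the last hunk selects keys with `key.contains(path_fragment)` and strips the fragment with `key.replace(path_fragment, "")`. That matches the fragment anywhere in the key and removes every occurrence of it, so two different keys can collapse to the same setting name and the later one silently wins. If the fragment is meant as a prefix, which the name suggests, use `if (key.startsWith(path_fragment))` and `key.substring(path_fragment.length())`. `printOptionalSettings` in the same hunk writes every value to stdout; if any optional setting can hold a credential, print the key only.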
@@ -1,11 +1,15 @@ package com.opensoc.index.interfaces; +import java.util.Map; + import org.json.simple.JSONObject; public interface IndexAdapter { boolean initializeConnection(String ip, int port, String cluster_name, - String index_name, String document_name, int bulk) throws Exception; + String index_name, String document_name, int bulk, String date_format) throws Exception; int bulkIndex(JSONObject raw_message); + + void setOptionalSettings(Map settings); } diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/ise/parser/ISEParser.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/ise/parser/ISEParser.java index 7c88ae3e7d..a54f1ce7bd 100644 --- a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/ise/parser/ISEParser.java +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/ise/parser/ISEParser.java @@ -2,17 +2,20 @@ package com.opensoc.ise.parser; import java.io.*; import java.util.*; + import org.json.simple.*; /** * Basic ISE data parser generated by JavaCC. */ public class ISEParser implements Serializable, ISEParserConstants { - private boolean nativeNumbers = false; + // private boolean nativeNumbers = false; - public ISEParser() - { //do nothing - } + private static final long serialVersionUID = -2531656825360044979L; + + public ISEParser() + { //do nothing + } public ISEParser(String input) { @@ -29,7 +32,8 @@ public JSONObject parseObject() throws ParseException return toReturn; } - final public boolean ensureEOF() throws ParseException { + @SuppressWarnings("unused") +final public boolean ensureEOF() throws ParseException { switch (jj_nt.kind) { case COMMA: jj_consume_token(COMMA); 
@@ -43,7 +47,8 @@ final public boolean ensureEOF() throws ParseException { throw new Error("Missing return statement in function"); } - final public JSONObject innerMap() throws ParseException { + @SuppressWarnings({ "unchecked", "unused" }) +final public JSONObject innerMap() throws ParseException { final JSONObject json = new JSONObject(); String key; Object value; @@ -76,7 +81,8 @@ final public JSONObject innerMap() throws ParseException { throw new Error("Missing return statement in function"); } - final public JSONObject object() throws ParseException { + @SuppressWarnings({ "unused", "unchecked" }) +final public JSONObject object() throws ParseException { final JSONObject json = new JSONObject(); String key; Object value; @@ -105,7 +111,8 @@ final public JSONObject object() throws ParseException { throw new Error("Missing return statement in function"); } - final public String objectKey() throws ParseException { + @SuppressWarnings("unused") +final public String objectKey() throws ParseException { String k; k = string(); // System.out.println("key == " + k); @@ -113,7 +120,8 @@ final public String objectKey() throws ParseException { throw new Error("Missing return statement in function"); } - final public Object value() throws ParseException { + @SuppressWarnings({ "unused", "rawtypes" }) +final public Object value() throws ParseException { Object x; String eof = "EOF"; Map m = null; 
@@ -147,12 +155,14 @@ final public Object value() throws ParseException { throw new Error("Missing return statement in function"); } - final public String nullValue() throws ParseException { + @SuppressWarnings("unused") +final public String nullValue() throws ParseException { {if (true) return null;} throw new Error("Missing return statement in function"); } - final public String tagString() throws ParseException { + @SuppressWarnings("unused") +final public String tagString() throws ParseException { String output = "(tag=0)"; jj_consume_token(TAG); jj_consume_token(STRING_BODY); @@ -160,19 +170,22 @@ final public String tagString() throws ParseException { throw new Error("Missing return statement in function"); } - final public String blankValue() throws ParseException { + @SuppressWarnings("unused") +final public String blankValue() throws ParseException { {if (true) return null;} throw new Error("Missing return statement in function"); } - final public String string() throws ParseException { + @SuppressWarnings("unused") +final public String string() throws ParseException { String s; jj_consume_token(STRING_BODY); {if (true) return token.image.trim();} throw new Error("Missing return statement in function"); } - final public String braced_string() throws ParseException { + @SuppressWarnings("unused") +final public String braced_string() throws ParseException { String s; jj_consume_token(BRACED_STRING); // System.out.println("braced == " + token.image); @@ -471,7 +484,9 @@ private Token jj_consume_token(int kind) throws ParseException { throw generateParseException(); } - static private final class LookaheadSuccess extends java.lang.Error { } + static private final class LookaheadSuccess extends java.lang.Error { + + private static final long serialVersionUID = -5724812746511794505L; } final private LookaheadSuccess jj_ls = new LookaheadSuccess(); private boolean jj_scan_token(int kind) { if (jj_scanpos == jj_lastpos) { 
diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/ise/parser/ISEParserTokenManager.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/ise/parser/ISEParserTokenManager.java index adf9401788..9999452cf2 100644 --- a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/ise/parser/ISEParserTokenManager.java +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/ise/parser/ISEParserTokenManager.java @@ -1,8 +1,5 @@ /* Generated By:JavaCC: Do not edit this line. ISEParserTokenManager.java */ package com.opensoc.ise.parser; -import java.io.*; -import java.util.*; -import org.json.simple.*; /** Token Manager. */ class ISEParserTokenManager implements ISEParserConstants diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/json/serialization/JSONEncoderHelper.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/json/serialization/JSONEncoderHelper.java index 38ad375fc1..b388397abb 100644 --- a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/json/serialization/JSONEncoderHelper.java +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/json/serialization/JSONEncoderHelper.java @@ -19,6 +19,7 @@ import java.io.DataOutputStream; import java.io.IOException; import java.util.Iterator; + import org.apache.commons.configuration.Configuration; import org.json.simple.JSONObject; @@ -68,6 +69,7 @@ public static void putString(DataOutputStream data, String str) } + @SuppressWarnings({ "rawtypes", "unchecked" }) public static JSONObject getJSON(Configuration config) { JSONObject output = new JSONObject(); diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/json/serialization/JSONKafkaSerializer.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/json/serialization/JSONKafkaSerializer.java index 08f3b44413..c08444fdf0 100644 --- a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/json/serialization/JSONKafkaSerializer.java 
+++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/json/serialization/JSONKafkaSerializer.java @@ -17,30 +17,32 @@ package com.opensoc.json.serialization; +import static com.opensoc.json.serialization.JSONDecoderHelper.getObject; +import static com.opensoc.json.serialization.JSONEncoderHelper.putBoolean; +import static com.opensoc.json.serialization.JSONEncoderHelper.putNull; +import static com.opensoc.json.serialization.JSONEncoderHelper.putNumber; +import static com.opensoc.json.serialization.JSONEncoderHelper.putString; + import java.io.BufferedReader; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.DataInputStream; import java.io.DataOutputStream; -import java.io.FileNotFoundException; import java.io.FileReader; import java.io.IOException; -import java.io.Reader; import java.util.Iterator; import java.util.Map; import java.util.Map.Entry; +import kafka.serializer.Decoder; +import kafka.serializer.Encoder; +import kafka.utils.VerifiableProperties; + import org.json.simple.JSONArray; import org.json.simple.JSONObject; import org.json.simple.parser.JSONParser; import org.json.simple.parser.ParseException; -import kafka.serializer.Decoder; -import kafka.serializer.Encoder; -import kafka.utils.VerifiableProperties; -import static com.opensoc.json.serialization.JSONEncoderHelper.*; -import static com.opensoc.json.serialization.JSONDecoderHelper.*; - /** * JSON Serailization class for kafka. Implements kafka Encoder and Decoder * String, JSONObject, Number, Boolean,JSONObject.NULL JSONArray diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/parser/interfaces/MessageParser.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/parser/interfaces/MessageParser.java index 700d3abebf..b71e4f9bdb 100644 --- a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/parser/interfaces/MessageParser.java 
+++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/parser/interfaces/MessageParser.java @@ -5,6 +5,7 @@ public interface MessageParser { void initializeParser(); + void init(); JSONObject parse(byte[] raw_message); } diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PacketInfo.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PacketInfo.java index 151e3d3fa1..804387db13 100644 --- a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PacketInfo.java +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PacketInfo.java @@ -1,6 +1,7 @@ package com.opensoc.pcap; import java.text.MessageFormat; +import org.apache.log4j.Logger; import org.krakenapps.pcap.decoder.ip.Ipv4Packet; import org.krakenapps.pcap.decoder.tcp.TcpPacket; @@ -9,6 +10,9 @@ import org.krakenapps.pcap.packet.PacketHeader; import org.krakenapps.pcap.packet.PcapPacket; +import com.opensoc.pcap.Constants; +import com.opensoc.pcap.PcapUtils; + /** * The Class PacketInfo. * @@ -47,6 +51,9 @@ public class PacketInfo { /** The Constant udpHeaderJsonTemplateSB. */ private static final StringBuffer udpHeaderJsonTemplateSB = new StringBuffer(); + /** The Constant LOG. */ + private static final Logger LOG = Logger.getLogger(PacketInfo.class); + static { globalHeaderJsonTemplateSB.append("<\"global_header\":<\"pcap_id\":\"").append("{0}").append('"'); globalHeaderJsonTemplateSB.append(",\"inc_len\":").append("{1}"); 
@@ -231,6 +238,28 @@ public String getKey() { } + /** + * Gets the short key + * + * + * @return the short key + */ + public String getShortKey() { + int sourcePort = 0; + int destinationPort = 0; + if(Constants.PROTOCOL_UDP == ipv4Packet.getProtocol()) { + sourcePort = udpPacket.getSourcePort(); + destinationPort = udpPacket.getDestinationPort(); + } else if (Constants.PROTOCOL_TCP == ipv4Packet.getProtocol()) { + sourcePort = tcpPacket.getSourcePort(); + destinationPort = tcpPacket.getDestinationPort(); + } + + return PcapUtils.getShortSessionKey(ipv4Packet.getSourceAddress().getHostAddress(), ipv4Packet.getDestinationAddress().getHostAddress(), + ipv4Packet.getProtocol(), sourcePort, destinationPort); + + } + /** * Gets the json doc. * @@ -260,6 +289,7 @@ public String getJsonIndexDoc() { */ private String getJsonDocUsingSBAppend() { + StringBuffer jsonSb = new StringBuffer(1024); // global header 
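Review bot: `getShortKey()` picks `udpPacket` or `tcpPacket` from `ipv4Packet.getProtocol()` alone and dereferences it, while `getJsonIndexDocUsingSBAppend()` elsewhere in this file guards the same fields with `!= null`. If a packet can reach this method with the protocol set but the transport header not decoded (a non-first IP fragment would be one such case, though that is inferred and not shown here), the call throws a `NullPointerException`. I would add the guard to both conditions, `if (Constants.PROTOCOL_UDP == ipv4Packet.getProtocol() && udpPacket != null) {` and likewise for TCP, so that the ports stay 0 in that case. The Javadoc should say that the key falls back to port 0 when no transport header is available.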
@@ -373,29 +403,52 @@ private String getJsonDocUsingMessageFormat() { */ private String getJsonIndexDocUsingSBAppend() { - StringBuffer jsonSb = new StringBuffer(175); + Long ts_micro = getPacketTimeInNanos() / 1000L; + StringBuffer jsonSb = new StringBuffer(175); - jsonSb.append("{\"pcap_id\":\"").append(getKey()); + jsonSb.append("{\"pcap_id\":\"").append(getShortKey()); jsonSb.append("\",\"ip_protocol\":").append(ipv4Packet.getProtocol()); + jsonSb.append(",\"ip_id\":").append(ipv4Packet.getId()); + jsonSb.append(",\"frag_offset\":").append(ipv4Packet.getFragmentOffset()); + jsonSb.append(",\"ts_micro\":").append(ts_micro); + // tcp header if (tcpPacket != null) { - jsonSb.append(",\"src_addr\":\"").append(tcpPacket.getSourceAddress().getHostAddress()); - jsonSb.append("\",\"src_port\":").append(tcpPacket.getSourcePort()); - jsonSb.append(",\"dst_addr\":\"").append(tcpPacket.getDestinationAddress().getHostAddress()); - jsonSb.append("\",\"dst_port\":").append(tcpPacket.getDestinationPort()); + jsonSb.append(",\"ip_src_addr\":\"").append(tcpPacket.getSourceAddress().getHostAddress()); + jsonSb.append("\",\"ip_src_port\":").append(tcpPacket.getSourcePort()); + jsonSb.append(",\"ip_dst_addr\":\"").append(tcpPacket.getDestinationAddress().getHostAddress()); + jsonSb.append("\",\"ip_dst_port\":").append(tcpPacket.getDestinationPort()); } // udp headers if (udpPacket != null) { - jsonSb.append(",\"src_addr\":\"").append(udpPacket.getSource().getAddress().getHostAddress()); - jsonSb.append("\",\"src_port\":").append(udpPacket.getSourcePort()); - jsonSb.append(",\"dst_addr\":\"").append(udpPacket.getDestination().getAddress().getHostAddress()); - jsonSb.append("\",\"dst_port\":").append(udpPacket.getDestinationPort()); + jsonSb.append(",\"ip_src_addr\":\"").append(udpPacket.getSource().getAddress().getHostAddress()); + jsonSb.append("\",\"ip_src_port\":").append(udpPacket.getSourcePort()); + 
jsonSb.append(",\"ip_dst_addr\":\"").append(udpPacket.getDestination().getAddress().getHostAddress()); + jsonSb.append("\",\"ip_dst_port\":").append(udpPacket.getDestinationPort()); } jsonSb.append('}'); return jsonSb.toString(); } + + public long getPacketTimeInNanos() + { + if ( getGlobalHeader().getMagicNumber() == 0xa1b2c3d4 || getGlobalHeader().getMagicNumber() == 0xd4c3b2a1 ) + { + //Time is in micro assemble as nano + LOG.info("Times are in micro according to the magic number"); + return getPacketHeader().getTsSec() * 1000000000L + getPacketHeader().getTsUsec() * 1000L ; + } + else if ( getGlobalHeader().getMagicNumber() == 0xa1b23c4d || getGlobalHeader().getMagicNumber() == 0x4d3cb2a1 ) { + //Time is in nano assemble as nano + LOG.info("Times are in nano according to the magic number"); + return getPacketHeader().getTsSec() * 1000000000L + getPacketHeader().getTsUsec() ; + } + //Default assume time is in micro assemble as nano + LOG.warn("Unknown magic number. Defaulting to micro"); + return getPacketHeader().getTsSec() * 1000000000L + getPacketHeader().getTsUsec() * 1000L ; + } } \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapByteOutputStream.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapByteOutputStream.java new file mode 100644 index 0000000000..8a5ad18801 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapByteOutputStream.java 
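Review bot: `getPacketTimeInNanos()` logs on every call, at info level for known magic numbers and at warn level otherwise. `getJsonIndexDocUsingSBAppend()` now calls it once per packet, so a capture stream produces one log line per packet, which can fill the log volume and bury the entries an operator needs. I would lower the two informational lines to `LOG.debug("Times are in micro according to the magic number");` (and the nano equivalent) and emit the unknown-magic warning once per stream rather than once per packet. The microsecond branch and the default branch return the same expression and can be merged. The method has no Javadoc, and it should state that the result is nanoseconds since the epoch derived from the pcap global header's magic number.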
@@ -0,0 +1,288 @@ +// $codepro.audit.disable explicitThisUsage, lossOfPrecisionInCast +package com.opensoc.pcap; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.nio.BufferUnderflowException; +import java.util.ArrayList; +import java.util.List; + +import org.apache.log4j.Logger; +import org.krakenapps.pcap.PcapOutputStream; +import org.krakenapps.pcap.file.GlobalHeader; +import org.krakenapps.pcap.packet.PacketHeader; +import org.krakenapps.pcap.packet.PcapPacket; +import org.krakenapps.pcap.util.Buffer; + +// TODO: Auto-generated Javadoc +/** + * The Class PcapByteOutputStream. + * + * @author sheetal + * @version $Revision: 1.0 $ + */ +public class PcapByteOutputStream implements PcapOutputStream { + + /** The Constant LOG. */ + private static final Logger LOG = Logger + .getLogger(PcapByteOutputStream.class); + + /** The Constant MAX_CACHED_PACKET_NUMBER. */ + private static final int MAX_CACHED_PACKET_NUMBER = 1000; + + /** The cached packet num. */ + private int cachedPacketNum = 0; // NOPMD by sheetal on 1/29/14 2:34 PM + + /** The baos. */ + private ByteArrayOutputStream baos; // NOPMD by sheetal on 1/29/14 2:34 PM + + /** The list. */ + private List list; // NOPMD by sheetal on 1/29/14 2:34 PM + + /** + * Instantiates a new pcap byte output stream. + * + * @param baos + * the baos + */ + public PcapByteOutputStream(ByteArrayOutputStream baos) { + this.baos = baos; + list = new ArrayList(); + createGlobalHeader(); + } + + /** + * Instantiates a new pcap byte output stream. + * + * @param baos + * the baos + * @param header + * the header + */ + public PcapByteOutputStream(ByteArrayOutputStream baos, GlobalHeader header) { + this.baos = baos; + list = new ArrayList(); + copyGlobalHeader(header); + } + + /** + * Creates the global header. 
+ */ + private void createGlobalHeader() { + /* magic number(swapped) */ + list.add((byte) 0xd4); + list.add((byte) 0xc3); + list.add((byte) 0xb2); + list.add((byte) 0xa1); + + /* major version number */ + list.add((byte) 0x02); + list.add((byte) 0x00); + + /* minor version number */ + list.add((byte) 0x04); + list.add((byte) 0x00); + + /* GMT to local correction */ + list.add((byte) 0x00); + list.add((byte) 0x00); + list.add((byte) 0x00); + list.add((byte) 0x00); + + /* accuracy of timestamps */ + list.add((byte) 0x00); + list.add((byte) 0x00); + list.add((byte) 0x00); + list.add((byte) 0x00); + + /* max length of captured packets, in octets */ + list.add((byte) 0xff); + list.add((byte) 0xff); + list.add((byte) 0x00); + list.add((byte) 0x00); + + /* data link type(ethernet) */ + list.add((byte) 0x01); + list.add((byte) 0x00); + list.add((byte) 0x00); + list.add((byte) 0x00); + } + + /** + * Copy global header. + * + * @param header + * the header + */ + private void copyGlobalHeader(GlobalHeader header) { + final byte[] magicNumber = intToByteArray(header.getMagicNumber()); + final byte[] majorVersion = shortToByteArray(header.getMajorVersion()); + final byte[] minorVersion = shortToByteArray(header.getMinorVersion()); + final byte[] zone = intToByteArray(header.getThiszone()); + final byte[] sigFigs = intToByteArray(header.getSigfigs()); + final byte[] snapLen = intToByteArray(header.getSnaplen()); + final byte[] network = intToByteArray(header.getNetwork()); + + list.add(magicNumber[0]); + list.add(magicNumber[1]); + list.add(magicNumber[2]); + list.add(magicNumber[3]); + + list.add(majorVersion[1]); + list.add(majorVersion[0]); + + list.add(minorVersion[1]); + list.add(minorVersion[0]); + + list.add(zone[3]); + list.add(zone[2]); + list.add(zone[1]); + list.add(zone[0]); + + list.add(sigFigs[3]); + list.add(sigFigs[2]); + list.add(sigFigs[1]); + list.add(sigFigs[0]); + + list.add(snapLen[3]); + list.add(snapLen[2]); + list.add(snapLen[1]); + 
list.add(snapLen[0]); + + list.add(network[3]); + list.add(network[2]); + list.add(network[1]); + list.add(network[0]); + } + + /* + * (non-Javadoc) + * + * @see org.krakenapps.pcap.PcapOutputStream#write(org.krakenapps.pcap.packet + * .PcapPacket) + */ + /** + * Method write. + * + * @param packet + * PcapPacket + * + * + * @throws IOException + * * @see org.krakenapps.pcap.PcapOutputStream#write(PcapPacket) * @see + * org.krakenapps.pcap.PcapOutputStream#write(PcapPacket) + */ + + public void write(PcapPacket packet) throws IOException { + PacketHeader packetHeader = packet.getPacketHeader(); + + int tsSec = packetHeader.getTsSec(); + int tsUsec = packetHeader.getTsUsec(); + int inclLen = packetHeader.getInclLen(); + int origLen = packetHeader.getOrigLen(); + + addInt(tsSec); + addInt(tsUsec); + addInt(inclLen); + addInt(origLen); + + Buffer payload = packet.getPacketData(); + + try { + payload.mark(); + while (true) { + list.add(payload.get()); + } + } catch (BufferUnderflowException e) { + //LOG.debug("Ignorable exception while writing packet", e); + payload.reset(); + } + + cachedPacketNum++; + if (cachedPacketNum == MAX_CACHED_PACKET_NUMBER) { + flush(); + } + } + + /** + * Adds the int. + * + * @param number + * the number + */ + private void addInt(int number) { + list.add((byte) (number & 0xff)); + list.add((byte) ((number & 0xff00) >> 8)); + list.add((byte) ((number & 0xff0000) >> 16)); + list.add((byte) ((number & 0xff000000) >> 24)); + } + + /** + * Int to byte array. + * + * @param number + * the number + * + * @return the byte[] + */ + private byte[] intToByteArray(int number) { + return new byte[] { (byte) (number >>> 24), (byte) (number >>> 16), + (byte) (number >>> 8), (byte) number }; + } + + /** + * Short to byte array. 
+ * + * @param number + * the number + * + * @return the byte[] + */ + private byte[] shortToByteArray(short number) { + return new byte[] { (byte) (number >>> 8), (byte) number }; + } + + /* + * (non-Javadoc) + * + * @see org.krakenapps.pcap.PcapOutputStream#flush() + */ + /** + * Method flush. + * + * + * @throws IOException + * * @see org.krakenapps.pcap.PcapOutputStream#flush() * @see + * org.krakenapps.pcap.PcapOutputStream#flush() + */ + + public void flush() throws IOException { + byte[] fileBinary = new byte[list.size()]; + for (int i = 0; i < fileBinary.length; i++) { + fileBinary[i] = list.get(i); + } + + list.clear(); + baos.write(fileBinary); + cachedPacketNum = 0; + } + + /* + * (non-Javadoc) + * + * @see org.krakenapps.pcap.PcapOutputStream#close() + */ + /** + * Method close. + * + * + * @throws IOException + * * @see org.krakenapps.pcap.PcapOutputStream#close() * @see + * org.krakenapps.pcap.PcapOutputStream#close() + */ + + public void close() throws IOException { + flush(); + baos.close(); // $codepro.audit.disable closeInFinally + } +} diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapMerger.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapMerger.java new file mode 100644 index 0000000000..392523b709 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapMerger.java 
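Review bot: In `write(PcapPacket)` the record header is emitted with `inclLen` copied from the source packet header, and the payload is then copied until the buffer underflows, so nothing ties the length written to the number of bytes that follow it. If a packet from a truncated or untrusted capture carries an `inclLen` that disagrees with its data buffer, every later record in the output is mis-framed for the next reader. Count the bytes actually copied and write that count as the included length, or reject the packet when the two differ. The copy loop also relies on `BufferUnderflowException` for normal termination and boxes every byte into `list`; a bulk read into a `byte[]` would avoid both.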
@@ -0,0 +1,245 @@ + package com.opensoc.pcap; + +import java.io.ByteArrayOutputStream; +import java.io.EOFException; +import java.io.File; +import java.io.IOException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.List; + +import org.apache.commons.io.FileUtils; +import org.apache.log4j.Logger; + +import org.krakenapps.pcap.packet.PcapPacket; +import org.krakenapps.pcap.file.GlobalHeader; + +// TODO: Auto-generated Javadoc +/** + * The Class PcapMerger. + * + * @author sheetal + * @version $Revision: 1.0 $ + */ +public final class PcapMerger { + + /** The Constant LOG. */ + private static final Logger LOG = Logger.getLogger(PcapMerger.class); + + /** The comparator for PcapPackets */ + private static PcapPacketComparator PCAP_PACKET_COMPARATOR = new PcapPacketComparator(); + + /** + * Instantiates a new pcap merger. + */ + private PcapMerger() { // $codepro.audit.disable emptyMethod + } + + /** + * Merge two pcap byte arrays. + * + * @param baos + * the baos + * @param pcaps + * the pcaps + * + * @throws IOException + * if there is no byte array, no access permission, or other io + * related problems. 
+ */ + // public static void merge(byte[] to, byte[] from) throws IOException { + // PcapByteInputStream is = null; + // PcapByteOutputStream os = null; + // ByteArrayOutputStream baos = null; + // try { + // is = new PcapByteInputStream(from); + // baos = new ByteArrayOutputStream(); + // os = new PcapByteOutputStream(baos, is.getGlobalHeader()); + // + // writePacket(is, os); + // } finally { + // closeInput(is); + // if (baos != null) { + // baos.close(); + // } + // closeOutput(os); + // } + // } + + public static void merge(ByteArrayOutputStream baos, List pcaps) + throws IOException { + PcapByteInputStream is = null; + PcapByteOutputStream os = null; + ByteArrayOutputStream unsortedBaos = new ByteArrayOutputStream(); + + try { + int i = 1; + for (byte[] pcap : pcaps) { + is = new PcapByteInputStream(pcap); + if (i == 1) { + os = new PcapByteOutputStream(unsortedBaos, is.getGlobalHeader()); + } + + writePacket(is, os); + i++; + closeInput(is); + } + } finally { + if (unsortedBaos != null) { + unsortedBaos.close(); + } + closeOutput(os); + sort(baos, unsortedBaos.toByteArray()); + } + } + + /** + * Merge byte array1 with byte array2, and write to output byte array. It + * doesn't hurt original pcap dump byte arrays. + * + * @param baos + * the baos + * @param pcaps + * the pcaps + * + * @throws IOException + * if there are no source byte arrays, have no read and/or write + * permissions, or anything else. + */ + public static void merge(ByteArrayOutputStream baos, byte[]... pcaps) // $codepro.audit.disable + // overloadedMethods + throws IOException { + merge(baos, Arrays.asList(pcaps)); + + } + + /** + * Sort the potentially unsorted byte array according to the timestamp + * in the packet header + * + * @param unsortedBytes + * a byte array of a pcap file + * + * @return byte array of a pcap file with packets in cronological order + * + * @throws IOException + * if there are no source byte arrays, have no read and or write + * permission, or anything else. 
+ */ + private static void sort(ByteArrayOutputStream baos, byte[] unsortedBytes) throws IOException { + PcapByteInputStream pcapIs = new PcapByteInputStream(unsortedBytes); + PcapByteOutputStream pcapOs = new PcapByteOutputStream(baos, pcapIs.getGlobalHeader()); + PcapPacket packet; + ArrayList packetList = new ArrayList(); + + try { + while (true) { + packet = pcapIs.getPacket(); + if (packet == null) + break; + packetList.add(packet); + LOG.debug("Presort packet: " + packet.getPacketHeader().toString()); + } + } catch (EOFException e) { + //LOG.debug("Ignoreable exception in sort", e); + } + + Collections.sort(packetList, PCAP_PACKET_COMPARATOR); + for (PcapPacket p : packetList) { + pcapOs.write(p); + LOG.debug("Postsort packet: " + p.getPacketHeader().toString()); + } + pcapOs.close(); + } + + /** + * Write packet. + * + * @param is + * the is + * @param os + * the os + * + * @throws IOException + * Signals that an I/O exception has occurred. + */ + private static void writePacket(PcapByteInputStream is, + PcapByteOutputStream os) throws IOException { + PcapPacket packet = null; + try { + while (true) { + packet = is.getPacket(); + if (packet == null) { + break; + } + os.write(packet); + } + } catch (EOFException e) { + //LOG.debug("Ignorable exception in writePacket", e); + } + + } + + /** + * Close input. + * + * @param is + * the is + */ + private static void closeInput(PcapByteInputStream is) { + if (is == null) { + return; + } + try { + is.close(); // $codepro.audit.disable closeInFinally + } catch (IOException e) { + LOG.error("Failed to close input stream", e); + } + } + + /** + * Close output. + * + * @param os + * the os + */ + private static void closeOutput(PcapByteOutputStream os) { + if (os == null) { + return; + } + try { + os.close(); + } catch (IOException e) { + LOG.error("Failed to close output stream", e); + + } + } + + /** + * The main method. 
+ * + * @param args + * the arguments + * + * @throws IOException + * Signals that an I/O exception has occurred. + */ + public static void main(String[] args) throws IOException { + byte[] b1 = FileUtils.readFileToByteArray(new File( + "/Users/sheetal/Downloads/constructedTcpDump.1.pcap")); + byte[] b2 = FileUtils.readFileToByteArray(new File( + "/Users/sheetal/Downloads/constructedTcpDump.2.pcap")); + byte[] b3 = FileUtils.readFileToByteArray(new File( + "/Users/sheetal/Downloads/constructedTcpDump.3.pcap")); + + ByteArrayOutputStream boas = new ByteArrayOutputStream(); // $codepro.audit.disable + // closeWhereCreated + PcapMerger.merge(boas, b1, b2, b3); + + FileUtils.writeByteArrayToFile(new File( + "/Users/sheetal/Downloads/constructedTcpDump.automerged.1.2.pcap"), + boas.toByteArray(), false); + + } +} diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapPacketComparator.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapPacketComparator.java new file mode 100644 index 0000000000..29a24146ff --- /dev/null +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapPacketComparator.java @@ -0,0 +1,22 @@ +package com.opensoc.pcap; + +import java.util.Comparator; + +import org.apache.log4j.Logger; + +import org.krakenapps.pcap.packet.PcapPacket; + +public class PcapPacketComparator implements Comparator { + + /** The Constant LOG. */ + private static final Logger LOG = Logger.getLogger(PcapMerger.class); + + public int compare(PcapPacket p1, PcapPacket p2) { + + Long p1time = new Long(p1.getPacketHeader().getTsSec()) * 1000000L + new Long(p1.getPacketHeader().getTsUsec()); + Long p2time = new Long(p2.getPacketHeader().getTsSec()) * 1000000L + new Long(p2.getPacketHeader().getTsUsec()); + Long delta = p1time - p2time; + LOG.debug("p1time: " + p1time.toString() + " p2time: " + p2time.toString() + " delta: " + delta.toString()); + return delta.intValue(); + } +} 
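Review bot: In `merge(ByteArrayOutputStream, List)` the `finally` block calls `sort(baos, unsortedBaos.toByteArray())`, so the sort runs even when reading an input failed, and any exception it throws replaces the original one. With an empty `pcaps` list `os` is never created and `sort` is handed a zero-length array, which `PcapByteInputStream` presumably rejects when it looks for a global header. Move the `sort` call after the `try` block, fail fast on an empty list, and put `closeInput(is)` in a per-iteration `finally` so an input that fails mid-read is still closed. The `main` method with hard-coded `/Users/sheetal/...` paths belongs in a test or example rather than in this class.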
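Review bot: `compare` returns `delta.intValue()`, which truncates a microsecond difference held in a `long`; once two packets are more than about 35 minutes apart (2^31 µs) the sign can flip, so `Collections.sort` in PcapMerger may order a merged capture wrongly or fail with a comparator-contract error. Return `Long.compare(p1time, p2time)` instead, or `p1time.compareTo(p2time)` on older JDKs. The `LOG.debug` string is concatenated on every comparison even when debug is off, and the logger is created with `PcapMerger.class` rather than `PcapPacketComparator.class`.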
diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapParser.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapParser.java
new file mode 100644
index 0000000000..abc0873d88
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapParser.java
@@ -0,0 +1,183 @@ +package com.opensoc.pcap; + +import java.io.EOFException; +import java.io.File; +import java.io.IOException; +import java.util.ArrayList; +import java.util.List; + +import org.apache.commons.io.FileUtils; +import org.apache.log4j.Logger; +import org.krakenapps.pcap.decoder.ethernet.EthernetDecoder; +import org.krakenapps.pcap.decoder.ethernet.EthernetType; +import org.krakenapps.pcap.decoder.ip.IpDecoder; +import org.krakenapps.pcap.decoder.ip.Ipv4Packet; +import org.krakenapps.pcap.decoder.tcp.TcpPacket; +import org.krakenapps.pcap.decoder.udp.UdpPacket; +import org.krakenapps.pcap.file.GlobalHeader; +import org.krakenapps.pcap.packet.PacketHeader; +import org.krakenapps.pcap.packet.PcapPacket; +import org.krakenapps.pcap.util.Buffer; + +// TODO: Auto-generated Javadoc +/** + * The Class PcapParser. + * + * @author sheetal + * @version $Revision: 1.0 $ + */ +public final class PcapParser { + + /** The Constant LOG. */ + private static final Logger LOG = Logger.getLogger(PcapParser.class); + + /** The ETHERNET_DECODER. */ + private static final EthernetDecoder ETHERNET_DECODER = new EthernetDecoder(); + + /** The ip decoder. */ + private static final IpDecoder IP_DECODER = new IpDecoder(); + + // /** The tcp decoder. */ + // private static final TcpDecoder TCP_DECODER = new TcpDecoder(new + // TcpPortProtocolMapper()); + // + // /** The udp decoder. */ + // private static final UdpDecoder UDP_DECODER = new UdpDecoder(new + // UdpPortProtocolMapper()); + + static { + // IP_DECODER.register(InternetProtocol.TCP, TCP_DECODER); + // IP_DECODER.register(InternetProtocol.UDP, UDP_DECODER); + ETHERNET_DECODER.register(EthernetType.IPV4, IP_DECODER); + } + + /** + * Instantiates a new pcap parser. + */ + private PcapParser() { // $codepro.audit.disable emptyMethod + + } + + /** + * Parses the. + * + * @param tcpdump + * the tcpdump + * @return the list * @throws IOException Signals that an I/O exception has + * occurred. 
* @throws IOException * @throws IOException * @throws + * IOException + * @throws IOException + * Signals that an I/O exception has occurred. + */ + public static List parse(byte[] tcpdump) throws IOException { + List packetInfoList = new ArrayList(); + + PcapByteInputStream pcapByteInputStream = new PcapByteInputStream(tcpdump); + + GlobalHeader globalHeader = pcapByteInputStream.getGlobalHeader(); + while (true) { + try + + { + PcapPacket packet = pcapByteInputStream.getPacket(); + // int packetCounter = 0; + // PacketHeader packetHeader = null; + // Ipv4Packet ipv4Packet = null; + TcpPacket tcpPacket = null; + UdpPacket udpPacket = null; + // Buffer packetDataBuffer = null; + int sourcePort = 0; + int destinationPort = 0; + + // LOG.trace("Got packet # " + ++packetCounter); + + // LOG.trace(packet.getPacketData()); + ETHERNET_DECODER.decode(packet); + + PacketHeader packetHeader = packet.getPacketHeader(); + Ipv4Packet ipv4Packet = Ipv4Packet.parse(packet.getPacketData()); + + if (ipv4Packet.getProtocol() == Constants.PROTOCOL_TCP) { + tcpPacket = TcpPacket.parse(ipv4Packet); + + } + + if (ipv4Packet.getProtocol() == Constants.PROTOCOL_UDP) { + + Buffer packetDataBuffer = ipv4Packet.getData(); + sourcePort = packetDataBuffer.getUnsignedShort(); + destinationPort = packetDataBuffer.getUnsignedShort(); + + udpPacket = new UdpPacket(ipv4Packet, sourcePort, destinationPort); + + udpPacket.setLength(packetDataBuffer.getUnsignedShort()); + udpPacket.setChecksum(packetDataBuffer.getUnsignedShort()); + packetDataBuffer.discardReadBytes(); + udpPacket.setData(packetDataBuffer); + } + + packetInfoList.add(new PacketInfo(globalHeader, packetHeader, packet, + ipv4Packet, tcpPacket, udpPacket)); + } catch (NegativeArraySizeException ignored) { + LOG.debug("Ignorable exception while parsing packet.", ignored); + } catch (EOFException eof) { // $codepro.audit.disable logExceptions + // Ignore exception and break + break; + } + } + return packetInfoList; + } + + /** + * The 
main method. + * + * @param args + * the arguments + * @throws IOException + * Signals that an I/O exception has occurred. + * @throws InterruptedException + * the interrupted exception + */ + public static void main(String[] args) throws IOException, + InterruptedException { + + double totalIterations = 1000000; + double parallelism = 64; + double targetEvents = 1000000; + + File fin = new File("/Users/sheetal/Downloads/udp.pcap"); + File fout = new File(fin.getAbsolutePath() + ".parsed"); + byte[] pcapBytes = FileUtils.readFileToByteArray(fin); + long startTime = System.currentTimeMillis(); + for (int i = 0; i < totalIterations; i++) { + List list = parse(pcapBytes); + + for (PacketInfo packetInfo : list) { + // FileUtils.writeStringToFile(fout, packetInfo.getJsonDoc(), true); + // FileUtils.writeStringToFile(fout, "\n", true); + // System.out.println(packetInfo.getJsonDoc()); + } + } + long endTime = System.currentTimeMillis(); + + System.out.println("Time taken to process " + totalIterations + " events :" + + (endTime - startTime) + " milliseconds"); + + System.out + .println("With parallelism of " + + parallelism + + " estimated time to process " + + targetEvents + + " events: " + + (((((endTime - startTime) / totalIterations) * targetEvents) / parallelism) / 1000) + + " seconds"); + System.out.println("With parallelism of " + parallelism + + " estimated # of events per second: " + + ((parallelism * 1000 * totalIterations) / (endTime - startTime)) + + " events"); + System.out.println("Expected Parallelism to process " + targetEvents + + " events in a second: " + + (targetEvents / ((1000 * totalIterations) / (endTime - startTime)))); + } + +} diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapUtils.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapUtils.java index 8d06caa442..8f9520fbc3 100644 --- a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapUtils.java 
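Review bot: `parse(byte[])` never checks the result of `pcapByteInputStream.getPacket()` for null, although PcapMerger in this same patch treats a null return as end of input; if the stream returns null here, the next statement dereferences it. Add `if (packet == null) break;` directly after the call. The loop also passes every frame to `Ipv4Packet.parse` without checking the EtherType, and the UDP branch reads four unsigned shorts without checking that eight bytes remain, while only `NegativeArraySizeException` is caught. Depending on what the krakenapps parsers throw, one truncated or non-IPv4 packet may therefore abort parsing of the whole capture; handling the buffer-underflow case per packet and skipping that frame at debug level would keep the rest.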
+++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/PcapUtils.java @@ -280,6 +280,33 @@ public static String getSessionKey(String srcIp, String dstIp, int protocol, return sb.toString(); } + /** + * Gets the short session key. (5-tuple only) + * + * @param srcIp + * the src ip + * @param dstIp + * the dst ip + * @param protocol + * the protocol + * @param srcPort + * the src port + * @param dstPort + * the dst port + * @return the session key + */ + public static String getShortSessionKey(String srcIp, String dstIp, int protocol, + int srcPort, int dstPort) { + String keySeperator = "-"; + StringBuffer sb = new StringBuffer(40); + sb.append(convertIpv4IpToHex(srcIp)).append(keySeperator) + .append(convertIpv4IpToHex(dstIp)).append(keySeperator) + .append(protocol).append(keySeperator).append(srcPort) + .append(keySeperator).append(dstPort); + + return sb.toString(); + } + // public static String convertPortToHex(String portNumber) { // return convertPortToHex(Integer.valueOf(portNumber)); // diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/asdf.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/asdf.java deleted file mode 100644 index db2c2b2833..0000000000 --- a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/pcap/asdf.java +++ /dev/null @@ -1,5 +0,0 @@ -package com.opensoc.pcap; - -public class asdf { - -} diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/test/AbstractConfigTest.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/test/AbstractConfigTest.java new file mode 100644 index 0000000000..7484e16d2b --- /dev/null +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/test/AbstractConfigTest.java 
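Review bot: The Javadoc for `getShortSessionKey` does not state the key format or that it depends on direction: the body joins hex source IP, hex destination IP, protocol, source port and destination port with `-`, so the two directions of one flow get different keys. This patch also switches `pcap_id` to `getShortKey()`, which presumably wraps this method, so consumers of the index need that spelled out, e.g. `@return key of the form srcIpHex-dstIpHex-protocol-srcPort-dstPort (direction-sensitive)`. `StringBuffer` can be `StringBuilder` because `sb` never leaves the method, and `keySeperator` is misspelled. The enclosing class starts and ends outside the hunk.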
@@ -0,0 +1,299 @@ + + + /* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.opensoc.test; +import java.io.BufferedReader; +import java.io.File; +import java.io.FileReader; +import java.net.URL; +import java.util.ArrayList; +import java.util.Map; + +import org.apache.commons.configuration.Configuration; +import org.apache.commons.configuration.ConfigurationException; +import org.apache.commons.configuration.PropertiesConfiguration; + +import com.fasterxml.jackson.databind.JsonNode; +import com.github.fge.jackson.JsonLoader; +import com.github.fge.jsonschema.core.report.ProcessingReport; +import com.github.fge.jsonschema.main.JsonSchemaFactory; +import com.github.fge.jsonschema.main.JsonValidator; +import com.opensoc.helpers.topology.SettingsLoader; + + /** + *

    + *
  • Title:
  • + *
  • Description: The class AbstractConfigTest is + * an abstract base class for implementing JUnit tests that need to use + * config to connect to ZooKeeper and HBase. The setup method will attempt to + * load a properties from a file, located in src/test/resources, + * with the same name as the class.
  • + *
  • Created: Oct 10, 2014
  • + *
+ * @version $Revision: 1.1 $ + */ +public class AbstractConfigTest extends AbstractTestContext{ + /** + * The configPath. + */ + protected String configPath=null; + + /** + * The configName. + */ + protected String configName=null; + + /** + * The config. + */ + private Configuration config=null; + + /** + * The settings. + */ + Map settings=null; + + /** + * The schemaJsonString. + */ + private String schemaJsonString = null; + /** + * Any Object for mavenMode + * @parameter + * expression="${mode}" + * default-value="local" + */ + private Object mode="local"; + + /** + * Constructs a new AbstractConfigTest instance. + * @throws Exception + */ + public AbstractConfigTest() throws Exception { + super.setUp(); + } + + /** + * Constructs a new AbstractTestContext instance. + * @param name the name of the test case. + */ + public AbstractConfigTest(String name) { + super(name); + } + + /* + * (non-Javadoc) + * @see junit.framework.TestCase#setUp() + */ + protected void setUp(String configName) throws Exception { + super.setUp(); + this.setConfigPath("src/test/resources/config/"+getClass().getSimpleName()+".config"); + try { + this.setConfig(new PropertiesConfiguration(this.getConfigPath())); + + Map configOptions= SettingsLoader.getConfigOptions((PropertiesConfiguration)this.config, configName+"="); + this.setSettings(SettingsLoader.getConfigOptions((PropertiesConfiguration)this.config, configName + ".")); + this.getSettings().put(configName, (String) configOptions.get(configName)); + } catch (ConfigurationException e) { + fail("Config not found !!"+e); + e.printStackTrace(); + } + } + + /* + * (non-Javadoc) + * @see junit.framework.TestCase#tearDown() + */ + @Override + protected void tearDown() throws Exception { + + } + + + /** + * validateJsonData + * @param jsonSchema + * @param jsonData + * @return + * @throws Exception + */ + + protected boolean validateJsonData(final String jsonSchema, final String jsonData) + throws Exception { + + final JsonNode d = 
JsonLoader.fromString(jsonData); + final JsonNode s = JsonLoader.fromString(jsonSchema); + + final JsonSchemaFactory factory = JsonSchemaFactory.byDefault(); + JsonValidator v = factory.getValidator(); + + ProcessingReport report = v.validate(s, d); + System.out.println(report); + + return report.toString().contains("success"); + } + + protected String readSchemaFromFile(URL schema_url) throws Exception { + BufferedReader br = new BufferedReader(new FileReader( + schema_url.getFile())); + String line; + StringBuilder sb = new StringBuilder(); + while ((line = br.readLine()) != null) { + System.out.println(line); + sb.append(line); + } + br.close(); + + String schema_string = sb.toString().replaceAll("\n", ""); + schema_string = schema_string.replaceAll(" ", ""); + + System.out.println("Read in schema: " + schema_string); + + return schema_string; + } + + protected String[] readTestDataFromFile(String test_data_url) throws Exception { + BufferedReader br = new BufferedReader(new FileReader( + new File(test_data_url))); + ArrayList inputDataLines = new ArrayList(); + + String line; + while ((line = br.readLine()) != null) { + System.out.println(line); + inputDataLines.add(line.toString().replaceAll("\n", "")); + } + br.close(); + String[] inputData = new String[inputDataLines.size()]; + inputData = inputDataLines.toArray(inputData); + + return inputData; + } + /** + * Skip Tests + */ + public boolean skipTests(Object mode){ + if(mode.toString().equals("local")){ + return true; + }else { + return false; + } + } + + /** + * Returns the mode. + * @return the mode. + */ + + public Object getMode() { + return mode; + } + + /** + * Sets the mode. + * @param mode the mode. 
+ */ + + public void setMode(Object mode) { + + this.mode = mode; + } + + + /** + * @param readSchemaFromFile + */ + public void setSchemaJsonString(String schemaJsonString) { + this.schemaJsonString=schemaJsonString; + } + + + /** + * @return + */ + public String getSchemaJsonString() { + return this.schemaJsonString; + } + + /** + * Returns the configPath. + * @return the configPath. + */ + public String getConfigPath() { + return configPath; + } + + /** + * Sets the configPath. + * @param configPath the configPath. + */ + public void setConfigPath(String configPath) { + this.configPath = configPath; + } + /** + * Returns the config. + * @return the config. + */ + + public Configuration getConfig() { + return config; + } + + /** + * Sets the config. + * @param config the config. + */ + + public void setConfig(Configuration config) { + + this.config = config; + } + /** + * Returns the settings. + * @return the settings. + */ + + public Map getSettings() { + return settings; + } + + /** + * Sets the settings. + * @param settings the settings. + */ + + public void setSettings(Map settings) { + this.settings = settings; + } + /** + * Returns the configName. + * @return the configName. + */ + public String getConfigName() { + return configName; + } + + /** + * Sets the configName. + * @param configName the configName. + */ + public void setConfigName(String configName) { + this.configName = configName; + } +} + + diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/test/AbstractSchemaTest.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/test/AbstractSchemaTest.java new file mode 100644 index 0000000000..670d7f9c6d --- /dev/null +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/test/AbstractSchemaTest.java 
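Review bot: `validateJsonData` decides the outcome with `report.toString().contains("success")`, which passes whenever that word appears anywhere in the rendered report, including inside a message or a quoted data value of a failed validation; use `return report.isSuccess();`. The same method is duplicated in AbstractSchemaTest later in this patch and needs the same change. In `readSchemaFromFile` and `readTestDataFromFile` the reader is closed only on the success path, so wrap it in `try`/`finally`. In `setUp(String)` the `e.printStackTrace()` after `fail(...)` is never reached, because `fail` throws.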
@@ -0,0 +1,198 @@ + + + /* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.opensoc.test; +import java.io.BufferedReader; +import java.io.FileReader; +import java.net.URL; + +import com.fasterxml.jackson.databind.JsonNode; +import com.github.fge.jackson.JsonLoader; +import com.github.fge.jsonschema.core.report.ProcessingReport; +import com.github.fge.jsonschema.main.JsonSchemaFactory; +import com.github.fge.jsonschema.main.JsonValidator; + + /** + *
    + *
  • Title:
  • + *
  • Description: The class AbstractSchemaTest is + * an abstract base class for implementing JUnit tests that need to load a + * Json Schema. The setup method will attempt to + * load a properties from a file, located in src/test/resources, + * with the same name as the class.
  • + *
  • Created: Aug 7, 2014
  • + *
+ * @version $Revision: 1.1 $ + */ +public class AbstractSchemaTest extends AbstractConfigTest{ + + + /** + * The schemaJsonString. + */ + private String schemaJsonString = null; + /** + * Any Object for mavenMode + * @parameter + * expression="${mode}" + * default-value="local" + */ + private Object mode="local"; + + /** + * Constructs a new AbstractTestContext instance. + * @throws Exception + */ + public AbstractSchemaTest() throws Exception { + super.setUp(); + } + + /** + * Constructs a new AbstractTestContext instance. + * @param name the name of the test case. + */ + public AbstractSchemaTest(String name) { + super(name); + try{ + if(System.getProperty("mode")!=null){ + setMode(System.getProperty("mode") ); + }else + { + setMode("local"); + } + }catch(Exception ex){ + setMode("local"); + } + } + + /* + * (non-Javadoc) + * @see junit.framework.TestCase#setUp() + */ + @Override + protected void setUp() throws Exception { + super.setUp(); + + } + + /* + * (non-Javadoc) + * @see junit.framework.TestCase#tearDown() + */ + @Override + protected void tearDown() throws Exception { + + } + + + /** + * validateJsonData + * @param jsonSchema + * @param jsonData + * @return + * @throws Exception + */ + + protected boolean validateJsonData(final String jsonSchema, final String jsonData) + throws Exception { + + final JsonNode d = JsonLoader.fromString(jsonData); + final JsonNode s = JsonLoader.fromString(jsonSchema); + + final JsonSchemaFactory factory = JsonSchemaFactory.byDefault(); + JsonValidator v = factory.getValidator(); + + ProcessingReport report = v.validate(s, d); + System.out.println(report); + + return report.toString().contains("success"); + } + + protected String readSchemaFromFile(URL schema_url) throws Exception { + BufferedReader br = new BufferedReader(new FileReader( + schema_url.getFile())); + String line; + StringBuilder sb = new StringBuilder(); + while ((line = br.readLine()) != null) { + System.out.println(line); + sb.append(line); + } + 
br.close(); + + String schema_string = sb.toString().replaceAll("\n", ""); + schema_string = schema_string.replaceAll(" ", ""); + + System.out.println("Read in schema: " + schema_string); + + return schema_string; + + } + + /** + * Skip Tests + */ + public boolean skipTests(Object mode){ + if(mode.toString().equals("local")){ + return true; + }else { + return false; + } + } + + /** + * Returns the mode. + * @return the mode. + */ + + public Object getMode() { + return mode; + } + + /** + * Sets the mode. + * @param mode the mode. + */ + + public void setMode(Object mode) { + + this.mode = mode; + } + + + /** + + * @param readSchemaFromFile + */ + + public void setSchemaJsonString(String schemaJsonString) { + this.schemaJsonString=schemaJsonString; + } + + + /** + + * @return + */ + + public String getSchemaJsonString() { + return this.schemaJsonString; + } + +} + + diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/test/AbstractTestContext.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/test/AbstractTestContext.java index 7f7f34a721..ea5b04fb6d 100644 --- a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/test/AbstractTestContext.java +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/test/AbstractTestContext.java @@ -52,7 +52,7 @@ public class AbstractTestContext extends TestCase{ * Any Object for mavenMode * @parameter * expression="${mode}" - * default-value="local" + * default-value="global" */ private Object mode="local"; diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/test/ISEParserTest.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/test/ISEParserTest.java deleted file mode 100644 index 47061b6dbd..0000000000 --- a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/test/ISEParserTest.java +++ /dev/null 
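Review bot: AbstractSchemaTest extends AbstractConfigTest yet redeclares `mode`, `schemaJsonString`, `validateJsonData`, `readSchemaFromFile`, `skipTests` and the mode and schema accessors with the same bodies, so the two copies can drift apart and the subclass keeps its own separate copy of state the parent already holds. Drop the duplicates and keep only what differs, which from this hunk is the `System.getProperty("mode")` handling in the `String` constructor. That constructor's `catch (Exception ex)` silently falls back to `"local"`; a comment such as `// property access may be denied by a security manager; default to local` would explain why, if that is the intent.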
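Review bot: The Javadoc tag now reads `default-value="global"` while the field it documents is still initialised with `mode="local"`, and the new AbstractConfigTest and AbstractSchemaTest in this patch both keep `default-value="local"`. If the default was meant to change, the initializer should change with it; otherwise revert the tag so the comment matches `private Object mode="local";`. The enclosing class continues outside the hunk.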
@@ -1,27 +0,0 @@
-package com.opensoc.test;
-
-import java.io.BufferedReader;
-import java.io.DataInputStream;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.StringReader;
-import java.util.Iterator;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import org.json.simple.JSONObject;
-
-import com.opensoc.ise.parser.ISEParser;
-import com.opensoc.ise.parser.ParseException;
-
-public class ISEParserTest {
-
- public static void main(String[] args) throws ParseException, IOException {
- }
-
-}
-
-
diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/tldextractor/BasicTldExtractor.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/tldextractor/BasicTldExtractor.java
new file mode 100644
index 0000000000..2dbcd955ba
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/tldextractor/BasicTldExtractor.java
@@ -0,0 +1,137 @@ +package com.opensoc.tldextractor; + +import java.io.BufferedReader; +import java.io.IOException; +import java.io.InputStreamReader; +import java.io.Serializable; +import java.util.ArrayList; +import java.util.Collections; +import java.util.Comparator; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +public class BasicTldExtractor implements Serializable { + private static final long serialVersionUID = -7440226111118873815L; + private StringBuilder sb = new StringBuilder(); + + private Pattern pattern; + + /** + * The inputFile. + */ + private String inputFile ="effective_tld_names.dat"; + + public BasicTldExtractor(String filePath) { + this.inputFile=filePath; + this.init(); + } + + public BasicTldExtractor() { + this.init(); + } + + private void init(){ + try { + ArrayList terms = new ArrayList(); + + + BufferedReader br = new BufferedReader(new InputStreamReader( + getClass().getClassLoader().getResourceAsStream(inputFile))); + String s = null; + while ((s = br.readLine()) != null) { + s = s.trim(); + if (s.length() == 0 || s.startsWith("//") || s.startsWith("!")) + continue; + terms.add(s); + } + Collections.sort(terms, new StringLengthComparator()); + for (String t : terms) + add(t); + compile(); + br.close(); + } catch (IOException e) { + throw new IllegalStateException(e); + } + } + protected void add(String s) { + s = s.replace(".", "\\."); + s = "\\." 
+ s; + if (s.startsWith("*")) { + s = s.replace("*", ".+"); + sb.append(s).append("|"); + } else { + sb.append(s).append("|"); + } + } + + public void compile() { + if (sb.length() > 0) + sb.deleteCharAt(sb.length() - 1); + sb.insert(0, "[^.]+?("); + sb.append(")$"); + pattern = Pattern.compile(sb.toString()); + sb = null; + } + + public String extract2LD(String host) { + Matcher m = pattern.matcher(host); + if (m.find()) { + return m.group(0); + } + return null; + } + + public String extractTLD(String host) { + Matcher m = pattern.matcher(host); + if (m.find()) { + return m.group(1); + } + return null; + } + + public static class StringLengthComparator implements Comparator { + public int compare(String s1, String s2) { + if (s1.length() > s2.length()) + return -1; + if (s1.length() < s2.length()) + return 1; + return 0; + } + } + /** + * Returns the sb. + * @return the sb. + */ + + public StringBuilder getSb() { + return sb; + } + + /** + * Sets the sb. + * @param sb the sb. + */ + + public void setSb(StringBuilder sb) { + + this.sb = sb; + } + /** + * Returns the inputFile. + * @return the inputFile. + */ + + public String getInputFile() { + return inputFile; + } + + /** + * Sets the inputFile. + * @param inputFile the inputFile. + */ + + public void setInputFile(String inputFile) { + + this.inputFile = inputFile; + } +} \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/tldextractor/test/BasicTldExtractorTest.java b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/tldextractor/test/BasicTldExtractorTest.java new file mode 100644 index 0000000000..03cc065655 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Common/src/main/java/com/opensoc/tldextractor/test/BasicTldExtractorTest.java 
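Review bot: In `add`, the wildcard branch can never run, because `s = "\\." + s;` executes before `if (s.startsWith("*"))`; a rule such as `*.bd` is therefore compiled as `\.*\.bd`, where `\.*` means "zero or more dots" rather than "any one label". Hosts under the wildcard suffixes in effective_tld_names.dat then get the wrong suffix from `extractTLD` and `extract2LD`, which matters if downstream enrichment or list matching keys on that value. Test for the wildcard first and quote the literal part, e.g. `s = s.startsWith("*.") ? "\\.[^.]+" + Pattern.quote(s.substring(1)) : Pattern.quote("." + s);` followed by `sb.append(s).append("|");`. Separately, `init` drops the `!` exception rules, reads the list in the platform charset although it contains non-ASCII entries, and passes `getResourceAsStream(inputFile)` on unchecked, so a missing resource surfaces as a NullPointerException; an explicit UTF-8 reader and a null check would make those failures visible.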
@@ -0,0 +1,125 @@ + + + /* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.opensoc.tldextractor.test; + +import com.opensoc.test.AbstractConfigTest; +import com.opensoc.tldextractor.BasicTldExtractor; + + + /** + *
    + *
  • Title: Basic TLD Extractor Test
  • + *
  • Description: Basic TLD Extractor class test
  • + *
  • Created: Feb 26, 2015
  • + *
+ * @author $Author: $ + * @version $Revision: 1.1 $ + */ +public class BasicTldExtractorTest extends AbstractConfigTest { + /** + * The tldExtractor. + */ + + private BasicTldExtractor tldExtractor=null; + + /** + * Constructs a new BasicTldExtractorTest instance. + * @param name + */ + + public BasicTldExtractorTest(String name) { + super(name); + } + + /** + + * @throws java.lang.Exception + */ + protected static void setUpBeforeClass() throws Exception { + } + + /** + + * @throws java.lang.Exception + */ + protected static void tearDownAfterClass() throws Exception { + } + + /* + * (non-Javadoc) + * @see junit.framework.TestCase#setUp() + */ + + protected void setUp() throws Exception { + super.setUp("com.opensoc.tldextractor.test.BasicTldExtractorTest"); + this.tldExtractor=new BasicTldExtractor(this.getConfig().getString("logFile")); + } + + /* + * (non-Javadoc) + * @see junit.framework.TestCase#tearDown() + */ + + protected void tearDown() throws Exception { + super.tearDown(); + } + + /** + * Test method for {@link com.opensoc.tldextractor.BasicTldExtractor#BasicTldExtractor()}. + */ + public void testBasicTldExtractor() { + assertNotNull(this.tldExtractor); + } + + /** + * Test method for {@link com.opensoc.tldextractor.BasicTldExtractor#extract2LD(java.lang.String)}. + */ + public void testExtract2LD() { + //fail("Not yet implemented"); + } + + /** + * Test method for {@link com.opensoc.tldextractor.BasicTldExtractor#extractTLD(java.lang.String)}. + */ + public void testExtractTLD() + { + String result = this.tldExtractor.extractTLD("cisco.com"); + System.out.println("result ="+result); + } + /** + * Returns the tldExtractor. + * @return the tldExtractor. + */ + + public BasicTldExtractor getTldExtractor() { + return tldExtractor; + } + + /** + * Sets the tldExtractor. + * @param tldExtractor the tldExtractor. + */ + + public void setTldExtractor(BasicTldExtractor tldExtractor) { + + this.tldExtractor = tldExtractor; + } + +} + 
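Review bot: `testExtractTLD` only prints the result and `testExtract2LD` has an empty body, so neither test can fail and the extractor's behaviour is not pinned. Replace the print with an assertion such as `assertEquals(".com", result);` (the leading dot presumably comes from the `\.` prefix that `add` puts on every alternative) and give `testExtract2LD` a matching `assertEquals("cisco.com", this.tldExtractor.extract2LD("cisco.com"));`. Cases for a wildcard rule and an exception rule from the list, such as `*.ck` with `!www.ck`, would be worth adding next to them. The file is also added under src/main/java rather than src/test/java, so it would ship with the main artifact.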
diff --git a/opensoc-streaming/OpenSOC-Common/src/test/resources/config/BasicTldExtractorTest.config b/opensoc-streaming/OpenSOC-Common/src/test/resources/config/BasicTldExtractorTest.config
new file mode 100644
index 0000000000..6b3dc05f02
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-Common/src/test/resources/config/BasicTldExtractorTest.config
@@ -0,0 +1,2 @@
+#BasicTldExtractorConfig
+logFile=effective_tld_names.dat
diff --git a/opensoc-streaming/OpenSOC-Common/src/test/resources/effective_tld_names.dat b/opensoc-streaming/OpenSOC-Common/src/test/resources/effective_tld_names.dat
new file mode 100644
index 0000000000..36e5d4c1c8
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-Common/src/test/resources/effective_tld_names.dat
@@ -0,0 +1,9719 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// ===BEGIN ICANN DOMAINS=== + +// ac : http://en.wikipedia.org/wiki/.ac +ac +com.ac +edu.ac +gov.ac +net.ac +mil.ac +org.ac + +// ad : http://en.wikipedia.org/wiki/.ad +ad +nom.ad + +// ae : http://en.wikipedia.org/wiki/.ae +// see also: "Domain Name Eligibility Policy" at http://www.aeda.ae/eng/aepolicy.php +ae +co.ae +net.ae +org.ae +sch.ae +ac.ae +gov.ae +mil.ae + +// aero : see http://www.information.aero/index.php?id=66 +aero +accident-investigation.aero +accident-prevention.aero +aerobatic.aero +aeroclub.aero +aerodrome.aero +agents.aero +aircraft.aero +airline.aero +airport.aero +air-surveillance.aero +airtraffic.aero +air-traffic-control.aero +ambulance.aero +amusement.aero +association.aero +author.aero +ballooning.aero +broker.aero +caa.aero +cargo.aero +catering.aero +certification.aero +championship.aero +charter.aero +civilaviation.aero +club.aero +conference.aero +consultant.aero +consulting.aero +control.aero +council.aero +crew.aero +design.aero +dgca.aero +educator.aero +emergency.aero +engine.aero +engineer.aero +entertainment.aero +equipment.aero +exchange.aero +express.aero +federation.aero +flight.aero +freight.aero +fuel.aero +gliding.aero +government.aero +groundhandling.aero +group.aero +hanggliding.aero +homebuilt.aero +insurance.aero +journal.aero +journalist.aero +leasing.aero +logistics.aero +magazine.aero +maintenance.aero +marketplace.aero +media.aero +microlight.aero +modelling.aero +navigation.aero +parachuting.aero +paragliding.aero +passenger-association.aero +pilot.aero +press.aero +production.aero +recreation.aero +repbody.aero +res.aero +research.aero +rotorcraft.aero +safety.aero +scientist.aero +services.aero +show.aero +skydiving.aero +software.aero +student.aero +taxi.aero +trader.aero +trading.aero 
+trainer.aero +union.aero +workinggroup.aero +works.aero + +// af : http://www.nic.af/help.jsp +af +gov.af +com.af +org.af +net.af +edu.af + +// ag : http://www.nic.ag/prices.htm +ag +com.ag +org.ag +net.ag +co.ag +nom.ag + +// ai : http://nic.com.ai/ +ai +off.ai +com.ai +net.ai +org.ai + +// al : http://www.ert.gov.al/ert_alb/faq_det.html?Id=31 +al +com.al +edu.al +gov.al +mil.al +net.al +org.al + +// am : http://en.wikipedia.org/wiki/.am +am + +// an : http://www.una.an/an_domreg/default.asp +an +com.an +net.an +org.an +edu.an + +// ao : http://en.wikipedia.org/wiki/.ao +// http://www.dns.ao/REGISTR.DOC +ao +ed.ao +gv.ao +og.ao +co.ao +pb.ao +it.ao + +// aq : http://en.wikipedia.org/wiki/.aq +aq + +// ar : https://nic.ar/normativa-vigente.xhtml +ar +com.ar +edu.ar +gob.ar +gov.ar +int.ar +mil.ar +net.ar +org.ar +tur.ar + +// arpa : http://en.wikipedia.org/wiki/.arpa +// Confirmed by registry 2008-06-18 +arpa +e164.arpa +in-addr.arpa +ip6.arpa +iris.arpa +uri.arpa +urn.arpa + +// as : http://en.wikipedia.org/wiki/.as +as +gov.as + +// asia : http://en.wikipedia.org/wiki/.asia +asia + +// at : http://en.wikipedia.org/wiki/.at +// Confirmed by registry 2008-06-17 +at +ac.at +co.at +gv.at +or.at + +// au : http://en.wikipedia.org/wiki/.au +// http://www.auda.org.au/ +au +// 2LDs +com.au +net.au +org.au +edu.au +gov.au +asn.au +id.au +// Historic 2LDs (closed to new registration, but sites still exist) +info.au +conf.au +oz.au +// CGDNs - http://www.cgdn.org.au/ +act.au +nsw.au +nt.au +qld.au +sa.au +tas.au +vic.au +wa.au +// 3LDs +act.edu.au +nsw.edu.au +nt.edu.au +qld.edu.au +sa.edu.au +tas.edu.au +vic.edu.au +wa.edu.au +// act.gov.au Bug 984824 - Removed at request of Greg Tankard +// nsw.gov.au Bug 547985 - Removed at request of +// nt.gov.au Bug 940478 - Removed at request of Greg Connors +qld.gov.au +sa.gov.au +tas.gov.au +vic.gov.au +wa.gov.au + +// aw : http://en.wikipedia.org/wiki/.aw +aw +com.aw + +// ax : http://en.wikipedia.org/wiki/.ax +ax + +// az : 
http://en.wikipedia.org/wiki/.az +az +com.az +net.az +int.az +gov.az +org.az +edu.az +info.az +pp.az +mil.az +name.az +pro.az +biz.az + +// ba : http://en.wikipedia.org/wiki/.ba +ba +org.ba +net.ba +edu.ba +gov.ba +mil.ba +unsa.ba +unbi.ba +co.ba +com.ba +rs.ba + +// bb : http://en.wikipedia.org/wiki/.bb +bb +biz.bb +co.bb +com.bb +edu.bb +gov.bb +info.bb +net.bb +org.bb +store.bb +tv.bb + +// bd : http://en.wikipedia.org/wiki/.bd +*.bd + +// be : http://en.wikipedia.org/wiki/.be +// Confirmed by registry 2008-06-08 +be +ac.be + +// bf : http://en.wikipedia.org/wiki/.bf +bf +gov.bf + +// bg : http://en.wikipedia.org/wiki/.bg +// https://www.register.bg/user/static/rules/en/index.html +bg +a.bg +b.bg +c.bg +d.bg +e.bg +f.bg +g.bg +h.bg +i.bg +j.bg +k.bg +l.bg +m.bg +n.bg +o.bg +p.bg +q.bg +r.bg +s.bg +t.bg +u.bg +v.bg +w.bg +x.bg +y.bg +z.bg +0.bg +1.bg +2.bg +3.bg +4.bg +5.bg +6.bg +7.bg +8.bg +9.bg + +// bh : http://en.wikipedia.org/wiki/.bh +bh +com.bh +edu.bh +net.bh +org.bh +gov.bh + +// bi : http://en.wikipedia.org/wiki/.bi +// http://whois.nic.bi/ +bi +co.bi +com.bi +edu.bi +or.bi +org.bi + +// biz : http://en.wikipedia.org/wiki/.biz +biz + +// bj : http://en.wikipedia.org/wiki/.bj +bj +asso.bj +barreau.bj +gouv.bj + +// bm : http://www.bermudanic.bm/dnr-text.txt +bm +com.bm +edu.bm +gov.bm +net.bm +org.bm + +// bn : http://en.wikipedia.org/wiki/.bn +*.bn + +// bo : http://www.nic.bo/ +bo +com.bo +edu.bo +gov.bo +gob.bo +int.bo +org.bo +net.bo +mil.bo +tv.bo + +// br : http://registro.br/dominio/categoria.html +// Submitted by registry 2014-08-11 +br +adm.br +adv.br +agr.br +am.br +arq.br +art.br +ato.br +b.br +bio.br +blog.br +bmd.br +cim.br +cng.br +cnt.br +com.br +coop.br +ecn.br +eco.br +edu.br +emp.br +eng.br +esp.br +etc.br +eti.br +far.br +flog.br +fm.br +fnd.br +fot.br +fst.br +g12.br +ggf.br +gov.br +imb.br +ind.br +inf.br +jor.br +jus.br +leg.br +lel.br +mat.br +med.br +mil.br +mp.br +mus.br +net.br +*.nom.br +not.br +ntr.br +odo.br +org.br +ppg.br 
+pro.br +psc.br +psi.br +qsl.br +radio.br +rec.br +slg.br +srv.br +taxi.br +teo.br +tmp.br +trd.br +tur.br +tv.br +vet.br +vlog.br +wiki.br +zlg.br + +// bs : http://www.nic.bs/rules.html +bs +com.bs +net.bs +org.bs +edu.bs +gov.bs + +// bt : http://en.wikipedia.org/wiki/.bt +bt +com.bt +edu.bt +gov.bt +net.bt +org.bt + +// bv : No registrations at this time. +// Submitted by registry 2006-06-16 +bv + +// bw : http://en.wikipedia.org/wiki/.bw +// http://www.gobin.info/domainname/bw.doc +// list of other 2nd level tlds ? +bw +co.bw +org.bw + +// by : http://en.wikipedia.org/wiki/.by +// http://tld.by/rules_2006_en.html +// list of other 2nd level tlds ? +by +gov.by +mil.by +// Official information does not indicate that com.by is a reserved +// second-level domain, but it's being used as one (see www.google.com.by and +// www.yahoo.com.by, for example), so we list it here for safety's sake. +com.by + +// http://hoster.by/ +of.by + +// bz : http://en.wikipedia.org/wiki/.bz +// http://www.belizenic.bz/ +bz +com.bz +net.bz +org.bz +edu.bz +gov.bz + +// ca : http://en.wikipedia.org/wiki/.ca +ca +// ca geographical names +ab.ca +bc.ca +mb.ca +nb.ca +nf.ca +nl.ca +ns.ca +nt.ca +nu.ca +on.ca +pe.ca +qc.ca +sk.ca +yk.ca +// gc.ca: http://en.wikipedia.org/wiki/.gc.ca +// see also: http://registry.gc.ca/en/SubdomainFAQ +gc.ca + +// cat : http://en.wikipedia.org/wiki/.cat +cat + +// cc : http://en.wikipedia.org/wiki/.cc +cc + +// cd : http://en.wikipedia.org/wiki/.cd +// see also: https://www.nic.cd/domain/insertDomain_2.jsp?act=1 +cd +gov.cd + +// cf : http://en.wikipedia.org/wiki/.cf +cf + +// cg : http://en.wikipedia.org/wiki/.cg +cg + +// ch : http://en.wikipedia.org/wiki/.ch +ch + +// ci : http://en.wikipedia.org/wiki/.ci +// http://www.nic.ci/index.php?page=charte +ci +org.ci +or.ci +com.ci +co.ci +edu.ci +ed.ci +ac.ci +net.ci +go.ci +asso.ci +aéroport.ci +int.ci +presse.ci +md.ci +gouv.ci + +// ck : http://en.wikipedia.org/wiki/.ck +*.ck +!www.ck + +// cl : 
http://en.wikipedia.org/wiki/.cl +cl +gov.cl +gob.cl +co.cl +mil.cl + +// cm : http://en.wikipedia.org/wiki/.cm plus bug 981927 +cm +co.cm +com.cm +gov.cm +net.cm + +// cn : http://en.wikipedia.org/wiki/.cn +// Submitted by registry 2008-06-11 +cn +ac.cn +com.cn +edu.cn +gov.cn +net.cn +org.cn +mil.cn +公司.cn +网络.cn +網絡.cn +// cn geographic names +ah.cn +bj.cn +cq.cn +fj.cn +gd.cn +gs.cn +gz.cn +gx.cn +ha.cn +hb.cn +he.cn +hi.cn +hl.cn +hn.cn +jl.cn +js.cn +jx.cn +ln.cn +nm.cn +nx.cn +qh.cn +sc.cn +sd.cn +sh.cn +sn.cn +sx.cn +tj.cn +xj.cn +xz.cn +yn.cn +zj.cn +hk.cn +mo.cn +tw.cn + +// co : http://en.wikipedia.org/wiki/.co +// Submitted by registry 2008-06-11 +co +arts.co +com.co +edu.co +firm.co +gov.co +info.co +int.co +mil.co +net.co +nom.co +org.co +rec.co +web.co + +// com : http://en.wikipedia.org/wiki/.com +com + +// coop : http://en.wikipedia.org/wiki/.coop +coop + +// cr : http://www.nic.cr/niccr_publico/showRegistroDominiosScreen.do +cr +ac.cr +co.cr +ed.cr +fi.cr +go.cr +or.cr +sa.cr + +// cu : http://en.wikipedia.org/wiki/.cu +cu +com.cu +edu.cu +org.cu +net.cu +gov.cu +inf.cu + +// cv : http://en.wikipedia.org/wiki/.cv +cv + +// cw : http://www.una.cw/cw_registry/ +// Confirmed by registry 2013-03-26 +cw +com.cw +edu.cw +net.cw +org.cw + +// cx : http://en.wikipedia.org/wiki/.cx +// list of other 2nd level tlds ? 
+cx +gov.cx + +// cy : http://en.wikipedia.org/wiki/.cy +*.cy + +// cz : http://en.wikipedia.org/wiki/.cz +cz + +// de : http://en.wikipedia.org/wiki/.de +// Confirmed by registry (with technical +// reservations) 2008-07-01 +de + +// dj : http://en.wikipedia.org/wiki/.dj +dj + +// dk : http://en.wikipedia.org/wiki/.dk +// Confirmed by registry 2008-06-17 +dk + +// dm : http://en.wikipedia.org/wiki/.dm +dm +com.dm +net.dm +org.dm +edu.dm +gov.dm + +// do : http://en.wikipedia.org/wiki/.do +do +art.do +com.do +edu.do +gob.do +gov.do +mil.do +net.do +org.do +sld.do +web.do + +// dz : http://en.wikipedia.org/wiki/.dz +dz +com.dz +org.dz +net.dz +gov.dz +edu.dz +asso.dz +pol.dz +art.dz + +// ec : http://www.nic.ec/reg/paso1.asp +// Submitted by registry 2008-07-04 +ec +com.ec +info.ec +net.ec +fin.ec +k12.ec +med.ec +pro.ec +org.ec +edu.ec +gov.ec +gob.ec +mil.ec + +// edu : http://en.wikipedia.org/wiki/.edu +edu + +// ee : http://www.eenet.ee/EENet/dom_reeglid.html#lisa_B +ee +edu.ee +gov.ee +riik.ee +lib.ee +med.ee +com.ee +pri.ee +aip.ee +org.ee +fie.ee + +// eg : http://en.wikipedia.org/wiki/.eg +eg +com.eg +edu.eg +eun.eg +gov.eg +mil.eg +name.eg +net.eg +org.eg +sci.eg + +// er : http://en.wikipedia.org/wiki/.er +*.er + +// es : https://www.nic.es/site_ingles/ingles/dominios/index.html +es +com.es +nom.es +org.es +gob.es +edu.es + +// et : http://en.wikipedia.org/wiki/.et +et +com.et +gov.et +org.et +edu.et +biz.et +name.et +info.et + +// eu : http://en.wikipedia.org/wiki/.eu +eu + +// fi : http://en.wikipedia.org/wiki/.fi +fi +// aland.fi : http://en.wikipedia.org/wiki/.ax +// This domain is being phased out in favor of .ax. As there are still many +// domains under aland.fi, we still keep it on the list until aland.fi is +// completely removed. 
+// TODO: Check for updates (expected to be phased out around Q1/2009) +aland.fi + +// fj : http://en.wikipedia.org/wiki/.fj +*.fj + +// fk : http://en.wikipedia.org/wiki/.fk +*.fk + +// fm : http://en.wikipedia.org/wiki/.fm +fm + +// fo : http://en.wikipedia.org/wiki/.fo +fo + +// fr : http://www.afnic.fr/ +// domaines descriptifs : http://www.afnic.fr/obtenir/chartes/nommage-fr/annexe-descriptifs +fr +com.fr +asso.fr +nom.fr +prd.fr +presse.fr +tm.fr +// domaines sectoriels : http://www.afnic.fr/obtenir/chartes/nommage-fr/annexe-sectoriels +aeroport.fr +assedic.fr +avocat.fr +avoues.fr +cci.fr +chambagri.fr +chirurgiens-dentistes.fr +experts-comptables.fr +geometre-expert.fr +gouv.fr +greta.fr +huissier-justice.fr +medecin.fr +notaires.fr +pharmacien.fr +port.fr +veterinaire.fr + +// ga : http://en.wikipedia.org/wiki/.ga +ga + +// gb : This registry is effectively dormant +// Submitted by registry 2008-06-12 +gb + +// gd : http://en.wikipedia.org/wiki/.gd +gd + +// ge : http://www.nic.net.ge/policy_en.pdf +ge +com.ge +edu.ge +gov.ge +org.ge +mil.ge +net.ge +pvt.ge + +// gf : http://en.wikipedia.org/wiki/.gf +gf + +// gg : http://www.channelisles.net/register-domains/ +// Confirmed by registry 2013-11-28 +gg +co.gg +net.gg +org.gg + +// gh : http://en.wikipedia.org/wiki/.gh +// see also: http://www.nic.gh/reg_now.php +// Although domains directly at second level are not possible at the moment, +// they have been possible for some time and may come back. 
+gh +com.gh +edu.gh +gov.gh +org.gh +mil.gh + +// gi : http://www.nic.gi/rules.html +gi +com.gi +ltd.gi +gov.gi +mod.gi +edu.gi +org.gi + +// gl : http://en.wikipedia.org/wiki/.gl +// http://nic.gl +gl + +// gm : http://www.nic.gm/htmlpages%5Cgm-policy.htm +gm + +// gn : http://psg.com/dns/gn/gn.txt +// Submitted by registry 2008-06-17 +gn +ac.gn +com.gn +edu.gn +gov.gn +org.gn +net.gn + +// gov : http://en.wikipedia.org/wiki/.gov +gov + +// gp : http://www.nic.gp/index.php?lang=en +gp +com.gp +net.gp +mobi.gp +edu.gp +org.gp +asso.gp + +// gq : http://en.wikipedia.org/wiki/.gq +gq + +// gr : https://grweb.ics.forth.gr/english/1617-B-2005.html +// Submitted by registry 2008-06-09 +gr +com.gr +edu.gr +net.gr +org.gr +gov.gr + +// gs : http://en.wikipedia.org/wiki/.gs +gs + +// gt : http://www.gt/politicas_de_registro.html +gt +com.gt +edu.gt +gob.gt +ind.gt +mil.gt +net.gt +org.gt + +// gu : http://gadao.gov.gu/registration.txt +*.gu + +// gw : http://en.wikipedia.org/wiki/.gw +gw + +// gy : http://en.wikipedia.org/wiki/.gy +// http://registry.gy/ +gy +co.gy +com.gy +net.gy + +// hk : https://www.hkdnr.hk +// Submitted by registry 2008-06-11 +hk +com.hk +edu.hk +gov.hk +idv.hk +net.hk +org.hk +公司.hk +教育.hk +敎育.hk +政府.hk +個人.hk +个人.hk +箇人.hk +網络.hk +网络.hk +组織.hk +網絡.hk +网絡.hk +组织.hk +組織.hk +組织.hk + +// hm : http://en.wikipedia.org/wiki/.hm +hm + +// hn : http://www.nic.hn/politicas/ps02,,05.html +hn +com.hn +edu.hn +org.hn +net.hn +mil.hn +gob.hn + +// hr : http://www.dns.hr/documents/pdf/HRTLD-regulations.pdf +hr +iz.hr +from.hr +name.hr +com.hr + +// ht : http://www.nic.ht/info/charte.cfm +ht +com.ht +shop.ht +firm.ht +info.ht +adult.ht +net.ht +pro.ht +org.ht +med.ht +art.ht +coop.ht +pol.ht +asso.ht +edu.ht +rel.ht +gouv.ht +perso.ht + +// hu : http://www.domain.hu/domain/English/sld.html +// Confirmed by registry 2008-06-12 +hu +co.hu +info.hu +org.hu +priv.hu +sport.hu +tm.hu +2000.hu +agrar.hu +bolt.hu +casino.hu +city.hu +erotica.hu +erotika.hu +film.hu 
+forum.hu +games.hu +hotel.hu +ingatlan.hu +jogasz.hu +konyvelo.hu +lakas.hu +media.hu +news.hu +reklam.hu +sex.hu +shop.hu +suli.hu +szex.hu +tozsde.hu +utazas.hu +video.hu + +// id : https://register.pandi.or.id/ +id +ac.id +biz.id +co.id +desa.id +go.id +mil.id +my.id +net.id +or.id +sch.id +web.id + +// ie : http://en.wikipedia.org/wiki/.ie +ie +gov.ie + +// il : http://en.wikipedia.org/wiki/.il +*.il + +// im : https://www.nic.im/ +// Submitted by registry 2013-11-15 +im +ac.im +co.im +com.im +ltd.co.im +net.im +org.im +plc.co.im +tt.im +tv.im + +// in : http://en.wikipedia.org/wiki/.in +// see also: https://registry.in/Policies +// Please note, that nic.in is not an offical eTLD, but used by most +// government institutions. +in +co.in +firm.in +net.in +org.in +gen.in +ind.in +nic.in +ac.in +edu.in +res.in +gov.in +mil.in + +// info : http://en.wikipedia.org/wiki/.info +info + +// int : http://en.wikipedia.org/wiki/.int +// Confirmed by registry 2008-06-18 +int +eu.int + +// io : http://www.nic.io/rules.html +// list of other 2nd level tlds ? 
+io +com.io + +// iq : http://www.cmc.iq/english/iq/iqregister1.htm +iq +gov.iq +edu.iq +mil.iq +com.iq +org.iq +net.iq + +// ir : http://www.nic.ir/Terms_and_Conditions_ir,_Appendix_1_Domain_Rules +// Also see http://www.nic.ir/Internationalized_Domain_Names +// Two .ir entries added at request of , 2010-04-16 +ir +ac.ir +co.ir +gov.ir +id.ir +net.ir +org.ir +sch.ir +// xn--mgba3a4f16a.ir (.ir, Persian YEH) +ایران.ir +// xn--mgba3a4fra.ir (.ir, Arabic YEH) +ايران.ir + +// is : http://www.isnic.is/domain/rules.php +// Confirmed by registry 2008-12-06 +is +net.is +com.is +edu.is +gov.is +org.is +int.is + +// it : http://en.wikipedia.org/wiki/.it +it +gov.it +edu.it +// Reserved geo-names: +// http://www.nic.it/documenti/regolamenti-e-linee-guida/regolamento-assegnazione-versione-6.0.pdf +// There is also a list of reserved geo-names corresponding to Italian municipalities +// http://www.nic.it/documenti/appendice-c.pdf, but it is not included here. +// Regions +abr.it +abruzzo.it +aosta-valley.it +aostavalley.it +bas.it +basilicata.it +cal.it +calabria.it +cam.it +campania.it +emilia-romagna.it +emiliaromagna.it +emr.it +friuli-v-giulia.it +friuli-ve-giulia.it +friuli-vegiulia.it +friuli-venezia-giulia.it +friuli-veneziagiulia.it +friuli-vgiulia.it +friuliv-giulia.it +friulive-giulia.it +friulivegiulia.it +friulivenezia-giulia.it +friuliveneziagiulia.it +friulivgiulia.it +fvg.it +laz.it +lazio.it +lig.it +liguria.it +lom.it +lombardia.it +lombardy.it +lucania.it +mar.it +marche.it +mol.it +molise.it +piedmont.it +piemonte.it +pmn.it +pug.it +puglia.it +sar.it +sardegna.it +sardinia.it +sic.it +sicilia.it +sicily.it +taa.it +tos.it +toscana.it +trentino-a-adige.it +trentino-aadige.it +trentino-alto-adige.it +trentino-altoadige.it +trentino-s-tirol.it +trentino-stirol.it +trentino-sud-tirol.it +trentino-sudtirol.it +trentino-sued-tirol.it +trentino-suedtirol.it +trentinoa-adige.it +trentinoaadige.it +trentinoalto-adige.it +trentinoaltoadige.it +trentinos-tirol.it 
+trentinostirol.it +trentinosud-tirol.it +trentinosudtirol.it +trentinosued-tirol.it +trentinosuedtirol.it +tuscany.it +umb.it +umbria.it +val-d-aosta.it +val-daosta.it +vald-aosta.it +valdaosta.it +valle-aosta.it +valle-d-aosta.it +valle-daosta.it +valleaosta.it +valled-aosta.it +valledaosta.it +vallee-aoste.it +valleeaoste.it +vao.it +vda.it +ven.it +veneto.it +// Provinces +ag.it +agrigento.it +al.it +alessandria.it +alto-adige.it +altoadige.it +an.it +ancona.it +andria-barletta-trani.it +andria-trani-barletta.it +andriabarlettatrani.it +andriatranibarletta.it +ao.it +aosta.it +aoste.it +ap.it +aq.it +aquila.it +ar.it +arezzo.it +ascoli-piceno.it +ascolipiceno.it +asti.it +at.it +av.it +avellino.it +ba.it +balsan.it +bari.it +barletta-trani-andria.it +barlettatraniandria.it +belluno.it +benevento.it +bergamo.it +bg.it +bi.it +biella.it +bl.it +bn.it +bo.it +bologna.it +bolzano.it +bozen.it +br.it +brescia.it +brindisi.it +bs.it +bt.it +bz.it +ca.it +cagliari.it +caltanissetta.it +campidano-medio.it +campidanomedio.it +campobasso.it +carbonia-iglesias.it +carboniaiglesias.it +carrara-massa.it +carraramassa.it +caserta.it +catania.it +catanzaro.it +cb.it +ce.it +cesena-forli.it +cesenaforli.it +ch.it +chieti.it +ci.it +cl.it +cn.it +co.it +como.it +cosenza.it +cr.it +cremona.it +crotone.it +cs.it +ct.it +cuneo.it +cz.it +dell-ogliastra.it +dellogliastra.it +en.it +enna.it +fc.it +fe.it +fermo.it +ferrara.it +fg.it +fi.it +firenze.it +florence.it +fm.it +foggia.it +forli-cesena.it +forlicesena.it +fr.it +frosinone.it +ge.it +genoa.it +genova.it +go.it +gorizia.it +gr.it +grosseto.it +iglesias-carbonia.it +iglesiascarbonia.it +im.it +imperia.it +is.it +isernia.it +kr.it +la-spezia.it +laquila.it +laspezia.it +latina.it +lc.it +le.it +lecce.it +lecco.it +li.it +livorno.it +lo.it +lodi.it +lt.it +lu.it +lucca.it +macerata.it +mantova.it +massa-carrara.it +massacarrara.it +matera.it +mb.it +mc.it +me.it +medio-campidano.it +mediocampidano.it +messina.it +mi.it 
+milan.it +milano.it +mn.it +mo.it +modena.it +monza-brianza.it +monza-e-della-brianza.it +monza.it +monzabrianza.it +monzaebrianza.it +monzaedellabrianza.it +ms.it +mt.it +na.it +naples.it +napoli.it +no.it +novara.it +nu.it +nuoro.it +og.it +ogliastra.it +olbia-tempio.it +olbiatempio.it +or.it +oristano.it +ot.it +pa.it +padova.it +padua.it +palermo.it +parma.it +pavia.it +pc.it +pd.it +pe.it +perugia.it +pesaro-urbino.it +pesarourbino.it +pescara.it +pg.it +pi.it +piacenza.it +pisa.it +pistoia.it +pn.it +po.it +pordenone.it +potenza.it +pr.it +prato.it +pt.it +pu.it +pv.it +pz.it +ra.it +ragusa.it +ravenna.it +rc.it +re.it +reggio-calabria.it +reggio-emilia.it +reggiocalabria.it +reggioemilia.it +rg.it +ri.it +rieti.it +rimini.it +rm.it +rn.it +ro.it +roma.it +rome.it +rovigo.it +sa.it +salerno.it +sassari.it +savona.it +si.it +siena.it +siracusa.it +so.it +sondrio.it +sp.it +sr.it +ss.it +suedtirol.it +sv.it +ta.it +taranto.it +te.it +tempio-olbia.it +tempioolbia.it +teramo.it +terni.it +tn.it +to.it +torino.it +tp.it +tr.it +trani-andria-barletta.it +trani-barletta-andria.it +traniandriabarletta.it +tranibarlettaandria.it +trapani.it +trentino.it +trento.it +treviso.it +trieste.it +ts.it +turin.it +tv.it +ud.it +udine.it +urbino-pesaro.it +urbinopesaro.it +va.it +varese.it +vb.it +vc.it +ve.it +venezia.it +venice.it +verbania.it +vercelli.it +verona.it +vi.it +vibo-valentia.it +vibovalentia.it +vicenza.it +viterbo.it +vr.it +vs.it +vt.it +vv.it + +// je : http://www.channelisles.net/register-domains/ +// Confirmed by registry 2013-11-28 +je +co.je +net.je +org.je + +// jm : http://www.com.jm/register.html +*.jm + +// jo : http://www.dns.jo/Registration_policy.aspx +jo +com.jo +org.jo +net.jo +edu.jo +sch.jo +gov.jo +mil.jo +name.jo + +// jobs : http://en.wikipedia.org/wiki/.jobs +jobs + +// jp : http://en.wikipedia.org/wiki/.jp +// http://jprs.co.jp/en/jpdomain.html +// Submitted by registry 2014-10-30 +jp +// jp organizational type names +ac.jp +ad.jp +co.jp 
+ed.jp +go.jp +gr.jp +lg.jp +ne.jp +or.jp +// jp prefecture type names +aichi.jp +akita.jp +aomori.jp +chiba.jp +ehime.jp +fukui.jp +fukuoka.jp +fukushima.jp +gifu.jp +gunma.jp +hiroshima.jp +hokkaido.jp +hyogo.jp +ibaraki.jp +ishikawa.jp +iwate.jp +kagawa.jp +kagoshima.jp +kanagawa.jp +kochi.jp +kumamoto.jp +kyoto.jp +mie.jp +miyagi.jp +miyazaki.jp +nagano.jp +nagasaki.jp +nara.jp +niigata.jp +oita.jp +okayama.jp +okinawa.jp +osaka.jp +saga.jp +saitama.jp +shiga.jp +shimane.jp +shizuoka.jp +tochigi.jp +tokushima.jp +tokyo.jp +tottori.jp +toyama.jp +wakayama.jp +yamagata.jp +yamaguchi.jp +yamanashi.jp +栃木.jp +愛知.jp +愛媛.jp +兵庫.jp +熊本.jp +茨城.jp +北海道.jp +千葉.jp +和歌山.jp +長崎.jp +長野.jp +新潟.jp +青森.jp +静岡.jp +東京.jp +石川.jp +埼玉.jp +三重.jp +京都.jp +佐賀.jp +大分.jp +大阪.jp +奈良.jp +宮城.jp +宮崎.jp +富山.jp +山口.jp +山形.jp +山梨.jp +岩手.jp +岐阜.jp +岡山.jp +島根.jp +広島.jp +徳島.jp +沖縄.jp +滋賀.jp +神奈川.jp +福井.jp +福岡.jp +福島.jp +秋田.jp +群馬.jp +香川.jp +高知.jp +鳥取.jp +鹿児島.jp +// jp geographic type names +// http://jprs.jp/doc/rule/saisoku-1.html +*.kawasaki.jp +*.kitakyushu.jp +*.kobe.jp +*.nagoya.jp +*.sapporo.jp +*.sendai.jp +*.yokohama.jp +!city.kawasaki.jp +!city.kitakyushu.jp +!city.kobe.jp +!city.nagoya.jp +!city.sapporo.jp +!city.sendai.jp +!city.yokohama.jp +// 4th level registration +aisai.aichi.jp +ama.aichi.jp +anjo.aichi.jp +asuke.aichi.jp +chiryu.aichi.jp +chita.aichi.jp +fuso.aichi.jp +gamagori.aichi.jp +handa.aichi.jp +hazu.aichi.jp +hekinan.aichi.jp +higashiura.aichi.jp +ichinomiya.aichi.jp +inazawa.aichi.jp +inuyama.aichi.jp +isshiki.aichi.jp +iwakura.aichi.jp +kanie.aichi.jp +kariya.aichi.jp +kasugai.aichi.jp +kira.aichi.jp +kiyosu.aichi.jp +komaki.aichi.jp +konan.aichi.jp +kota.aichi.jp +mihama.aichi.jp +miyoshi.aichi.jp +nishio.aichi.jp +nisshin.aichi.jp +obu.aichi.jp +oguchi.aichi.jp +oharu.aichi.jp +okazaki.aichi.jp +owariasahi.aichi.jp +seto.aichi.jp +shikatsu.aichi.jp +shinshiro.aichi.jp +shitara.aichi.jp +tahara.aichi.jp +takahama.aichi.jp +tobishima.aichi.jp +toei.aichi.jp 
+togo.aichi.jp +tokai.aichi.jp +tokoname.aichi.jp +toyoake.aichi.jp +toyohashi.aichi.jp +toyokawa.aichi.jp +toyone.aichi.jp +toyota.aichi.jp +tsushima.aichi.jp +yatomi.aichi.jp +akita.akita.jp +daisen.akita.jp +fujisato.akita.jp +gojome.akita.jp +hachirogata.akita.jp +happou.akita.jp +higashinaruse.akita.jp +honjo.akita.jp +honjyo.akita.jp +ikawa.akita.jp +kamikoani.akita.jp +kamioka.akita.jp +katagami.akita.jp +kazuno.akita.jp +kitaakita.akita.jp +kosaka.akita.jp +kyowa.akita.jp +misato.akita.jp +mitane.akita.jp +moriyoshi.akita.jp +nikaho.akita.jp +noshiro.akita.jp +odate.akita.jp +oga.akita.jp +ogata.akita.jp +semboku.akita.jp +yokote.akita.jp +yurihonjo.akita.jp +aomori.aomori.jp +gonohe.aomori.jp +hachinohe.aomori.jp +hashikami.aomori.jp +hiranai.aomori.jp +hirosaki.aomori.jp +itayanagi.aomori.jp +kuroishi.aomori.jp +misawa.aomori.jp +mutsu.aomori.jp +nakadomari.aomori.jp +noheji.aomori.jp +oirase.aomori.jp +owani.aomori.jp +rokunohe.aomori.jp +sannohe.aomori.jp +shichinohe.aomori.jp +shingo.aomori.jp +takko.aomori.jp +towada.aomori.jp +tsugaru.aomori.jp +tsuruta.aomori.jp +abiko.chiba.jp +asahi.chiba.jp +chonan.chiba.jp +chosei.chiba.jp +choshi.chiba.jp +chuo.chiba.jp +funabashi.chiba.jp +futtsu.chiba.jp +hanamigawa.chiba.jp +ichihara.chiba.jp +ichikawa.chiba.jp +ichinomiya.chiba.jp +inzai.chiba.jp +isumi.chiba.jp +kamagaya.chiba.jp +kamogawa.chiba.jp +kashiwa.chiba.jp +katori.chiba.jp +katsuura.chiba.jp +kimitsu.chiba.jp +kisarazu.chiba.jp +kozaki.chiba.jp +kujukuri.chiba.jp +kyonan.chiba.jp +matsudo.chiba.jp +midori.chiba.jp +mihama.chiba.jp +minamiboso.chiba.jp +mobara.chiba.jp +mutsuzawa.chiba.jp +nagara.chiba.jp +nagareyama.chiba.jp +narashino.chiba.jp +narita.chiba.jp +noda.chiba.jp +oamishirasato.chiba.jp +omigawa.chiba.jp +onjuku.chiba.jp +otaki.chiba.jp +sakae.chiba.jp +sakura.chiba.jp +shimofusa.chiba.jp +shirako.chiba.jp +shiroi.chiba.jp +shisui.chiba.jp +sodegaura.chiba.jp +sosa.chiba.jp +tako.chiba.jp +tateyama.chiba.jp +togane.chiba.jp 
+tohnosho.chiba.jp +tomisato.chiba.jp +urayasu.chiba.jp +yachimata.chiba.jp +yachiyo.chiba.jp +yokaichiba.chiba.jp +yokoshibahikari.chiba.jp +yotsukaido.chiba.jp +ainan.ehime.jp +honai.ehime.jp +ikata.ehime.jp +imabari.ehime.jp +iyo.ehime.jp +kamijima.ehime.jp +kihoku.ehime.jp +kumakogen.ehime.jp +masaki.ehime.jp +matsuno.ehime.jp +matsuyama.ehime.jp +namikata.ehime.jp +niihama.ehime.jp +ozu.ehime.jp +saijo.ehime.jp +seiyo.ehime.jp +shikokuchuo.ehime.jp +tobe.ehime.jp +toon.ehime.jp +uchiko.ehime.jp +uwajima.ehime.jp +yawatahama.ehime.jp +echizen.fukui.jp +eiheiji.fukui.jp +fukui.fukui.jp +ikeda.fukui.jp +katsuyama.fukui.jp +mihama.fukui.jp +minamiechizen.fukui.jp +obama.fukui.jp +ohi.fukui.jp +ono.fukui.jp +sabae.fukui.jp +sakai.fukui.jp +takahama.fukui.jp +tsuruga.fukui.jp +wakasa.fukui.jp +ashiya.fukuoka.jp +buzen.fukuoka.jp +chikugo.fukuoka.jp +chikuho.fukuoka.jp +chikujo.fukuoka.jp +chikushino.fukuoka.jp +chikuzen.fukuoka.jp +chuo.fukuoka.jp +dazaifu.fukuoka.jp +fukuchi.fukuoka.jp +hakata.fukuoka.jp +higashi.fukuoka.jp +hirokawa.fukuoka.jp +hisayama.fukuoka.jp +iizuka.fukuoka.jp +inatsuki.fukuoka.jp +kaho.fukuoka.jp +kasuga.fukuoka.jp +kasuya.fukuoka.jp +kawara.fukuoka.jp +keisen.fukuoka.jp +koga.fukuoka.jp +kurate.fukuoka.jp +kurogi.fukuoka.jp +kurume.fukuoka.jp +minami.fukuoka.jp +miyako.fukuoka.jp +miyama.fukuoka.jp +miyawaka.fukuoka.jp +mizumaki.fukuoka.jp +munakata.fukuoka.jp +nakagawa.fukuoka.jp +nakama.fukuoka.jp +nishi.fukuoka.jp +nogata.fukuoka.jp +ogori.fukuoka.jp +okagaki.fukuoka.jp +okawa.fukuoka.jp +oki.fukuoka.jp +omuta.fukuoka.jp +onga.fukuoka.jp +onojo.fukuoka.jp +oto.fukuoka.jp +saigawa.fukuoka.jp +sasaguri.fukuoka.jp +shingu.fukuoka.jp +shinyoshitomi.fukuoka.jp +shonai.fukuoka.jp +soeda.fukuoka.jp +sue.fukuoka.jp +tachiarai.fukuoka.jp +tagawa.fukuoka.jp +takata.fukuoka.jp +toho.fukuoka.jp +toyotsu.fukuoka.jp +tsuiki.fukuoka.jp +ukiha.fukuoka.jp +umi.fukuoka.jp +usui.fukuoka.jp +yamada.fukuoka.jp +yame.fukuoka.jp +yanagawa.fukuoka.jp 
+yukuhashi.fukuoka.jp +aizubange.fukushima.jp +aizumisato.fukushima.jp +aizuwakamatsu.fukushima.jp +asakawa.fukushima.jp +bandai.fukushima.jp +date.fukushima.jp +fukushima.fukushima.jp +furudono.fukushima.jp +futaba.fukushima.jp +hanawa.fukushima.jp +higashi.fukushima.jp +hirata.fukushima.jp +hirono.fukushima.jp +iitate.fukushima.jp +inawashiro.fukushima.jp +ishikawa.fukushima.jp +iwaki.fukushima.jp +izumizaki.fukushima.jp +kagamiishi.fukushima.jp +kaneyama.fukushima.jp +kawamata.fukushima.jp +kitakata.fukushima.jp +kitashiobara.fukushima.jp +koori.fukushima.jp +koriyama.fukushima.jp +kunimi.fukushima.jp +miharu.fukushima.jp +mishima.fukushima.jp +namie.fukushima.jp +nango.fukushima.jp +nishiaizu.fukushima.jp +nishigo.fukushima.jp +okuma.fukushima.jp +omotego.fukushima.jp +ono.fukushima.jp +otama.fukushima.jp +samegawa.fukushima.jp +shimogo.fukushima.jp +shirakawa.fukushima.jp +showa.fukushima.jp +soma.fukushima.jp +sukagawa.fukushima.jp +taishin.fukushima.jp +tamakawa.fukushima.jp +tanagura.fukushima.jp +tenei.fukushima.jp +yabuki.fukushima.jp +yamato.fukushima.jp +yamatsuri.fukushima.jp +yanaizu.fukushima.jp +yugawa.fukushima.jp +anpachi.gifu.jp +ena.gifu.jp +gifu.gifu.jp +ginan.gifu.jp +godo.gifu.jp +gujo.gifu.jp +hashima.gifu.jp +hichiso.gifu.jp +hida.gifu.jp +higashishirakawa.gifu.jp +ibigawa.gifu.jp +ikeda.gifu.jp +kakamigahara.gifu.jp +kani.gifu.jp +kasahara.gifu.jp +kasamatsu.gifu.jp +kawaue.gifu.jp +kitagata.gifu.jp +mino.gifu.jp +minokamo.gifu.jp +mitake.gifu.jp +mizunami.gifu.jp +motosu.gifu.jp +nakatsugawa.gifu.jp +ogaki.gifu.jp +sakahogi.gifu.jp +seki.gifu.jp +sekigahara.gifu.jp +shirakawa.gifu.jp +tajimi.gifu.jp +takayama.gifu.jp +tarui.gifu.jp +toki.gifu.jp +tomika.gifu.jp +wanouchi.gifu.jp +yamagata.gifu.jp +yaotsu.gifu.jp +yoro.gifu.jp +annaka.gunma.jp +chiyoda.gunma.jp +fujioka.gunma.jp +higashiagatsuma.gunma.jp +isesaki.gunma.jp +itakura.gunma.jp +kanna.gunma.jp +kanra.gunma.jp +katashina.gunma.jp +kawaba.gunma.jp +kiryu.gunma.jp 
+kusatsu.gunma.jp +maebashi.gunma.jp +meiwa.gunma.jp +midori.gunma.jp +minakami.gunma.jp +naganohara.gunma.jp +nakanojo.gunma.jp +nanmoku.gunma.jp +numata.gunma.jp +oizumi.gunma.jp +ora.gunma.jp +ota.gunma.jp +shibukawa.gunma.jp +shimonita.gunma.jp +shinto.gunma.jp +showa.gunma.jp +takasaki.gunma.jp +takayama.gunma.jp +tamamura.gunma.jp +tatebayashi.gunma.jp +tomioka.gunma.jp +tsukiyono.gunma.jp +tsumagoi.gunma.jp +ueno.gunma.jp +yoshioka.gunma.jp +asaminami.hiroshima.jp +daiwa.hiroshima.jp +etajima.hiroshima.jp +fuchu.hiroshima.jp +fukuyama.hiroshima.jp +hatsukaichi.hiroshima.jp +higashihiroshima.hiroshima.jp +hongo.hiroshima.jp +jinsekikogen.hiroshima.jp +kaita.hiroshima.jp +kui.hiroshima.jp +kumano.hiroshima.jp +kure.hiroshima.jp +mihara.hiroshima.jp +miyoshi.hiroshima.jp +naka.hiroshima.jp +onomichi.hiroshima.jp +osakikamijima.hiroshima.jp +otake.hiroshima.jp +saka.hiroshima.jp +sera.hiroshima.jp +seranishi.hiroshima.jp +shinichi.hiroshima.jp +shobara.hiroshima.jp +takehara.hiroshima.jp +abashiri.hokkaido.jp +abira.hokkaido.jp +aibetsu.hokkaido.jp +akabira.hokkaido.jp +akkeshi.hokkaido.jp +asahikawa.hokkaido.jp +ashibetsu.hokkaido.jp +ashoro.hokkaido.jp +assabu.hokkaido.jp +atsuma.hokkaido.jp +bibai.hokkaido.jp +biei.hokkaido.jp +bifuka.hokkaido.jp +bihoro.hokkaido.jp +biratori.hokkaido.jp +chippubetsu.hokkaido.jp +chitose.hokkaido.jp +date.hokkaido.jp +ebetsu.hokkaido.jp +embetsu.hokkaido.jp +eniwa.hokkaido.jp +erimo.hokkaido.jp +esan.hokkaido.jp +esashi.hokkaido.jp +fukagawa.hokkaido.jp +fukushima.hokkaido.jp +furano.hokkaido.jp +furubira.hokkaido.jp +haboro.hokkaido.jp +hakodate.hokkaido.jp +hamatonbetsu.hokkaido.jp +hidaka.hokkaido.jp +higashikagura.hokkaido.jp +higashikawa.hokkaido.jp +hiroo.hokkaido.jp +hokuryu.hokkaido.jp +hokuto.hokkaido.jp +honbetsu.hokkaido.jp +horokanai.hokkaido.jp +horonobe.hokkaido.jp +ikeda.hokkaido.jp +imakane.hokkaido.jp +ishikari.hokkaido.jp +iwamizawa.hokkaido.jp +iwanai.hokkaido.jp +kamifurano.hokkaido.jp 
+kamikawa.hokkaido.jp +kamishihoro.hokkaido.jp +kamisunagawa.hokkaido.jp +kamoenai.hokkaido.jp +kayabe.hokkaido.jp +kembuchi.hokkaido.jp +kikonai.hokkaido.jp +kimobetsu.hokkaido.jp +kitahiroshima.hokkaido.jp +kitami.hokkaido.jp +kiyosato.hokkaido.jp +koshimizu.hokkaido.jp +kunneppu.hokkaido.jp +kuriyama.hokkaido.jp +kuromatsunai.hokkaido.jp +kushiro.hokkaido.jp +kutchan.hokkaido.jp +kyowa.hokkaido.jp +mashike.hokkaido.jp +matsumae.hokkaido.jp +mikasa.hokkaido.jp +minamifurano.hokkaido.jp +mombetsu.hokkaido.jp +moseushi.hokkaido.jp +mukawa.hokkaido.jp +muroran.hokkaido.jp +naie.hokkaido.jp +nakagawa.hokkaido.jp +nakasatsunai.hokkaido.jp +nakatombetsu.hokkaido.jp +nanae.hokkaido.jp +nanporo.hokkaido.jp +nayoro.hokkaido.jp +nemuro.hokkaido.jp +niikappu.hokkaido.jp +niki.hokkaido.jp +nishiokoppe.hokkaido.jp +noboribetsu.hokkaido.jp +numata.hokkaido.jp +obihiro.hokkaido.jp +obira.hokkaido.jp +oketo.hokkaido.jp +okoppe.hokkaido.jp +otaru.hokkaido.jp +otobe.hokkaido.jp +otofuke.hokkaido.jp +otoineppu.hokkaido.jp +oumu.hokkaido.jp +ozora.hokkaido.jp +pippu.hokkaido.jp +rankoshi.hokkaido.jp +rebun.hokkaido.jp +rikubetsu.hokkaido.jp +rishiri.hokkaido.jp +rishirifuji.hokkaido.jp +saroma.hokkaido.jp +sarufutsu.hokkaido.jp +shakotan.hokkaido.jp +shari.hokkaido.jp +shibecha.hokkaido.jp +shibetsu.hokkaido.jp +shikabe.hokkaido.jp +shikaoi.hokkaido.jp +shimamaki.hokkaido.jp +shimizu.hokkaido.jp +shimokawa.hokkaido.jp +shinshinotsu.hokkaido.jp +shintoku.hokkaido.jp +shiranuka.hokkaido.jp +shiraoi.hokkaido.jp +shiriuchi.hokkaido.jp +sobetsu.hokkaido.jp +sunagawa.hokkaido.jp +taiki.hokkaido.jp +takasu.hokkaido.jp +takikawa.hokkaido.jp +takinoue.hokkaido.jp +teshikaga.hokkaido.jp +tobetsu.hokkaido.jp +tohma.hokkaido.jp +tomakomai.hokkaido.jp +tomari.hokkaido.jp +toya.hokkaido.jp +toyako.hokkaido.jp +toyotomi.hokkaido.jp +toyoura.hokkaido.jp +tsubetsu.hokkaido.jp +tsukigata.hokkaido.jp +urakawa.hokkaido.jp +urausu.hokkaido.jp +uryu.hokkaido.jp +utashinai.hokkaido.jp 
+wakkanai.hokkaido.jp +wassamu.hokkaido.jp +yakumo.hokkaido.jp +yoichi.hokkaido.jp +aioi.hyogo.jp +akashi.hyogo.jp +ako.hyogo.jp +amagasaki.hyogo.jp +aogaki.hyogo.jp +asago.hyogo.jp +ashiya.hyogo.jp +awaji.hyogo.jp +fukusaki.hyogo.jp +goshiki.hyogo.jp +harima.hyogo.jp +himeji.hyogo.jp +ichikawa.hyogo.jp +inagawa.hyogo.jp +itami.hyogo.jp +kakogawa.hyogo.jp +kamigori.hyogo.jp +kamikawa.hyogo.jp +kasai.hyogo.jp +kasuga.hyogo.jp +kawanishi.hyogo.jp +miki.hyogo.jp +minamiawaji.hyogo.jp +nishinomiya.hyogo.jp +nishiwaki.hyogo.jp +ono.hyogo.jp +sanda.hyogo.jp +sannan.hyogo.jp +sasayama.hyogo.jp +sayo.hyogo.jp +shingu.hyogo.jp +shinonsen.hyogo.jp +shiso.hyogo.jp +sumoto.hyogo.jp +taishi.hyogo.jp +taka.hyogo.jp +takarazuka.hyogo.jp +takasago.hyogo.jp +takino.hyogo.jp +tamba.hyogo.jp +tatsuno.hyogo.jp +toyooka.hyogo.jp +yabu.hyogo.jp +yashiro.hyogo.jp +yoka.hyogo.jp +yokawa.hyogo.jp +ami.ibaraki.jp +asahi.ibaraki.jp +bando.ibaraki.jp +chikusei.ibaraki.jp +daigo.ibaraki.jp +fujishiro.ibaraki.jp +hitachi.ibaraki.jp +hitachinaka.ibaraki.jp +hitachiomiya.ibaraki.jp +hitachiota.ibaraki.jp +ibaraki.ibaraki.jp +ina.ibaraki.jp +inashiki.ibaraki.jp +itako.ibaraki.jp +iwama.ibaraki.jp +joso.ibaraki.jp +kamisu.ibaraki.jp +kasama.ibaraki.jp +kashima.ibaraki.jp +kasumigaura.ibaraki.jp +koga.ibaraki.jp +miho.ibaraki.jp +mito.ibaraki.jp +moriya.ibaraki.jp +naka.ibaraki.jp +namegata.ibaraki.jp +oarai.ibaraki.jp +ogawa.ibaraki.jp +omitama.ibaraki.jp +ryugasaki.ibaraki.jp +sakai.ibaraki.jp +sakuragawa.ibaraki.jp +shimodate.ibaraki.jp +shimotsuma.ibaraki.jp +shirosato.ibaraki.jp +sowa.ibaraki.jp +suifu.ibaraki.jp +takahagi.ibaraki.jp +tamatsukuri.ibaraki.jp +tokai.ibaraki.jp +tomobe.ibaraki.jp +tone.ibaraki.jp +toride.ibaraki.jp +tsuchiura.ibaraki.jp +tsukuba.ibaraki.jp +uchihara.ibaraki.jp +ushiku.ibaraki.jp +yachiyo.ibaraki.jp +yamagata.ibaraki.jp +yawara.ibaraki.jp +yuki.ibaraki.jp +anamizu.ishikawa.jp +hakui.ishikawa.jp +hakusan.ishikawa.jp +kaga.ishikawa.jp +kahoku.ishikawa.jp 
+kanazawa.ishikawa.jp +kawakita.ishikawa.jp +komatsu.ishikawa.jp +nakanoto.ishikawa.jp +nanao.ishikawa.jp +nomi.ishikawa.jp +nonoichi.ishikawa.jp +noto.ishikawa.jp +shika.ishikawa.jp +suzu.ishikawa.jp +tsubata.ishikawa.jp +tsurugi.ishikawa.jp +uchinada.ishikawa.jp +wajima.ishikawa.jp +fudai.iwate.jp +fujisawa.iwate.jp +hanamaki.iwate.jp +hiraizumi.iwate.jp +hirono.iwate.jp +ichinohe.iwate.jp +ichinoseki.iwate.jp +iwaizumi.iwate.jp +iwate.iwate.jp +joboji.iwate.jp +kamaishi.iwate.jp +kanegasaki.iwate.jp +karumai.iwate.jp +kawai.iwate.jp +kitakami.iwate.jp +kuji.iwate.jp +kunohe.iwate.jp +kuzumaki.iwate.jp +miyako.iwate.jp +mizusawa.iwate.jp +morioka.iwate.jp +ninohe.iwate.jp +noda.iwate.jp +ofunato.iwate.jp +oshu.iwate.jp +otsuchi.iwate.jp +rikuzentakata.iwate.jp +shiwa.iwate.jp +shizukuishi.iwate.jp +sumita.iwate.jp +tanohata.iwate.jp +tono.iwate.jp +yahaba.iwate.jp +yamada.iwate.jp +ayagawa.kagawa.jp +higashikagawa.kagawa.jp +kanonji.kagawa.jp +kotohira.kagawa.jp +manno.kagawa.jp +marugame.kagawa.jp +mitoyo.kagawa.jp +naoshima.kagawa.jp +sanuki.kagawa.jp +tadotsu.kagawa.jp +takamatsu.kagawa.jp +tonosho.kagawa.jp +uchinomi.kagawa.jp +utazu.kagawa.jp +zentsuji.kagawa.jp +akune.kagoshima.jp +amami.kagoshima.jp +hioki.kagoshima.jp +isa.kagoshima.jp +isen.kagoshima.jp +izumi.kagoshima.jp +kagoshima.kagoshima.jp +kanoya.kagoshima.jp +kawanabe.kagoshima.jp +kinko.kagoshima.jp +kouyama.kagoshima.jp +makurazaki.kagoshima.jp +matsumoto.kagoshima.jp +minamitane.kagoshima.jp +nakatane.kagoshima.jp +nishinoomote.kagoshima.jp +satsumasendai.kagoshima.jp +soo.kagoshima.jp +tarumizu.kagoshima.jp +yusui.kagoshima.jp +aikawa.kanagawa.jp +atsugi.kanagawa.jp +ayase.kanagawa.jp +chigasaki.kanagawa.jp +ebina.kanagawa.jp +fujisawa.kanagawa.jp +hadano.kanagawa.jp +hakone.kanagawa.jp +hiratsuka.kanagawa.jp +isehara.kanagawa.jp +kaisei.kanagawa.jp +kamakura.kanagawa.jp +kiyokawa.kanagawa.jp +matsuda.kanagawa.jp +minamiashigara.kanagawa.jp +miura.kanagawa.jp +nakai.kanagawa.jp 
+ninomiya.kanagawa.jp +odawara.kanagawa.jp +oi.kanagawa.jp +oiso.kanagawa.jp +sagamihara.kanagawa.jp +samukawa.kanagawa.jp +tsukui.kanagawa.jp +yamakita.kanagawa.jp +yamato.kanagawa.jp +yokosuka.kanagawa.jp +yugawara.kanagawa.jp +zama.kanagawa.jp +zushi.kanagawa.jp +aki.kochi.jp +geisei.kochi.jp +hidaka.kochi.jp +higashitsuno.kochi.jp +ino.kochi.jp +kagami.kochi.jp +kami.kochi.jp +kitagawa.kochi.jp +kochi.kochi.jp +mihara.kochi.jp +motoyama.kochi.jp +muroto.kochi.jp +nahari.kochi.jp +nakamura.kochi.jp +nankoku.kochi.jp +nishitosa.kochi.jp +niyodogawa.kochi.jp +ochi.kochi.jp +okawa.kochi.jp +otoyo.kochi.jp +otsuki.kochi.jp +sakawa.kochi.jp +sukumo.kochi.jp +susaki.kochi.jp +tosa.kochi.jp +tosashimizu.kochi.jp +toyo.kochi.jp +tsuno.kochi.jp +umaji.kochi.jp +yasuda.kochi.jp +yusuhara.kochi.jp +amakusa.kumamoto.jp +arao.kumamoto.jp +aso.kumamoto.jp +choyo.kumamoto.jp +gyokuto.kumamoto.jp +hitoyoshi.kumamoto.jp +kamiamakusa.kumamoto.jp +kashima.kumamoto.jp +kikuchi.kumamoto.jp +kosa.kumamoto.jp +kumamoto.kumamoto.jp +mashiki.kumamoto.jp +mifune.kumamoto.jp +minamata.kumamoto.jp +minamioguni.kumamoto.jp +nagasu.kumamoto.jp +nishihara.kumamoto.jp +oguni.kumamoto.jp +ozu.kumamoto.jp +sumoto.kumamoto.jp +takamori.kumamoto.jp +uki.kumamoto.jp +uto.kumamoto.jp +yamaga.kumamoto.jp +yamato.kumamoto.jp +yatsushiro.kumamoto.jp +ayabe.kyoto.jp +fukuchiyama.kyoto.jp +higashiyama.kyoto.jp +ide.kyoto.jp +ine.kyoto.jp +joyo.kyoto.jp +kameoka.kyoto.jp +kamo.kyoto.jp +kita.kyoto.jp +kizu.kyoto.jp +kumiyama.kyoto.jp +kyotamba.kyoto.jp +kyotanabe.kyoto.jp +kyotango.kyoto.jp +maizuru.kyoto.jp +minami.kyoto.jp +minamiyamashiro.kyoto.jp +miyazu.kyoto.jp +muko.kyoto.jp +nagaokakyo.kyoto.jp +nakagyo.kyoto.jp +nantan.kyoto.jp +oyamazaki.kyoto.jp +sakyo.kyoto.jp +seika.kyoto.jp +tanabe.kyoto.jp +uji.kyoto.jp +ujitawara.kyoto.jp +wazuka.kyoto.jp +yamashina.kyoto.jp +yawata.kyoto.jp +asahi.mie.jp +inabe.mie.jp +ise.mie.jp +kameyama.mie.jp +kawagoe.mie.jp +kiho.mie.jp +kisosaki.mie.jp +kiwa.mie.jp 
+komono.mie.jp +kumano.mie.jp +kuwana.mie.jp +matsusaka.mie.jp +meiwa.mie.jp +mihama.mie.jp +minamiise.mie.jp +misugi.mie.jp +miyama.mie.jp +nabari.mie.jp +shima.mie.jp +suzuka.mie.jp +tado.mie.jp +taiki.mie.jp +taki.mie.jp +tamaki.mie.jp +toba.mie.jp +tsu.mie.jp +udono.mie.jp +ureshino.mie.jp +watarai.mie.jp +yokkaichi.mie.jp +furukawa.miyagi.jp +higashimatsushima.miyagi.jp +ishinomaki.miyagi.jp +iwanuma.miyagi.jp +kakuda.miyagi.jp +kami.miyagi.jp +kawasaki.miyagi.jp +kesennuma.miyagi.jp +marumori.miyagi.jp +matsushima.miyagi.jp +minamisanriku.miyagi.jp +misato.miyagi.jp +murata.miyagi.jp +natori.miyagi.jp +ogawara.miyagi.jp +ohira.miyagi.jp +onagawa.miyagi.jp +osaki.miyagi.jp +rifu.miyagi.jp +semine.miyagi.jp +shibata.miyagi.jp +shichikashuku.miyagi.jp +shikama.miyagi.jp +shiogama.miyagi.jp +shiroishi.miyagi.jp +tagajo.miyagi.jp +taiwa.miyagi.jp +tome.miyagi.jp +tomiya.miyagi.jp +wakuya.miyagi.jp +watari.miyagi.jp +yamamoto.miyagi.jp +zao.miyagi.jp +aya.miyazaki.jp +ebino.miyazaki.jp +gokase.miyazaki.jp +hyuga.miyazaki.jp +kadogawa.miyazaki.jp +kawaminami.miyazaki.jp +kijo.miyazaki.jp +kitagawa.miyazaki.jp +kitakata.miyazaki.jp +kitaura.miyazaki.jp +kobayashi.miyazaki.jp +kunitomi.miyazaki.jp +kushima.miyazaki.jp +mimata.miyazaki.jp +miyakonojo.miyazaki.jp +miyazaki.miyazaki.jp +morotsuka.miyazaki.jp +nichinan.miyazaki.jp +nishimera.miyazaki.jp +nobeoka.miyazaki.jp +saito.miyazaki.jp +shiiba.miyazaki.jp +shintomi.miyazaki.jp +takaharu.miyazaki.jp +takanabe.miyazaki.jp +takazaki.miyazaki.jp +tsuno.miyazaki.jp +achi.nagano.jp +agematsu.nagano.jp +anan.nagano.jp +aoki.nagano.jp +asahi.nagano.jp +azumino.nagano.jp +chikuhoku.nagano.jp +chikuma.nagano.jp +chino.nagano.jp +fujimi.nagano.jp +hakuba.nagano.jp +hara.nagano.jp +hiraya.nagano.jp +iida.nagano.jp +iijima.nagano.jp +iiyama.nagano.jp +iizuna.nagano.jp +ikeda.nagano.jp +ikusaka.nagano.jp +ina.nagano.jp +karuizawa.nagano.jp +kawakami.nagano.jp +kiso.nagano.jp +kisofukushima.nagano.jp +kitaaiki.nagano.jp 
+komagane.nagano.jp +komoro.nagano.jp +matsukawa.nagano.jp +matsumoto.nagano.jp +miasa.nagano.jp +minamiaiki.nagano.jp +minamimaki.nagano.jp +minamiminowa.nagano.jp +minowa.nagano.jp +miyada.nagano.jp +miyota.nagano.jp +mochizuki.nagano.jp +nagano.nagano.jp +nagawa.nagano.jp +nagiso.nagano.jp +nakagawa.nagano.jp +nakano.nagano.jp +nozawaonsen.nagano.jp +obuse.nagano.jp +ogawa.nagano.jp +okaya.nagano.jp +omachi.nagano.jp +omi.nagano.jp +ookuwa.nagano.jp +ooshika.nagano.jp +otaki.nagano.jp +otari.nagano.jp +sakae.nagano.jp +sakaki.nagano.jp +saku.nagano.jp +sakuho.nagano.jp +shimosuwa.nagano.jp +shinanomachi.nagano.jp +shiojiri.nagano.jp +suwa.nagano.jp +suzaka.nagano.jp +takagi.nagano.jp +takamori.nagano.jp +takayama.nagano.jp +tateshina.nagano.jp +tatsuno.nagano.jp +togakushi.nagano.jp +togura.nagano.jp +tomi.nagano.jp +ueda.nagano.jp +wada.nagano.jp +yamagata.nagano.jp +yamanouchi.nagano.jp +yasaka.nagano.jp +yasuoka.nagano.jp +chijiwa.nagasaki.jp +futsu.nagasaki.jp +goto.nagasaki.jp +hasami.nagasaki.jp +hirado.nagasaki.jp +iki.nagasaki.jp +isahaya.nagasaki.jp +kawatana.nagasaki.jp +kuchinotsu.nagasaki.jp +matsuura.nagasaki.jp +nagasaki.nagasaki.jp +obama.nagasaki.jp +omura.nagasaki.jp +oseto.nagasaki.jp +saikai.nagasaki.jp +sasebo.nagasaki.jp +seihi.nagasaki.jp +shimabara.nagasaki.jp +shinkamigoto.nagasaki.jp +togitsu.nagasaki.jp +tsushima.nagasaki.jp +unzen.nagasaki.jp +ando.nara.jp +gose.nara.jp +heguri.nara.jp +higashiyoshino.nara.jp +ikaruga.nara.jp +ikoma.nara.jp +kamikitayama.nara.jp +kanmaki.nara.jp +kashiba.nara.jp +kashihara.nara.jp +katsuragi.nara.jp +kawai.nara.jp +kawakami.nara.jp +kawanishi.nara.jp +koryo.nara.jp +kurotaki.nara.jp +mitsue.nara.jp +miyake.nara.jp +nara.nara.jp +nosegawa.nara.jp +oji.nara.jp +ouda.nara.jp +oyodo.nara.jp +sakurai.nara.jp +sango.nara.jp +shimoichi.nara.jp +shimokitayama.nara.jp +shinjo.nara.jp +soni.nara.jp +takatori.nara.jp +tawaramoto.nara.jp +tenkawa.nara.jp +tenri.nara.jp +uda.nara.jp +yamatokoriyama.nara.jp 
+yamatotakada.nara.jp +yamazoe.nara.jp +yoshino.nara.jp +aga.niigata.jp +agano.niigata.jp +gosen.niigata.jp +itoigawa.niigata.jp +izumozaki.niigata.jp +joetsu.niigata.jp +kamo.niigata.jp +kariwa.niigata.jp +kashiwazaki.niigata.jp +minamiuonuma.niigata.jp +mitsuke.niigata.jp +muika.niigata.jp +murakami.niigata.jp +myoko.niigata.jp +nagaoka.niigata.jp +niigata.niigata.jp +ojiya.niigata.jp +omi.niigata.jp +sado.niigata.jp +sanjo.niigata.jp +seiro.niigata.jp +seirou.niigata.jp +sekikawa.niigata.jp +shibata.niigata.jp +tagami.niigata.jp +tainai.niigata.jp +tochio.niigata.jp +tokamachi.niigata.jp +tsubame.niigata.jp +tsunan.niigata.jp +uonuma.niigata.jp +yahiko.niigata.jp +yoita.niigata.jp +yuzawa.niigata.jp +beppu.oita.jp +bungoono.oita.jp +bungotakada.oita.jp +hasama.oita.jp +hiji.oita.jp +himeshima.oita.jp +hita.oita.jp +kamitsue.oita.jp +kokonoe.oita.jp +kuju.oita.jp +kunisaki.oita.jp +kusu.oita.jp +oita.oita.jp +saiki.oita.jp +taketa.oita.jp +tsukumi.oita.jp +usa.oita.jp +usuki.oita.jp +yufu.oita.jp +akaiwa.okayama.jp +asakuchi.okayama.jp +bizen.okayama.jp +hayashima.okayama.jp +ibara.okayama.jp +kagamino.okayama.jp +kasaoka.okayama.jp +kibichuo.okayama.jp +kumenan.okayama.jp +kurashiki.okayama.jp +maniwa.okayama.jp +misaki.okayama.jp +nagi.okayama.jp +niimi.okayama.jp +nishiawakura.okayama.jp +okayama.okayama.jp +satosho.okayama.jp +setouchi.okayama.jp +shinjo.okayama.jp +shoo.okayama.jp +soja.okayama.jp +takahashi.okayama.jp +tamano.okayama.jp +tsuyama.okayama.jp +wake.okayama.jp +yakage.okayama.jp +aguni.okinawa.jp +ginowan.okinawa.jp +ginoza.okinawa.jp +gushikami.okinawa.jp +haebaru.okinawa.jp +higashi.okinawa.jp +hirara.okinawa.jp +iheya.okinawa.jp +ishigaki.okinawa.jp +ishikawa.okinawa.jp +itoman.okinawa.jp +izena.okinawa.jp +kadena.okinawa.jp +kin.okinawa.jp +kitadaito.okinawa.jp +kitanakagusuku.okinawa.jp +kumejima.okinawa.jp +kunigami.okinawa.jp +minamidaito.okinawa.jp +motobu.okinawa.jp +nago.okinawa.jp +naha.okinawa.jp +nakagusuku.okinawa.jp 
+nakijin.okinawa.jp +nanjo.okinawa.jp +nishihara.okinawa.jp +ogimi.okinawa.jp +okinawa.okinawa.jp +onna.okinawa.jp +shimoji.okinawa.jp +taketomi.okinawa.jp +tarama.okinawa.jp +tokashiki.okinawa.jp +tomigusuku.okinawa.jp +tonaki.okinawa.jp +urasoe.okinawa.jp +uruma.okinawa.jp +yaese.okinawa.jp +yomitan.okinawa.jp +yonabaru.okinawa.jp +yonaguni.okinawa.jp +zamami.okinawa.jp +abeno.osaka.jp +chihayaakasaka.osaka.jp +chuo.osaka.jp +daito.osaka.jp +fujiidera.osaka.jp +habikino.osaka.jp +hannan.osaka.jp +higashiosaka.osaka.jp +higashisumiyoshi.osaka.jp +higashiyodogawa.osaka.jp +hirakata.osaka.jp +ibaraki.osaka.jp +ikeda.osaka.jp +izumi.osaka.jp +izumiotsu.osaka.jp +izumisano.osaka.jp +kadoma.osaka.jp +kaizuka.osaka.jp +kanan.osaka.jp +kashiwara.osaka.jp +katano.osaka.jp +kawachinagano.osaka.jp +kishiwada.osaka.jp +kita.osaka.jp +kumatori.osaka.jp +matsubara.osaka.jp +minato.osaka.jp +minoh.osaka.jp +misaki.osaka.jp +moriguchi.osaka.jp +neyagawa.osaka.jp +nishi.osaka.jp +nose.osaka.jp +osakasayama.osaka.jp +sakai.osaka.jp +sayama.osaka.jp +sennan.osaka.jp +settsu.osaka.jp +shijonawate.osaka.jp +shimamoto.osaka.jp +suita.osaka.jp +tadaoka.osaka.jp +taishi.osaka.jp +tajiri.osaka.jp +takaishi.osaka.jp +takatsuki.osaka.jp +tondabayashi.osaka.jp +toyonaka.osaka.jp +toyono.osaka.jp +yao.osaka.jp +ariake.saga.jp +arita.saga.jp +fukudomi.saga.jp +genkai.saga.jp +hamatama.saga.jp +hizen.saga.jp +imari.saga.jp +kamimine.saga.jp +kanzaki.saga.jp +karatsu.saga.jp +kashima.saga.jp +kitagata.saga.jp +kitahata.saga.jp +kiyama.saga.jp +kouhoku.saga.jp +kyuragi.saga.jp +nishiarita.saga.jp +ogi.saga.jp +omachi.saga.jp +ouchi.saga.jp +saga.saga.jp +shiroishi.saga.jp +taku.saga.jp +tara.saga.jp +tosu.saga.jp +yoshinogari.saga.jp +arakawa.saitama.jp +asaka.saitama.jp +chichibu.saitama.jp +fujimi.saitama.jp +fujimino.saitama.jp +fukaya.saitama.jp +hanno.saitama.jp +hanyu.saitama.jp +hasuda.saitama.jp +hatogaya.saitama.jp +hatoyama.saitama.jp +hidaka.saitama.jp +higashichichibu.saitama.jp 
+higashimatsuyama.saitama.jp +honjo.saitama.jp +ina.saitama.jp +iruma.saitama.jp +iwatsuki.saitama.jp +kamiizumi.saitama.jp +kamikawa.saitama.jp +kamisato.saitama.jp +kasukabe.saitama.jp +kawagoe.saitama.jp +kawaguchi.saitama.jp +kawajima.saitama.jp +kazo.saitama.jp +kitamoto.saitama.jp +koshigaya.saitama.jp +kounosu.saitama.jp +kuki.saitama.jp +kumagaya.saitama.jp +matsubushi.saitama.jp +minano.saitama.jp +misato.saitama.jp +miyashiro.saitama.jp +miyoshi.saitama.jp +moroyama.saitama.jp +nagatoro.saitama.jp +namegawa.saitama.jp +niiza.saitama.jp +ogano.saitama.jp +ogawa.saitama.jp +ogose.saitama.jp +okegawa.saitama.jp +omiya.saitama.jp +otaki.saitama.jp +ranzan.saitama.jp +ryokami.saitama.jp +saitama.saitama.jp +sakado.saitama.jp +satte.saitama.jp +sayama.saitama.jp +shiki.saitama.jp +shiraoka.saitama.jp +soka.saitama.jp +sugito.saitama.jp +toda.saitama.jp +tokigawa.saitama.jp +tokorozawa.saitama.jp +tsurugashima.saitama.jp +urawa.saitama.jp +warabi.saitama.jp +yashio.saitama.jp +yokoze.saitama.jp +yono.saitama.jp +yorii.saitama.jp +yoshida.saitama.jp +yoshikawa.saitama.jp +yoshimi.saitama.jp +aisho.shiga.jp +gamo.shiga.jp +higashiomi.shiga.jp +hikone.shiga.jp +koka.shiga.jp +konan.shiga.jp +kosei.shiga.jp +koto.shiga.jp +kusatsu.shiga.jp +maibara.shiga.jp +moriyama.shiga.jp +nagahama.shiga.jp +nishiazai.shiga.jp +notogawa.shiga.jp +omihachiman.shiga.jp +otsu.shiga.jp +ritto.shiga.jp +ryuoh.shiga.jp +takashima.shiga.jp +takatsuki.shiga.jp +torahime.shiga.jp +toyosato.shiga.jp +yasu.shiga.jp +akagi.shimane.jp +ama.shimane.jp +gotsu.shimane.jp +hamada.shimane.jp +higashiizumo.shimane.jp +hikawa.shimane.jp +hikimi.shimane.jp +izumo.shimane.jp +kakinoki.shimane.jp +masuda.shimane.jp +matsue.shimane.jp +misato.shimane.jp +nishinoshima.shimane.jp +ohda.shimane.jp +okinoshima.shimane.jp +okuizumo.shimane.jp +shimane.shimane.jp +tamayu.shimane.jp +tsuwano.shimane.jp +unnan.shimane.jp +yakumo.shimane.jp +yasugi.shimane.jp +yatsuka.shimane.jp +arai.shizuoka.jp 
+atami.shizuoka.jp +fuji.shizuoka.jp +fujieda.shizuoka.jp +fujikawa.shizuoka.jp +fujinomiya.shizuoka.jp +fukuroi.shizuoka.jp +gotemba.shizuoka.jp +haibara.shizuoka.jp +hamamatsu.shizuoka.jp +higashiizu.shizuoka.jp +ito.shizuoka.jp +iwata.shizuoka.jp +izu.shizuoka.jp +izunokuni.shizuoka.jp +kakegawa.shizuoka.jp +kannami.shizuoka.jp +kawanehon.shizuoka.jp +kawazu.shizuoka.jp +kikugawa.shizuoka.jp +kosai.shizuoka.jp +makinohara.shizuoka.jp +matsuzaki.shizuoka.jp +minamiizu.shizuoka.jp +mishima.shizuoka.jp +morimachi.shizuoka.jp +nishiizu.shizuoka.jp +numazu.shizuoka.jp +omaezaki.shizuoka.jp +shimada.shizuoka.jp +shimizu.shizuoka.jp +shimoda.shizuoka.jp +shizuoka.shizuoka.jp +susono.shizuoka.jp +yaizu.shizuoka.jp +yoshida.shizuoka.jp +ashikaga.tochigi.jp +bato.tochigi.jp +haga.tochigi.jp +ichikai.tochigi.jp +iwafune.tochigi.jp +kaminokawa.tochigi.jp +kanuma.tochigi.jp +karasuyama.tochigi.jp +kuroiso.tochigi.jp +mashiko.tochigi.jp +mibu.tochigi.jp +moka.tochigi.jp +motegi.tochigi.jp +nasu.tochigi.jp +nasushiobara.tochigi.jp +nikko.tochigi.jp +nishikata.tochigi.jp +nogi.tochigi.jp +ohira.tochigi.jp +ohtawara.tochigi.jp +oyama.tochigi.jp +sakura.tochigi.jp +sano.tochigi.jp +shimotsuke.tochigi.jp +shioya.tochigi.jp +takanezawa.tochigi.jp +tochigi.tochigi.jp +tsuga.tochigi.jp +ujiie.tochigi.jp +utsunomiya.tochigi.jp +yaita.tochigi.jp +aizumi.tokushima.jp +anan.tokushima.jp +ichiba.tokushima.jp +itano.tokushima.jp +kainan.tokushima.jp +komatsushima.tokushima.jp +matsushige.tokushima.jp +mima.tokushima.jp +minami.tokushima.jp +miyoshi.tokushima.jp +mugi.tokushima.jp +nakagawa.tokushima.jp +naruto.tokushima.jp +sanagochi.tokushima.jp +shishikui.tokushima.jp +tokushima.tokushima.jp +wajiki.tokushima.jp +adachi.tokyo.jp +akiruno.tokyo.jp +akishima.tokyo.jp +aogashima.tokyo.jp +arakawa.tokyo.jp +bunkyo.tokyo.jp +chiyoda.tokyo.jp +chofu.tokyo.jp +chuo.tokyo.jp +edogawa.tokyo.jp +fuchu.tokyo.jp +fussa.tokyo.jp +hachijo.tokyo.jp +hachioji.tokyo.jp +hamura.tokyo.jp 
+higashikurume.tokyo.jp +higashimurayama.tokyo.jp +higashiyamato.tokyo.jp +hino.tokyo.jp +hinode.tokyo.jp +hinohara.tokyo.jp +inagi.tokyo.jp +itabashi.tokyo.jp +katsushika.tokyo.jp +kita.tokyo.jp +kiyose.tokyo.jp +kodaira.tokyo.jp +koganei.tokyo.jp +kokubunji.tokyo.jp +komae.tokyo.jp +koto.tokyo.jp +kouzushima.tokyo.jp +kunitachi.tokyo.jp +machida.tokyo.jp +meguro.tokyo.jp +minato.tokyo.jp +mitaka.tokyo.jp +mizuho.tokyo.jp +musashimurayama.tokyo.jp +musashino.tokyo.jp +nakano.tokyo.jp +nerima.tokyo.jp +ogasawara.tokyo.jp +okutama.tokyo.jp +ome.tokyo.jp +oshima.tokyo.jp +ota.tokyo.jp +setagaya.tokyo.jp +shibuya.tokyo.jp +shinagawa.tokyo.jp +shinjuku.tokyo.jp +suginami.tokyo.jp +sumida.tokyo.jp +tachikawa.tokyo.jp +taito.tokyo.jp +tama.tokyo.jp +toshima.tokyo.jp +chizu.tottori.jp +hino.tottori.jp +kawahara.tottori.jp +koge.tottori.jp +kotoura.tottori.jp +misasa.tottori.jp +nanbu.tottori.jp +nichinan.tottori.jp +sakaiminato.tottori.jp +tottori.tottori.jp +wakasa.tottori.jp +yazu.tottori.jp +yonago.tottori.jp +asahi.toyama.jp +fuchu.toyama.jp +fukumitsu.toyama.jp +funahashi.toyama.jp +himi.toyama.jp +imizu.toyama.jp +inami.toyama.jp +johana.toyama.jp +kamiichi.toyama.jp +kurobe.toyama.jp +nakaniikawa.toyama.jp +namerikawa.toyama.jp +nanto.toyama.jp +nyuzen.toyama.jp +oyabe.toyama.jp +taira.toyama.jp +takaoka.toyama.jp +tateyama.toyama.jp +toga.toyama.jp +tonami.toyama.jp +toyama.toyama.jp +unazuki.toyama.jp +uozu.toyama.jp +yamada.toyama.jp +arida.wakayama.jp +aridagawa.wakayama.jp +gobo.wakayama.jp +hashimoto.wakayama.jp +hidaka.wakayama.jp +hirogawa.wakayama.jp +inami.wakayama.jp +iwade.wakayama.jp +kainan.wakayama.jp +kamitonda.wakayama.jp +katsuragi.wakayama.jp +kimino.wakayama.jp +kinokawa.wakayama.jp +kitayama.wakayama.jp +koya.wakayama.jp +koza.wakayama.jp +kozagawa.wakayama.jp +kudoyama.wakayama.jp +kushimoto.wakayama.jp +mihama.wakayama.jp +misato.wakayama.jp +nachikatsuura.wakayama.jp +shingu.wakayama.jp +shirahama.wakayama.jp +taiji.wakayama.jp 
+tanabe.wakayama.jp +wakayama.wakayama.jp +yuasa.wakayama.jp +yura.wakayama.jp +asahi.yamagata.jp +funagata.yamagata.jp +higashine.yamagata.jp +iide.yamagata.jp +kahoku.yamagata.jp +kaminoyama.yamagata.jp +kaneyama.yamagata.jp +kawanishi.yamagata.jp +mamurogawa.yamagata.jp +mikawa.yamagata.jp +murayama.yamagata.jp +nagai.yamagata.jp +nakayama.yamagata.jp +nanyo.yamagata.jp +nishikawa.yamagata.jp +obanazawa.yamagata.jp +oe.yamagata.jp +oguni.yamagata.jp +ohkura.yamagata.jp +oishida.yamagata.jp +sagae.yamagata.jp +sakata.yamagata.jp +sakegawa.yamagata.jp +shinjo.yamagata.jp +shirataka.yamagata.jp +shonai.yamagata.jp +takahata.yamagata.jp +tendo.yamagata.jp +tozawa.yamagata.jp +tsuruoka.yamagata.jp +yamagata.yamagata.jp +yamanobe.yamagata.jp +yonezawa.yamagata.jp +yuza.yamagata.jp +abu.yamaguchi.jp +hagi.yamaguchi.jp +hikari.yamaguchi.jp +hofu.yamaguchi.jp +iwakuni.yamaguchi.jp +kudamatsu.yamaguchi.jp +mitou.yamaguchi.jp +nagato.yamaguchi.jp +oshima.yamaguchi.jp +shimonoseki.yamaguchi.jp +shunan.yamaguchi.jp +tabuse.yamaguchi.jp +tokuyama.yamaguchi.jp +toyota.yamaguchi.jp +ube.yamaguchi.jp +yuu.yamaguchi.jp +chuo.yamanashi.jp +doshi.yamanashi.jp +fuefuki.yamanashi.jp +fujikawa.yamanashi.jp +fujikawaguchiko.yamanashi.jp +fujiyoshida.yamanashi.jp +hayakawa.yamanashi.jp +hokuto.yamanashi.jp +ichikawamisato.yamanashi.jp +kai.yamanashi.jp +kofu.yamanashi.jp +koshu.yamanashi.jp +kosuge.yamanashi.jp +minami-alps.yamanashi.jp +minobu.yamanashi.jp +nakamichi.yamanashi.jp +nanbu.yamanashi.jp +narusawa.yamanashi.jp +nirasaki.yamanashi.jp +nishikatsura.yamanashi.jp +oshino.yamanashi.jp +otsuki.yamanashi.jp +showa.yamanashi.jp +tabayama.yamanashi.jp +tsuru.yamanashi.jp +uenohara.yamanashi.jp +yamanakako.yamanashi.jp +yamanashi.yamanashi.jp + +// ke : http://www.kenic.or.ke/index.php?option=com_content&task=view&id=117&Itemid=145 +*.ke + +// kg : http://www.domain.kg/dmn_n.html +kg +org.kg +net.kg +com.kg +edu.kg +gov.kg +mil.kg + +// kh : 
http://www.mptc.gov.kh/dns_registration.htm +*.kh + +// ki : http://www.ki/dns/index.html +ki +edu.ki +biz.ki +net.ki +org.ki +gov.ki +info.ki +com.ki + +// km : http://en.wikipedia.org/wiki/.km +// http://www.domaine.km/documents/charte.doc +km +org.km +nom.km +gov.km +prd.km +tm.km +edu.km +mil.km +ass.km +com.km +// These are only mentioned as proposed suggestions at domaine.km, but +// http://en.wikipedia.org/wiki/.km says they're available for registration: +coop.km +asso.km +presse.km +medecin.km +notaires.km +pharmaciens.km +veterinaire.km +gouv.km + +// kn : http://en.wikipedia.org/wiki/.kn +// http://www.dot.kn/domainRules.html +kn +net.kn +org.kn +edu.kn +gov.kn + +// kp : http://www.kcce.kp/en_index.php +kp +com.kp +edu.kp +gov.kp +org.kp +rep.kp +tra.kp + +// kr : http://en.wikipedia.org/wiki/.kr +// see also: http://domain.nida.or.kr/eng/registration.jsp +kr +ac.kr +co.kr +es.kr +go.kr +hs.kr +kg.kr +mil.kr +ms.kr +ne.kr +or.kr +pe.kr +re.kr +sc.kr +// kr geographical names +busan.kr +chungbuk.kr +chungnam.kr +daegu.kr +daejeon.kr +gangwon.kr +gwangju.kr +gyeongbuk.kr +gyeonggi.kr +gyeongnam.kr +incheon.kr +jeju.kr +jeonbuk.kr +jeonnam.kr +seoul.kr +ulsan.kr + +// kw : http://en.wikipedia.org/wiki/.kw +*.kw + +// ky : http://www.icta.ky/da_ky_reg_dom.php +// Confirmed by registry 2008-06-17 +ky +edu.ky +gov.ky +com.ky +org.ky +net.ky + +// kz : http://en.wikipedia.org/wiki/.kz +// see also: http://www.nic.kz/rules/index.jsp +kz +org.kz +edu.kz +net.kz +gov.kz +mil.kz +com.kz + +// la : http://en.wikipedia.org/wiki/.la +// Submitted by registry 2008-06-10 +la +int.la +net.la +info.la +edu.la +gov.la +per.la +com.la +org.la + +// lb : http://en.wikipedia.org/wiki/.lb +// Submitted by registry 2008-06-17 +lb +com.lb +edu.lb +gov.lb +net.lb +org.lb + +// lc : http://en.wikipedia.org/wiki/.lc +// see also: http://www.nic.lc/rules.htm +lc +com.lc +net.lc +co.lc +org.lc +edu.lc +gov.lc + +// li : http://en.wikipedia.org/wiki/.li +li + +// lk : 
http://www.nic.lk/seclevpr.html +lk +gov.lk +sch.lk +net.lk +int.lk +com.lk +org.lk +edu.lk +ngo.lk +soc.lk +web.lk +ltd.lk +assn.lk +grp.lk +hotel.lk + +// lr : http://psg.com/dns/lr/lr.txt +// Submitted by registry 2008-06-17 +lr +com.lr +edu.lr +gov.lr +org.lr +net.lr + +// ls : http://en.wikipedia.org/wiki/.ls +ls +co.ls +org.ls + +// lt : http://en.wikipedia.org/wiki/.lt +lt +// gov.lt : http://www.gov.lt/index_en.php +gov.lt + +// lu : http://www.dns.lu/en/ +lu + +// lv : http://www.nic.lv/DNS/En/generic.php +lv +com.lv +edu.lv +gov.lv +org.lv +mil.lv +id.lv +net.lv +asn.lv +conf.lv + +// ly : http://www.nic.ly/regulations.php +ly +com.ly +net.ly +gov.ly +plc.ly +edu.ly +sch.ly +med.ly +org.ly +id.ly + +// ma : http://en.wikipedia.org/wiki/.ma +// http://www.anrt.ma/fr/admin/download/upload/file_fr782.pdf +ma +co.ma +net.ma +gov.ma +org.ma +ac.ma +press.ma + +// mc : http://www.nic.mc/ +mc +tm.mc +asso.mc + +// md : http://en.wikipedia.org/wiki/.md +md + +// me : http://en.wikipedia.org/wiki/.me +me +co.me +net.me +org.me +edu.me +ac.me +gov.me +its.me +priv.me + +// mg : http://www.nic.mg/tarif.htm +mg +org.mg +nom.mg +gov.mg +prd.mg +tm.mg +edu.mg +mil.mg +com.mg + +// mh : http://en.wikipedia.org/wiki/.mh +mh + +// mil : http://en.wikipedia.org/wiki/.mil +mil + +// mk : http://en.wikipedia.org/wiki/.mk +// see also: http://dns.marnet.net.mk/postapka.php +mk +com.mk +org.mk +net.mk +edu.mk +gov.mk +inf.mk +name.mk + +// ml : http://www.gobin.info/domainname/ml-template.doc +// see also: http://en.wikipedia.org/wiki/.ml +ml +com.ml +edu.ml +gouv.ml +gov.ml +net.ml +org.ml +presse.ml + +// mm : http://en.wikipedia.org/wiki/.mm +*.mm + +// mn : http://en.wikipedia.org/wiki/.mn +mn +gov.mn +edu.mn +org.mn + +// mo : http://www.monic.net.mo/ +mo +com.mo +net.mo +org.mo +edu.mo +gov.mo + +// mobi : http://en.wikipedia.org/wiki/.mobi +mobi + +// mp : http://www.dot.mp/ +// Confirmed by registry 2008-06-17 +mp + +// mq : http://en.wikipedia.org/wiki/.mq +mq + +// 
mr : http://en.wikipedia.org/wiki/.mr +mr +gov.mr + +// ms : http://www.nic.ms/pdf/MS_Domain_Name_Rules.pdf +ms +com.ms +edu.ms +gov.ms +net.ms +org.ms + +// mt : https://www.nic.org.mt/go/policy +// Submitted by registry 2013-11-19 +mt +com.mt +edu.mt +net.mt +org.mt + +// mu : http://en.wikipedia.org/wiki/.mu +mu +com.mu +net.mu +org.mu +gov.mu +ac.mu +co.mu +or.mu + +// museum : http://about.museum/naming/ +// http://index.museum/ +museum +academy.museum +agriculture.museum +air.museum +airguard.museum +alabama.museum +alaska.museum +amber.museum +ambulance.museum +american.museum +americana.museum +americanantiques.museum +americanart.museum +amsterdam.museum +and.museum +annefrank.museum +anthro.museum +anthropology.museum +antiques.museum +aquarium.museum +arboretum.museum +archaeological.museum +archaeology.museum +architecture.museum +art.museum +artanddesign.museum +artcenter.museum +artdeco.museum +arteducation.museum +artgallery.museum +arts.museum +artsandcrafts.museum +asmatart.museum +assassination.museum +assisi.museum +association.museum +astronomy.museum +atlanta.museum +austin.museum +australia.museum +automotive.museum +aviation.museum +axis.museum +badajoz.museum +baghdad.museum +bahn.museum +bale.museum +baltimore.museum +barcelona.museum +baseball.museum +basel.museum +baths.museum +bauern.museum +beauxarts.museum +beeldengeluid.museum +bellevue.museum +bergbau.museum +berkeley.museum +berlin.museum +bern.museum +bible.museum +bilbao.museum +bill.museum +birdart.museum +birthplace.museum +bonn.museum +boston.museum +botanical.museum +botanicalgarden.museum +botanicgarden.museum +botany.museum +brandywinevalley.museum +brasil.museum +bristol.museum +british.museum +britishcolumbia.museum +broadcast.museum +brunel.museum +brussel.museum +brussels.museum +bruxelles.museum +building.museum +burghof.museum +bus.museum +bushey.museum +cadaques.museum +california.museum +cambridge.museum +can.museum +canada.museum +capebreton.museum +carrier.museum 
+cartoonart.museum +casadelamoneda.museum +castle.museum +castres.museum +celtic.museum +center.museum +chattanooga.museum +cheltenham.museum +chesapeakebay.museum +chicago.museum +children.museum +childrens.museum +childrensgarden.museum +chiropractic.museum +chocolate.museum +christiansburg.museum +cincinnati.museum +cinema.museum +circus.museum +civilisation.museum +civilization.museum +civilwar.museum +clinton.museum +clock.museum +coal.museum +coastaldefence.museum +cody.museum +coldwar.museum +collection.museum +colonialwilliamsburg.museum +coloradoplateau.museum +columbia.museum +columbus.museum +communication.museum +communications.museum +community.museum +computer.museum +computerhistory.museum +comunicações.museum +contemporary.museum +contemporaryart.museum +convent.museum +copenhagen.museum +corporation.museum +correios-e-telecomunicações.museum +corvette.museum +costume.museum +countryestate.museum +county.museum +crafts.museum +cranbrook.museum +creation.museum +cultural.museum +culturalcenter.museum +culture.museum +cyber.museum +cymru.museum +dali.museum +dallas.museum +database.museum +ddr.museum +decorativearts.museum +delaware.museum +delmenhorst.museum +denmark.museum +depot.museum +design.museum +detroit.museum +dinosaur.museum +discovery.museum +dolls.museum +donostia.museum +durham.museum +eastafrica.museum +eastcoast.museum +education.museum +educational.museum +egyptian.museum +eisenbahn.museum +elburg.museum +elvendrell.museum +embroidery.museum +encyclopedic.museum +england.museum +entomology.museum +environment.museum +environmentalconservation.museum +epilepsy.museum +essex.museum +estate.museum +ethnology.museum +exeter.museum +exhibition.museum +family.museum +farm.museum +farmequipment.museum +farmers.museum +farmstead.museum +field.museum +figueres.museum +filatelia.museum +film.museum +fineart.museum +finearts.museum +finland.museum +flanders.museum +florida.museum +force.museum +fortmissoula.museum +fortworth.museum 
+foundation.museum +francaise.museum +frankfurt.museum +franziskaner.museum +freemasonry.museum +freiburg.museum +fribourg.museum +frog.museum +fundacio.museum +furniture.museum +gallery.museum +garden.museum +gateway.museum +geelvinck.museum +gemological.museum +geology.museum +georgia.museum +giessen.museum +glas.museum +glass.museum +gorge.museum +grandrapids.museum +graz.museum +guernsey.museum +halloffame.museum +hamburg.museum +handson.museum +harvestcelebration.museum +hawaii.museum +health.museum +heimatunduhren.museum +hellas.museum +helsinki.museum +hembygdsforbund.museum +heritage.museum +histoire.museum +historical.museum +historicalsociety.museum +historichouses.museum +historisch.museum +historisches.museum +history.museum +historyofscience.museum +horology.museum +house.museum +humanities.museum +illustration.museum +imageandsound.museum +indian.museum +indiana.museum +indianapolis.museum +indianmarket.museum +intelligence.museum +interactive.museum +iraq.museum +iron.museum +isleofman.museum +jamison.museum +jefferson.museum +jerusalem.museum +jewelry.museum +jewish.museum +jewishart.museum +jfk.museum +journalism.museum +judaica.museum +judygarland.museum +juedisches.museum +juif.museum +karate.museum +karikatur.museum +kids.museum +koebenhavn.museum +koeln.museum +kunst.museum +kunstsammlung.museum +kunstunddesign.museum +labor.museum +labour.museum +lajolla.museum +lancashire.museum +landes.museum +lans.museum +läns.museum +larsson.museum +lewismiller.museum +lincoln.museum +linz.museum +living.museum +livinghistory.museum +localhistory.museum +london.museum +losangeles.museum +louvre.museum +loyalist.museum +lucerne.museum +luxembourg.museum +luzern.museum +mad.museum +madrid.museum +mallorca.museum +manchester.museum +mansion.museum +mansions.museum +manx.museum +marburg.museum +maritime.museum +maritimo.museum +maryland.museum +marylhurst.museum +media.museum +medical.museum +medizinhistorisches.museum +meeres.museum +memorial.museum 
+mesaverde.museum +michigan.museum +midatlantic.museum +military.museum +mill.museum +miners.museum +mining.museum +minnesota.museum +missile.museum +missoula.museum +modern.museum +moma.museum +money.museum +monmouth.museum +monticello.museum +montreal.museum +moscow.museum +motorcycle.museum +muenchen.museum +muenster.museum +mulhouse.museum +muncie.museum +museet.museum +museumcenter.museum +museumvereniging.museum +music.museum +national.museum +nationalfirearms.museum +nationalheritage.museum +nativeamerican.museum +naturalhistory.museum +naturalhistorymuseum.museum +naturalsciences.museum +nature.museum +naturhistorisches.museum +natuurwetenschappen.museum +naumburg.museum +naval.museum +nebraska.museum +neues.museum +newhampshire.museum +newjersey.museum +newmexico.museum +newport.museum +newspaper.museum +newyork.museum +niepce.museum +norfolk.museum +north.museum +nrw.museum +nuernberg.museum +nuremberg.museum +nyc.museum +nyny.museum +oceanographic.museum +oceanographique.museum +omaha.museum +online.museum +ontario.museum +openair.museum +oregon.museum +oregontrail.museum +otago.museum +oxford.museum +pacific.museum +paderborn.museum +palace.museum +paleo.museum +palmsprings.museum +panama.museum +paris.museum +pasadena.museum +pharmacy.museum +philadelphia.museum +philadelphiaarea.museum +philately.museum +phoenix.museum +photography.museum +pilots.museum +pittsburgh.museum +planetarium.museum +plantation.museum +plants.museum +plaza.museum +portal.museum +portland.museum +portlligat.museum +posts-and-telecommunications.museum +preservation.museum +presidio.museum +press.museum +project.museum +public.museum +pubol.museum +quebec.museum +railroad.museum +railway.museum +research.museum +resistance.museum +riodejaneiro.museum +rochester.museum +rockart.museum +roma.museum +russia.museum +saintlouis.museum +salem.museum +salvadordali.museum +salzburg.museum +sandiego.museum +sanfrancisco.museum +santabarbara.museum +santacruz.museum +santafe.museum 
+saskatchewan.museum +satx.museum +savannahga.museum +schlesisches.museum +schoenbrunn.museum +schokoladen.museum +school.museum +schweiz.museum +science.museum +scienceandhistory.museum +scienceandindustry.museum +sciencecenter.museum +sciencecenters.museum +science-fiction.museum +sciencehistory.museum +sciences.museum +sciencesnaturelles.museum +scotland.museum +seaport.museum +settlement.museum +settlers.museum +shell.museum +sherbrooke.museum +sibenik.museum +silk.museum +ski.museum +skole.museum +society.museum +sologne.museum +soundandvision.museum +southcarolina.museum +southwest.museum +space.museum +spy.museum +square.museum +stadt.museum +stalbans.museum +starnberg.museum +state.museum +stateofdelaware.museum +station.museum +steam.museum +steiermark.museum +stjohn.museum +stockholm.museum +stpetersburg.museum +stuttgart.museum +suisse.museum +surgeonshall.museum +surrey.museum +svizzera.museum +sweden.museum +sydney.museum +tank.museum +tcm.museum +technology.museum +telekommunikation.museum +television.museum +texas.museum +textile.museum +theater.museum +time.museum +timekeeping.museum +topology.museum +torino.museum +touch.museum +town.museum +transport.museum +tree.museum +trolley.museum +trust.museum +trustee.museum +uhren.museum +ulm.museum +undersea.museum +university.museum +usa.museum +usantiques.museum +usarts.museum +uscountryestate.museum +usculture.museum +usdecorativearts.museum +usgarden.museum +ushistory.museum +ushuaia.museum +uslivinghistory.museum +utah.museum +uvic.museum +valley.museum +vantaa.museum +versailles.museum +viking.museum +village.museum +virginia.museum +virtual.museum +virtuel.museum +vlaanderen.museum +volkenkunde.museum +wales.museum +wallonie.museum +war.museum +washingtondc.museum +watchandclock.museum +watch-and-clock.museum +western.museum +westfalen.museum +whaling.museum +wildlife.museum +williamsburg.museum +windmill.museum +workshop.museum +york.museum +yorkshire.museum +yosemite.museum +youth.museum 
+zoological.museum +zoology.museum +ירושלים.museum +иком.museum + +// mv : http://en.wikipedia.org/wiki/.mv +// "mv" included because, contra Wikipedia, google.mv exists. +mv +aero.mv +biz.mv +com.mv +coop.mv +edu.mv +gov.mv +info.mv +int.mv +mil.mv +museum.mv +name.mv +net.mv +org.mv +pro.mv + +// mw : http://www.registrar.mw/ +mw +ac.mw +biz.mw +co.mw +com.mw +coop.mw +edu.mw +gov.mw +int.mw +museum.mw +net.mw +org.mw + +// mx : http://www.nic.mx/ +// Submitted by registry 2008-06-19 +mx +com.mx +org.mx +gob.mx +edu.mx +net.mx + +// my : http://www.mynic.net.my/ +my +com.my +net.my +org.my +gov.my +edu.my +mil.my +name.my + +// mz : http://www.gobin.info/domainname/mz-template.doc +*.mz +!teledata.mz + +// na : http://www.na-nic.com.na/ +// http://www.info.na/domain/ +na +info.na +pro.na +name.na +school.na +or.na +dr.na +us.na +mx.na +ca.na +in.na +cc.na +tv.na +ws.na +mobi.na +co.na +com.na +org.na + +// name : has 2nd-level tlds, but there's no list of them +name + +// nc : http://www.cctld.nc/ +nc +asso.nc + +// ne : http://en.wikipedia.org/wiki/.ne +ne + +// net : http://en.wikipedia.org/wiki/.net +net + +// nf : http://en.wikipedia.org/wiki/.nf +nf +com.nf +net.nf +per.nf +rec.nf +web.nf +arts.nf +firm.nf +info.nf +other.nf +store.nf + +// ng : http://psg.com/dns/ng/ +ng +com.ng +edu.ng +name.ng +net.ng +org.ng +sch.ng +gov.ng +mil.ng +mobi.ng + +// ni : http://www.nic.ni/dominios.htm +*.ni + +// nl : http://www.domain-registry.nl/ace.php/c,728,122,,,,Home.html +// Confirmed by registry (with technical +// reservations) 2008-06-08 +nl + +// BV.nl will be a registry for dutch BV's (besloten vennootschap) +bv.nl + +// no : http://www.norid.no/regelverk/index.en.html +// The Norwegian registry has declined to notify us of updates. The web pages +// referenced below are the official source of the data. 
There is also an +// announce mailing list: +// https://postlister.uninett.no/sympa/info/norid-diskusjon +no +// Norid generic domains : http://www.norid.no/regelverk/vedlegg-c.en.html +fhs.no +vgs.no +fylkesbibl.no +folkebibl.no +museum.no +idrett.no +priv.no +// Non-Norid generic domains : http://www.norid.no/regelverk/vedlegg-d.en.html +mil.no +stat.no +dep.no +kommune.no +herad.no +// no geographical names : http://www.norid.no/regelverk/vedlegg-b.en.html +// counties +aa.no +ah.no +bu.no +fm.no +hl.no +hm.no +jan-mayen.no +mr.no +nl.no +nt.no +of.no +ol.no +oslo.no +rl.no +sf.no +st.no +svalbard.no +tm.no +tr.no +va.no +vf.no +// primary and lower secondary schools per county +gs.aa.no +gs.ah.no +gs.bu.no +gs.fm.no +gs.hl.no +gs.hm.no +gs.jan-mayen.no +gs.mr.no +gs.nl.no +gs.nt.no +gs.of.no +gs.ol.no +gs.oslo.no +gs.rl.no +gs.sf.no +gs.st.no +gs.svalbard.no +gs.tm.no +gs.tr.no +gs.va.no +gs.vf.no +// cities +akrehamn.no +åkrehamn.no +algard.no +ålgård.no +arna.no +brumunddal.no +bryne.no +bronnoysund.no +brønnøysund.no +drobak.no +drøbak.no +egersund.no +fetsund.no +floro.no +florø.no +fredrikstad.no +hokksund.no +honefoss.no +hønefoss.no +jessheim.no +jorpeland.no +jørpeland.no +kirkenes.no +kopervik.no +krokstadelva.no +langevag.no +langevåg.no +leirvik.no +mjondalen.no +mjøndalen.no +mo-i-rana.no +mosjoen.no +mosjøen.no +nesoddtangen.no +orkanger.no +osoyro.no +osøyro.no +raholt.no +råholt.no +sandnessjoen.no +sandnessjøen.no +skedsmokorset.no +slattum.no +spjelkavik.no +stathelle.no +stavern.no +stjordalshalsen.no +stjørdalshalsen.no +tananger.no +tranby.no +vossevangen.no +// communities +afjord.no +åfjord.no +agdenes.no +al.no +ål.no +alesund.no +ålesund.no +alstahaug.no +alta.no +áltá.no +alaheadju.no +álaheadju.no +alvdal.no +amli.no +åmli.no +amot.no +åmot.no +andebu.no +andoy.no +andøy.no +andasuolo.no +ardal.no +årdal.no +aremark.no +arendal.no +ås.no +aseral.no +åseral.no +asker.no +askim.no +askvoll.no +askoy.no +askøy.no +asnes.no +åsnes.no 
+audnedaln.no +aukra.no +aure.no +aurland.no +aurskog-holand.no +aurskog-høland.no +austevoll.no +austrheim.no +averoy.no +averøy.no +balestrand.no +ballangen.no +balat.no +bálát.no +balsfjord.no +bahccavuotna.no +báhccavuotna.no +bamble.no +bardu.no +beardu.no +beiarn.no +bajddar.no +bájddar.no +baidar.no +báidár.no +berg.no +bergen.no +berlevag.no +berlevåg.no +bearalvahki.no +bearalváhki.no +bindal.no +birkenes.no +bjarkoy.no +bjarkøy.no +bjerkreim.no +bjugn.no +bodo.no +bodø.no +badaddja.no +bådåddjå.no +budejju.no +bokn.no +bremanger.no +bronnoy.no +brønnøy.no +bygland.no +bykle.no +barum.no +bærum.no +bo.telemark.no +bø.telemark.no +bo.nordland.no +bø.nordland.no +bievat.no +bievát.no +bomlo.no +bømlo.no +batsfjord.no +båtsfjord.no +bahcavuotna.no +báhcavuotna.no +dovre.no +drammen.no +drangedal.no +dyroy.no +dyrøy.no +donna.no +dønna.no +eid.no +eidfjord.no +eidsberg.no +eidskog.no +eidsvoll.no +eigersund.no +elverum.no +enebakk.no +engerdal.no +etne.no +etnedal.no +evenes.no +evenassi.no +evenášši.no +evje-og-hornnes.no +farsund.no +fauske.no +fuossko.no +fuoisku.no +fedje.no +fet.no +finnoy.no +finnøy.no +fitjar.no +fjaler.no +fjell.no +flakstad.no +flatanger.no +flekkefjord.no +flesberg.no +flora.no +fla.no +flå.no +folldal.no +forsand.no +fosnes.no +frei.no +frogn.no +froland.no +frosta.no +frana.no +fræna.no +froya.no +frøya.no +fusa.no +fyresdal.no +forde.no +førde.no +gamvik.no +gangaviika.no +gáŋgaviika.no +gaular.no +gausdal.no +gildeskal.no +gildeskål.no +giske.no +gjemnes.no +gjerdrum.no +gjerstad.no +gjesdal.no +gjovik.no +gjøvik.no +gloppen.no +gol.no +gran.no +grane.no +granvin.no +gratangen.no +grimstad.no +grong.no +kraanghke.no +kråanghke.no +grue.no +gulen.no +hadsel.no +halden.no +halsa.no +hamar.no +hamaroy.no +habmer.no +hábmer.no +hapmir.no +hápmir.no +hammerfest.no +hammarfeasta.no +hámmárfeasta.no +haram.no +hareid.no +harstad.no +hasvik.no +aknoluokta.no +ákŋoluokta.no +hattfjelldal.no +aarborte.no +haugesund.no +hemne.no +hemnes.no 
+hemsedal.no +heroy.more-og-romsdal.no +herøy.møre-og-romsdal.no +heroy.nordland.no +herøy.nordland.no +hitra.no +hjartdal.no +hjelmeland.no +hobol.no +hobøl.no +hof.no +hol.no +hole.no +holmestrand.no +holtalen.no +holtålen.no +hornindal.no +horten.no +hurdal.no +hurum.no +hvaler.no +hyllestad.no +hagebostad.no +hægebostad.no +hoyanger.no +høyanger.no +hoylandet.no +høylandet.no +ha.no +hå.no +ibestad.no +inderoy.no +inderøy.no +iveland.no +jevnaker.no +jondal.no +jolster.no +jølster.no +karasjok.no +karasjohka.no +kárášjohka.no +karlsoy.no +galsa.no +gálsá.no +karmoy.no +karmøy.no +kautokeino.no +guovdageaidnu.no +klepp.no +klabu.no +klæbu.no +kongsberg.no +kongsvinger.no +kragero.no +kragerø.no +kristiansand.no +kristiansund.no +krodsherad.no +krødsherad.no +kvalsund.no +rahkkeravju.no +ráhkkerávju.no +kvam.no +kvinesdal.no +kvinnherad.no +kviteseid.no +kvitsoy.no +kvitsøy.no +kvafjord.no +kvæfjord.no +giehtavuoatna.no +kvanangen.no +kvænangen.no +navuotna.no +návuotna.no +kafjord.no +kåfjord.no +gaivuotna.no +gáivuotna.no +larvik.no +lavangen.no +lavagis.no +loabat.no +loabát.no +lebesby.no +davvesiida.no +leikanger.no +leirfjord.no +leka.no +leksvik.no +lenvik.no +leangaviika.no +leaŋgaviika.no +lesja.no +levanger.no +lier.no +lierne.no +lillehammer.no +lillesand.no +lindesnes.no +lindas.no +lindås.no +lom.no +loppa.no +lahppi.no +láhppi.no +lund.no +lunner.no +luroy.no +lurøy.no +luster.no +lyngdal.no +lyngen.no +ivgu.no +lardal.no +lerdal.no +lærdal.no +lodingen.no +lødingen.no +lorenskog.no +lørenskog.no +loten.no +løten.no +malvik.no +masoy.no +måsøy.no +muosat.no +muosát.no +mandal.no +marker.no +marnardal.no +masfjorden.no +meland.no +meldal.no +melhus.no +meloy.no +meløy.no +meraker.no +meråker.no +moareke.no +moåreke.no +midsund.no +midtre-gauldal.no +modalen.no +modum.no +molde.no +moskenes.no +moss.no +mosvik.no +malselv.no +målselv.no +malatvuopmi.no +málatvuopmi.no +namdalseid.no +aejrie.no +namsos.no +namsskogan.no +naamesjevuemie.no 
+nååmesjevuemie.no +laakesvuemie.no +nannestad.no +narvik.no +narviika.no +naustdal.no +nedre-eiker.no +nes.akershus.no +nes.buskerud.no +nesna.no +nesodden.no +nesseby.no +unjarga.no +unjárga.no +nesset.no +nissedal.no +nittedal.no +nord-aurdal.no +nord-fron.no +nord-odal.no +norddal.no +nordkapp.no +davvenjarga.no +davvenjárga.no +nordre-land.no +nordreisa.no +raisa.no +ráisa.no +nore-og-uvdal.no +notodden.no +naroy.no +nærøy.no +notteroy.no +nøtterøy.no +odda.no +oksnes.no +øksnes.no +oppdal.no +oppegard.no +oppegård.no +orkdal.no +orland.no +ørland.no +orskog.no +ørskog.no +orsta.no +ørsta.no +os.hedmark.no +os.hordaland.no +osen.no +osteroy.no +osterøy.no +ostre-toten.no +østre-toten.no +overhalla.no +ovre-eiker.no +øvre-eiker.no +oyer.no +øyer.no +oygarden.no +øygarden.no +oystre-slidre.no +øystre-slidre.no +porsanger.no +porsangu.no +porsáŋgu.no +porsgrunn.no +radoy.no +radøy.no +rakkestad.no +rana.no +ruovat.no +randaberg.no +rauma.no +rendalen.no +rennebu.no +rennesoy.no +rennesøy.no +rindal.no +ringebu.no +ringerike.no +ringsaker.no +rissa.no +risor.no +risør.no +roan.no +rollag.no +rygge.no +ralingen.no +rælingen.no +rodoy.no +rødøy.no +romskog.no +rømskog.no +roros.no +røros.no +rost.no +røst.no +royken.no +røyken.no +royrvik.no +røyrvik.no +rade.no +råde.no +salangen.no +siellak.no +saltdal.no +salat.no +sálát.no +sálat.no +samnanger.no +sande.more-og-romsdal.no +sande.møre-og-romsdal.no +sande.vestfold.no +sandefjord.no +sandnes.no +sandoy.no +sandøy.no +sarpsborg.no +sauda.no +sauherad.no +sel.no +selbu.no +selje.no +seljord.no +sigdal.no +siljan.no +sirdal.no +skaun.no +skedsmo.no +ski.no +skien.no +skiptvet.no +skjervoy.no +skjervøy.no +skierva.no +skiervá.no +skjak.no +skjåk.no +skodje.no +skanland.no +skånland.no +skanit.no +skánit.no +smola.no +smøla.no +snillfjord.no +snasa.no +snåsa.no +snoasa.no +snaase.no +snåase.no +sogndal.no +sokndal.no +sola.no +solund.no +songdalen.no +sortland.no +spydeberg.no +stange.no +stavanger.no +steigen.no 
+steinkjer.no +stjordal.no +stjørdal.no +stokke.no +stor-elvdal.no +stord.no +stordal.no +storfjord.no +omasvuotna.no +strand.no +stranda.no +stryn.no +sula.no +suldal.no +sund.no +sunndal.no +surnadal.no +sveio.no +svelvik.no +sykkylven.no +sogne.no +søgne.no +somna.no +sømna.no +sondre-land.no +søndre-land.no +sor-aurdal.no +sør-aurdal.no +sor-fron.no +sør-fron.no +sor-odal.no +sør-odal.no +sor-varanger.no +sør-varanger.no +matta-varjjat.no +mátta-várjjat.no +sorfold.no +sørfold.no +sorreisa.no +sørreisa.no +sorum.no +sørum.no +tana.no +deatnu.no +time.no +tingvoll.no +tinn.no +tjeldsund.no +dielddanuorri.no +tjome.no +tjøme.no +tokke.no +tolga.no +torsken.no +tranoy.no +tranøy.no +tromso.no +tromsø.no +tromsa.no +romsa.no +trondheim.no +troandin.no +trysil.no +trana.no +træna.no +trogstad.no +trøgstad.no +tvedestrand.no +tydal.no +tynset.no +tysfjord.no +divtasvuodna.no +divttasvuotna.no +tysnes.no +tysvar.no +tysvær.no +tonsberg.no +tønsberg.no +ullensaker.no +ullensvang.no +ulvik.no +utsira.no +vadso.no +vadsø.no +cahcesuolo.no +čáhcesuolo.no +vaksdal.no +valle.no +vang.no +vanylven.no +vardo.no +vardø.no +varggat.no +várggát.no +vefsn.no +vaapste.no +vega.no +vegarshei.no +vegårshei.no +vennesla.no +verdal.no +verran.no +vestby.no +vestnes.no +vestre-slidre.no +vestre-toten.no +vestvagoy.no +vestvågøy.no +vevelstad.no +vik.no +vikna.no +vindafjord.no +volda.no +voss.no +varoy.no +værøy.no +vagan.no +vågan.no +voagat.no +vagsoy.no +vågsøy.no +vaga.no +vågå.no +valer.ostfold.no +våler.østfold.no +valer.hedmark.no +våler.hedmark.no + +// np : http://www.mos.com.np/register.html +*.np + +// nr : http://cenpac.net.nr/dns/index.html +// Confirmed by registry 2008-06-17 +nr +biz.nr +info.nr +gov.nr +edu.nr +org.nr +net.nr +com.nr + +// nu : http://en.wikipedia.org/wiki/.nu +nu + +// nz : http://en.wikipedia.org/wiki/.nz +// Confirmed by registry 2014-05-19 +nz +ac.nz +co.nz +cri.nz +geek.nz +gen.nz +govt.nz +health.nz +iwi.nz +kiwi.nz +maori.nz +mil.nz +māori.nz 
+net.nz +org.nz +parliament.nz +school.nz + +// om : http://en.wikipedia.org/wiki/.om +om +co.om +com.om +edu.om +gov.om +med.om +museum.om +net.om +org.om +pro.om + +// org : http://en.wikipedia.org/wiki/.org +org + +// pa : http://www.nic.pa/ +// Some additional second level "domains" resolve directly as hostnames, such as +// pannet.pa, so we add a rule for "pa". +pa +ac.pa +gob.pa +com.pa +org.pa +sld.pa +edu.pa +net.pa +ing.pa +abo.pa +med.pa +nom.pa + +// pe : https://www.nic.pe/InformeFinalComision.pdf +pe +edu.pe +gob.pe +nom.pe +mil.pe +org.pe +com.pe +net.pe + +// pf : http://www.gobin.info/domainname/formulaire-pf.pdf +pf +com.pf +org.pf +edu.pf + +// pg : http://en.wikipedia.org/wiki/.pg +*.pg + +// ph : http://www.domains.ph/FAQ2.asp +// Submitted by registry 2008-06-13 +ph +com.ph +net.ph +org.ph +gov.ph +edu.ph +ngo.ph +mil.ph +i.ph + +// pk : http://pk5.pknic.net.pk/pk5/msgNamepk.PK +pk +com.pk +net.pk +edu.pk +org.pk +fam.pk +biz.pk +web.pk +gov.pk +gob.pk +gok.pk +gon.pk +gop.pk +gos.pk +info.pk + +// pl http://www.dns.pl/english/index.html +// confirmed on 26.09.2014 from Bogna Tchórzewska +pl +com.pl +net.pl +org.pl +info.pl +waw.pl +gov.pl +// pl functional domains (http://www.dns.pl/english/index.html) +aid.pl +agro.pl +atm.pl +auto.pl +biz.pl +edu.pl +gmina.pl +gsm.pl +mail.pl +miasta.pl +media.pl +mil.pl +nieruchomosci.pl +nom.pl +pc.pl +powiat.pl +priv.pl +realestate.pl +rel.pl +sex.pl +shop.pl +sklep.pl +sos.pl +szkola.pl +targi.pl +tm.pl +tourism.pl +travel.pl +turystyka.pl +// Government domains (administred by ippt.gov.pl) +uw.gov.pl +um.gov.pl +ug.gov.pl +upow.gov.pl +starostwo.gov.pl +so.gov.pl +sr.gov.pl +po.gov.pl +pa.gov.pl +// pl regional domains (http://www.dns.pl/english/index.html) +augustow.pl +babia-gora.pl +bedzin.pl +beskidy.pl +bialowieza.pl +bialystok.pl +bielawa.pl +bieszczady.pl +boleslawiec.pl +bydgoszcz.pl +bytom.pl +cieszyn.pl +czeladz.pl +czest.pl +dlugoleka.pl +elblag.pl +elk.pl +glogow.pl +gniezno.pl +gorlice.pl 
+grajewo.pl +ilawa.pl +jaworzno.pl +jelenia-gora.pl +jgora.pl +kalisz.pl +kazimierz-dolny.pl +karpacz.pl +kartuzy.pl +kaszuby.pl +katowice.pl +kepno.pl +ketrzyn.pl +klodzko.pl +kobierzyce.pl +kolobrzeg.pl +konin.pl +konskowola.pl +kutno.pl +lapy.pl +lebork.pl +legnica.pl +lezajsk.pl +limanowa.pl +lomza.pl +lowicz.pl +lubin.pl +lukow.pl +malbork.pl +malopolska.pl +mazowsze.pl +mazury.pl +mielec.pl +mielno.pl +mragowo.pl +naklo.pl +nowaruda.pl +nysa.pl +olawa.pl +olecko.pl +olkusz.pl +olsztyn.pl +opoczno.pl +opole.pl +ostroda.pl +ostroleka.pl +ostrowiec.pl +ostrowwlkp.pl +pila.pl +pisz.pl +podhale.pl +podlasie.pl +polkowice.pl +pomorze.pl +pomorskie.pl +prochowice.pl +pruszkow.pl +przeworsk.pl +pulawy.pl +radom.pl +rawa-maz.pl +rybnik.pl +rzeszow.pl +sanok.pl +sejny.pl +slask.pl +slupsk.pl +sosnowiec.pl +stalowa-wola.pl +skoczow.pl +starachowice.pl +stargard.pl +suwalki.pl +swidnica.pl +swiebodzin.pl +swinoujscie.pl +szczecin.pl +szczytno.pl +tarnobrzeg.pl +tgory.pl +turek.pl +tychy.pl +ustka.pl +walbrzych.pl +warmia.pl +warszawa.pl +wegrow.pl +wielun.pl +wlocl.pl +wloclawek.pl +wodzislaw.pl +wolomin.pl +wroclaw.pl +zachpomor.pl +zagan.pl +zarow.pl +zgora.pl +zgorzelec.pl + +// pm : http://www.afnic.fr/medias/documents/AFNIC-naming-policy2012.pdf +pm + +// pn : http://www.government.pn/PnRegistry/policies.htm +pn +gov.pn +co.pn +org.pn +edu.pn +net.pn + +// post : http://en.wikipedia.org/wiki/.post +post + +// pr : http://www.nic.pr/index.asp?f=1 +pr +com.pr +net.pr +org.pr +gov.pr +edu.pr +isla.pr +pro.pr +biz.pr +info.pr +name.pr +// these aren't mentioned on nic.pr, but on http://en.wikipedia.org/wiki/.pr +est.pr +prof.pr +ac.pr + +// pro : http://www.nic.pro/support_faq.htm +pro +aca.pro +bar.pro +cpa.pro +jur.pro +law.pro +med.pro +eng.pro + +// ps : http://en.wikipedia.org/wiki/.ps +// http://www.nic.ps/registration/policy.html#reg +ps +edu.ps +gov.ps +sec.ps +plo.ps +com.ps +org.ps +net.ps + +// pt : http://online.dns.pt/dns/start_dns +pt +net.pt +gov.pt 
+org.pt +edu.pt +int.pt +publ.pt +com.pt +nome.pt + +// pw : http://en.wikipedia.org/wiki/.pw +pw +co.pw +ne.pw +or.pw +ed.pw +go.pw +belau.pw + +// py : http://www.nic.py/pautas.html#seccion_9 +// Confirmed by registry 2012-10-03 +py +com.py +coop.py +edu.py +gov.py +mil.py +net.py +org.py + +// qa : http://domains.qa/en/ +qa +com.qa +edu.qa +gov.qa +mil.qa +name.qa +net.qa +org.qa +sch.qa + +// re : http://www.afnic.re/obtenir/chartes/nommage-re/annexe-descriptifs +re +com.re +asso.re +nom.re + +// ro : http://www.rotld.ro/ +ro +com.ro +org.ro +tm.ro +nt.ro +nom.ro +info.ro +rec.ro +arts.ro +firm.ro +store.ro +www.ro + +// rs : http://en.wikipedia.org/wiki/.rs +rs +co.rs +org.rs +edu.rs +ac.rs +gov.rs +in.rs + +// ru : http://www.cctld.ru/ru/docs/aktiv_8.php +// Industry domains +ru +ac.ru +com.ru +edu.ru +int.ru +net.ru +org.ru +pp.ru +// Geographical domains +adygeya.ru +altai.ru +amur.ru +arkhangelsk.ru +astrakhan.ru +bashkiria.ru +belgorod.ru +bir.ru +bryansk.ru +buryatia.ru +cbg.ru +chel.ru +chelyabinsk.ru +chita.ru +chukotka.ru +chuvashia.ru +dagestan.ru +dudinka.ru +e-burg.ru +grozny.ru +irkutsk.ru +ivanovo.ru +izhevsk.ru +jar.ru +joshkar-ola.ru +kalmykia.ru +kaluga.ru +kamchatka.ru +karelia.ru +kazan.ru +kchr.ru +kemerovo.ru +khabarovsk.ru +khakassia.ru +khv.ru +kirov.ru +koenig.ru +komi.ru +kostroma.ru +krasnoyarsk.ru +kuban.ru +kurgan.ru +kursk.ru +lipetsk.ru +magadan.ru +mari.ru +mari-el.ru +marine.ru +mordovia.ru +// mosreg.ru Bug 1090800 - removed at request of Aleksey Konstantinov +msk.ru +murmansk.ru +nalchik.ru +nnov.ru +nov.ru +novosibirsk.ru +nsk.ru +omsk.ru +orenburg.ru +oryol.ru +palana.ru +penza.ru +perm.ru +ptz.ru +rnd.ru +ryazan.ru +sakhalin.ru +samara.ru +saratov.ru +simbirsk.ru +smolensk.ru +spb.ru +stavropol.ru +stv.ru +surgut.ru +tambov.ru +tatarstan.ru +tom.ru +tomsk.ru +tsaritsyn.ru +tsk.ru +tula.ru +tuva.ru +tver.ru +tyumen.ru +udm.ru +udmurtia.ru +ulan-ude.ru +vladikavkaz.ru +vladimir.ru +vladivostok.ru +volgograd.ru +vologda.ru 
+voronezh.ru +vrn.ru +vyatka.ru +yakutia.ru +yamal.ru +yaroslavl.ru +yekaterinburg.ru +yuzhno-sakhalinsk.ru +// More geographical domains +amursk.ru +baikal.ru +cmw.ru +fareast.ru +jamal.ru +kms.ru +k-uralsk.ru +kustanai.ru +kuzbass.ru +magnitka.ru +mytis.ru +nakhodka.ru +nkz.ru +norilsk.ru +oskol.ru +pyatigorsk.ru +rubtsovsk.ru +snz.ru +syzran.ru +vdonsk.ru +zgrad.ru +// State domains +gov.ru +mil.ru +// Technical domains +test.ru + +// rw : http://www.nic.rw/cgi-bin/policy.pl +rw +gov.rw +net.rw +edu.rw +ac.rw +com.rw +co.rw +int.rw +mil.rw +gouv.rw + +// sa : http://www.nic.net.sa/ +sa +com.sa +net.sa +org.sa +gov.sa +med.sa +pub.sa +edu.sa +sch.sa + +// sb : http://www.sbnic.net.sb/ +// Submitted by registry 2008-06-08 +sb +com.sb +edu.sb +gov.sb +net.sb +org.sb + +// sc : http://www.nic.sc/ +sc +com.sc +gov.sc +net.sc +org.sc +edu.sc + +// sd : http://www.isoc.sd/sudanic.isoc.sd/billing_pricing.htm +// Submitted by registry 2008-06-17 +sd +com.sd +net.sd +org.sd +edu.sd +med.sd +tv.sd +gov.sd +info.sd + +// se : http://en.wikipedia.org/wiki/.se +// Submitted by registry 2014-03-18 +se +a.se +ac.se +b.se +bd.se +brand.se +c.se +d.se +e.se +f.se +fh.se +fhsk.se +fhv.se +g.se +h.se +i.se +k.se +komforb.se +kommunalforbund.se +komvux.se +l.se +lanbib.se +m.se +n.se +naturbruksgymn.se +o.se +org.se +p.se +parti.se +pp.se +press.se +r.se +s.se +t.se +tm.se +u.se +w.se +x.se +y.se +z.se + +// sg : http://www.nic.net.sg/page/registration-policies-procedures-and-guidelines +sg +com.sg +net.sg +org.sg +gov.sg +edu.sg +per.sg + +// sh : http://www.nic.sh/registrar.html +sh +com.sh +net.sh +gov.sh +org.sh +mil.sh + +// si : http://en.wikipedia.org/wiki/.si +si + +// sj : No registrations at this time. +// Submitted by registry 2008-06-16 +sj + +// sk : http://en.wikipedia.org/wiki/.sk +// list of 2nd level domains ? 
+sk + +// sl : http://www.nic.sl +// Submitted by registry 2008-06-12 +sl +com.sl +net.sl +edu.sl +gov.sl +org.sl + +// sm : http://en.wikipedia.org/wiki/.sm +sm + +// sn : http://en.wikipedia.org/wiki/.sn +sn +art.sn +com.sn +edu.sn +gouv.sn +org.sn +perso.sn +univ.sn + +// so : http://www.soregistry.com/ +so +com.so +net.so +org.so + +// sr : http://en.wikipedia.org/wiki/.sr +sr + +// st : http://www.nic.st/html/policyrules/ +st +co.st +com.st +consulado.st +edu.st +embaixada.st +gov.st +mil.st +net.st +org.st +principe.st +saotome.st +store.st + +// su : http://en.wikipedia.org/wiki/.su +su + +// sv : http://www.svnet.org.sv/niveldos.pdf +sv +com.sv +edu.sv +gob.sv +org.sv +red.sv + +// sx : http://en.wikipedia.org/wiki/.sx +// Confirmed by registry 2012-05-31 +sx +gov.sx + +// sy : http://en.wikipedia.org/wiki/.sy +// see also: http://www.gobin.info/domainname/sy.doc +sy +edu.sy +gov.sy +net.sy +mil.sy +com.sy +org.sy + +// sz : http://en.wikipedia.org/wiki/.sz +// http://www.sispa.org.sz/ +sz +co.sz +ac.sz +org.sz + +// tc : http://en.wikipedia.org/wiki/.tc +tc + +// td : http://en.wikipedia.org/wiki/.td +td + +// tel: http://en.wikipedia.org/wiki/.tel +// http://www.telnic.org/ +tel + +// tf : http://en.wikipedia.org/wiki/.tf +tf + +// tg : http://en.wikipedia.org/wiki/.tg +// http://www.nic.tg/ +tg + +// th : http://en.wikipedia.org/wiki/.th +// Submitted by registry 2008-06-17 +th +ac.th +co.th +go.th +in.th +mi.th +net.th +or.th + +// tj : http://www.nic.tj/policy.html +tj +ac.tj +biz.tj +co.tj +com.tj +edu.tj +go.tj +gov.tj +int.tj +mil.tj +name.tj +net.tj +nic.tj +org.tj +test.tj +web.tj + +// tk : http://en.wikipedia.org/wiki/.tk +tk + +// tl : http://en.wikipedia.org/wiki/.tl +tl +gov.tl + +// tm : http://www.nic.tm/local.html +tm +com.tm +co.tm +org.tm +net.tm +nom.tm +gov.tm +mil.tm +edu.tm + +// tn : http://en.wikipedia.org/wiki/.tn +// http://whois.ati.tn/ +tn +com.tn +ens.tn +fin.tn +gov.tn +ind.tn +intl.tn +nat.tn +net.tn +org.tn +info.tn 
+perso.tn +tourism.tn +edunet.tn +rnrt.tn +rns.tn +rnu.tn +mincom.tn +agrinet.tn +defense.tn +turen.tn + +// to : http://en.wikipedia.org/wiki/.to +// Submitted by registry 2008-06-17 +to +com.to +gov.to +net.to +org.to +edu.to +mil.to + +// tp : No registrations at this time. +// Submitted by Ryan Sleevi 2014-01-03 +tp + +// subTLDs: https://www.nic.tr/forms/eng/policies.pdf +// and: https://www.nic.tr/forms/politikalar.pdf +// Submitted by 2014-07-19 +tr +com.tr +info.tr +biz.tr +net.tr +org.tr +web.tr +gen.tr +tv.tr +av.tr +dr.tr +bbs.tr +name.tr +tel.tr +gov.tr +bel.tr +pol.tr +mil.tr +k12.tr +edu.tr +kep.tr + +// Used by Northern Cyprus +nc.tr + +// Used by government agencies of Northern Cyprus +gov.nc.tr + +// travel : http://en.wikipedia.org/wiki/.travel +travel + +// tt : http://www.nic.tt/ +tt +co.tt +com.tt +org.tt +net.tt +biz.tt +info.tt +pro.tt +int.tt +coop.tt +jobs.tt +mobi.tt +travel.tt +museum.tt +aero.tt +name.tt +gov.tt +edu.tt + +// tv : http://en.wikipedia.org/wiki/.tv +// Not listing any 2LDs as reserved since none seem to exist in practice, +// Wikipedia notwithstanding. 
+tv + +// tw : http://en.wikipedia.org/wiki/.tw +tw +edu.tw +gov.tw +mil.tw +com.tw +net.tw +org.tw +idv.tw +game.tw +ebiz.tw +club.tw +網路.tw +組織.tw +商業.tw + +// tz : http://www.tznic.or.tz/index.php/domains +// Confirmed by registry 2013-01-22 +tz +ac.tz +co.tz +go.tz +hotel.tz +info.tz +me.tz +mil.tz +mobi.tz +ne.tz +or.tz +sc.tz +tv.tz + +// ua : https://hostmaster.ua/policy/?ua +// Submitted by registry 2012-04-27 +ua +// ua 2LD +com.ua +edu.ua +gov.ua +in.ua +net.ua +org.ua +// ua geographic names +// https://hostmaster.ua/2ld/ +cherkassy.ua +cherkasy.ua +chernigov.ua +chernihiv.ua +chernivtsi.ua +chernovtsy.ua +ck.ua +cn.ua +cr.ua +crimea.ua +cv.ua +dn.ua +dnepropetrovsk.ua +dnipropetrovsk.ua +dominic.ua +donetsk.ua +dp.ua +if.ua +ivano-frankivsk.ua +kh.ua +kharkiv.ua +kharkov.ua +kherson.ua +khmelnitskiy.ua +khmelnytskyi.ua +kiev.ua +kirovograd.ua +km.ua +kr.ua +krym.ua +ks.ua +kv.ua +kyiv.ua +lg.ua +lt.ua +lugansk.ua +lutsk.ua +lv.ua +lviv.ua +mk.ua +mykolaiv.ua +nikolaev.ua +od.ua +odesa.ua +odessa.ua +pl.ua +poltava.ua +rivne.ua +rovno.ua +rv.ua +sb.ua +sebastopol.ua +sevastopol.ua +sm.ua +sumy.ua +te.ua +ternopil.ua +uz.ua +uzhgorod.ua +vinnica.ua +vinnytsia.ua +vn.ua +volyn.ua +yalta.ua +zaporizhzhe.ua +zaporizhzhia.ua +zhitomir.ua +zhytomyr.ua +zp.ua +zt.ua + +// Private registries in .ua +co.ua +pp.ua + +// ug : https://www.registry.co.ug/ +ug +co.ug +or.ug +ac.ug +sc.ug +go.ug +ne.ug +com.ug +org.ug + +// uk : http://en.wikipedia.org/wiki/.uk +// Submitted by registry +uk +ac.uk +co.uk +gov.uk +ltd.uk +me.uk +net.uk +nhs.uk +org.uk +plc.uk +police.uk +*.sch.uk + +// us : http://en.wikipedia.org/wiki/.us +us +dni.us +fed.us +isa.us +kids.us +nsn.us +// us geographic names +ak.us +al.us +ar.us +as.us +az.us +ca.us +co.us +ct.us +dc.us +de.us +fl.us +ga.us +gu.us +hi.us +ia.us +id.us +il.us +in.us +ks.us +ky.us +la.us +ma.us +md.us +me.us +mi.us +mn.us +mo.us +ms.us +mt.us +nc.us +nd.us +ne.us +nh.us +nj.us +nm.us +nv.us +ny.us +oh.us +ok.us +or.us 
+pa.us +pr.us +ri.us +sc.us +sd.us +tn.us +tx.us +ut.us +vi.us +vt.us +va.us +wa.us +wi.us +wv.us +wy.us +// The registrar notes several more specific domains available in each state, +// such as state.*.us, dst.*.us, etc., but resolution of these is somewhat +// haphazard; in some states these domains resolve as addresses, while in others +// only subdomains are available, or even nothing at all. We include the +// most common ones where it's clear that different sites are different +// entities. +k12.ak.us +k12.al.us +k12.ar.us +k12.as.us +k12.az.us +k12.ca.us +k12.co.us +k12.ct.us +k12.dc.us +k12.de.us +k12.fl.us +k12.ga.us +k12.gu.us +// k12.hi.us Bug 614565 - Hawaii has a state-wide DOE login +k12.ia.us +k12.id.us +k12.il.us +k12.in.us +k12.ks.us +k12.ky.us +k12.la.us +k12.ma.us +k12.md.us +k12.me.us +k12.mi.us +k12.mn.us +k12.mo.us +k12.ms.us +k12.mt.us +k12.nc.us +// k12.nd.us Bug 1028347 - Removed at request of Travis Rosso +k12.ne.us +k12.nh.us +k12.nj.us +k12.nm.us +k12.nv.us +k12.ny.us +k12.oh.us +k12.ok.us +k12.or.us +k12.pa.us +k12.pr.us +k12.ri.us +k12.sc.us +// k12.sd.us Bug 934131 - Removed at request of James Booze +k12.tn.us +k12.tx.us +k12.ut.us +k12.vi.us +k12.vt.us +k12.va.us +k12.wa.us +k12.wi.us +// k12.wv.us Bug 947705 - Removed at request of Verne Britton +k12.wy.us +cc.ak.us +cc.al.us +cc.ar.us +cc.as.us +cc.az.us +cc.ca.us +cc.co.us +cc.ct.us +cc.dc.us +cc.de.us +cc.fl.us +cc.ga.us +cc.gu.us +cc.hi.us +cc.ia.us +cc.id.us +cc.il.us +cc.in.us +cc.ks.us +cc.ky.us +cc.la.us +cc.ma.us +cc.md.us +cc.me.us +cc.mi.us +cc.mn.us +cc.mo.us +cc.ms.us +cc.mt.us +cc.nc.us +cc.nd.us +cc.ne.us +cc.nh.us +cc.nj.us +cc.nm.us +cc.nv.us +cc.ny.us +cc.oh.us +cc.ok.us +cc.or.us +cc.pa.us +cc.pr.us +cc.ri.us +cc.sc.us +cc.sd.us +cc.tn.us +cc.tx.us +cc.ut.us +cc.vi.us +cc.vt.us +cc.va.us +cc.wa.us +cc.wi.us +cc.wv.us +cc.wy.us +lib.ak.us +lib.al.us +lib.ar.us +lib.as.us +lib.az.us +lib.ca.us +lib.co.us +lib.ct.us +lib.dc.us +lib.de.us +lib.fl.us +lib.ga.us 
+lib.gu.us +lib.hi.us +lib.ia.us +lib.id.us +lib.il.us +lib.in.us +lib.ks.us +lib.ky.us +lib.la.us +lib.ma.us +lib.md.us +lib.me.us +lib.mi.us +lib.mn.us +lib.mo.us +lib.ms.us +lib.mt.us +lib.nc.us +lib.nd.us +lib.ne.us +lib.nh.us +lib.nj.us +lib.nm.us +lib.nv.us +lib.ny.us +lib.oh.us +lib.ok.us +lib.or.us +lib.pa.us +lib.pr.us +lib.ri.us +lib.sc.us +lib.sd.us +lib.tn.us +lib.tx.us +lib.ut.us +lib.vi.us +lib.vt.us +lib.va.us +lib.wa.us +lib.wi.us +// lib.wv.us Bug 941670 - Removed at request of Larry W Arnold +lib.wy.us +// k12.ma.us contains school districts in Massachusetts. The 4LDs are +// managed indepedently except for private (PVT), charter (CHTR) and +// parochial (PAROCH) schools. Those are delegated dorectly to the +// 5LD operators. +pvt.k12.ma.us +chtr.k12.ma.us +paroch.k12.ma.us + +// uy : http://www.nic.org.uy/ +uy +com.uy +edu.uy +gub.uy +mil.uy +net.uy +org.uy + +// uz : http://www.reg.uz/ +uz +co.uz +com.uz +net.uz +org.uz + +// va : http://en.wikipedia.org/wiki/.va +va + +// vc : http://en.wikipedia.org/wiki/.vc +// Submitted by registry 2008-06-13 +vc +com.vc +net.vc +org.vc +gov.vc +mil.vc +edu.vc + +// ve : https://registro.nic.ve/ +// Confirmed by registry 2012-10-04 +// Updated 2014-05-20 - Bug 940478 +ve +arts.ve +co.ve +com.ve +e12.ve +edu.ve +firm.ve +gob.ve +gov.ve +info.ve +int.ve +mil.ve +net.ve +org.ve +rec.ve +store.ve +tec.ve +web.ve + +// vg : http://en.wikipedia.org/wiki/.vg +vg + +// vi : http://www.nic.vi/newdomainform.htm +// http://www.nic.vi/Domain_Rules/body_domain_rules.html indicates some other +// TLDs are "reserved", such as edu.vi and gov.vi, but doesn't actually say they +// are available for registration (which they do not seem to be). 
+vi +co.vi +com.vi +k12.vi +net.vi +org.vi + +// vn : https://www.dot.vn/vnnic/vnnic/domainregistration.jsp +vn +com.vn +net.vn +org.vn +edu.vn +gov.vn +int.vn +ac.vn +biz.vn +info.vn +name.vn +pro.vn +health.vn + +// vu : http://en.wikipedia.org/wiki/.vu +// http://www.vunic.vu/ +vu +com.vu +edu.vu +net.vu +org.vu + +// wf : http://www.afnic.fr/medias/documents/AFNIC-naming-policy2012.pdf +wf + +// ws : http://en.wikipedia.org/wiki/.ws +// http://samoanic.ws/index.dhtml +ws +com.ws +net.ws +org.ws +gov.ws +edu.ws + +// yt : http://www.afnic.fr/medias/documents/AFNIC-naming-policy2012.pdf +yt + +// IDN ccTLDs +// Please sort by ISO 3166 ccTLD, then punicode string +// when submitting patches and follow this format: +// ("" ) : +// [optional sponsoring org] +// + +// xn--mgbaam7a8h ("Emerat" Arabic) : AE +// http://nic.ae/english/arabicdomain/rules.jsp +امارات + +// xn--54b7fta0cc ("Bangla" Bangla) : BD +বাংলা + +// xn--fiqs8s ("China" Chinese-Han-Simplified <.Zhongguo>) : CN +// CNNIC +// http://cnnic.cn/html/Dir/2005/10/11/3218.htm +中国 + +// xn--fiqz9s ("China" Chinese-Han-Traditional <.Zhongguo>) : CN +// CNNIC +// http://cnnic.cn/html/Dir/2005/10/11/3218.htm +中國 + +// xn--lgbbat1ad8j ("Algeria / Al Jazair" Arabic) : DZ +الجزائر + +// xn--wgbh1c ("Egypt" Arabic .masr) : EG +// http://www.dotmasr.eg/ +مصر + +// xn--node ("ge" Georgian (Mkhedruli)) : GE +გე + +// xn--j6w193g ("Hong Kong" Chinese-Han) : HK +// https://www2.hkirc.hk/register/rules.jsp +香港 + +// xn--h2brj9c ("Bharat" Devanagari) : IN +// India +भारत + +// xn--mgbbh1a71e ("Bharat" Arabic) : IN +// India +بھارت + +// xn--fpcrj9c3d ("Bharat" Telugu) : IN +// India +భారత్ + +// xn--gecrj9c ("Bharat" Gujarati) : IN +// India +ભારત + +// xn--s9brj9c ("Bharat" Gurmukhi) : IN +// India +ਭਾਰਤ + +// xn--45brj9c ("Bharat" Bengali) : IN +// India +ভারত + +// xn--xkc2dl3a5ee0h ("India" Tamil) : IN +// India +இந்தியா + +// xn--mgba3a4f16a ("Iran" Persian) : IR +ایران + +// xn--mgba3a4fra ("Iran" Arabic) : IR +ايران 
+ +// xn--mgbayh7gpa ("al-Ordon" Arabic) : JO +// National Information Technology Center (NITC) +// Royal Scientific Society, Al-Jubeiha +الاردن + +// xn--3e0b707e ("Republic of Korea" Hangul) : KR +한국 + +// xn--80ao21a ("Kaz" Kazakh) : KZ +қаз + +// xn--fzc2c9e2c ("Lanka" Sinhalese-Sinhala) : LK +// http://nic.lk +ලංකා + +// xn--xkc2al3hye2a ("Ilangai" Tamil) : LK +// http://nic.lk +இலங்கை + +// xn--mgbc0a9azcg ("Morocco / al-Maghrib" Arabic) : MA +المغرب + +// xn--l1acc ("mon" Mongolian) : MN +мон + +// xn--mgbx4cd0ab ("Malaysia" Malay) : MY +مليسيا + +// xn--mgb9awbf ("Oman" Arabic) : OM +عمان + +// xn--ygbi2ammx ("Falasteen" Arabic) : PS +// The Palestinian National Internet Naming Authority (PNINA) +// http://www.pnina.ps +فلسطين + +// xn--90a3ac ("srb" Cyrillic) : RS +// http://www.rnids.rs/en/the-.срб-domain +срб +пр.срб +орг.срб +обр.срб +од.срб +упр.срб +ак.срб + +// xn--p1ai ("rf" Russian-Cyrillic) : RU +// http://www.cctld.ru/en/docs/rulesrf.php +рф + +// xn--wgbl6a ("Qatar" Arabic) : QA +// http://www.ict.gov.qa/ +قطر + +// xn--mgberp4a5d4ar ("AlSaudiah" Arabic) : SA +// http://www.nic.net.sa/ +السعودية + +// xn--mgberp4a5d4a87g ("AlSaudiah" Arabic) variant : SA +السعودیة + +// xn--mgbqly7c0a67fbc ("AlSaudiah" Arabic) variant : SA +السعودیۃ + +// xn--mgbqly7cvafr ("AlSaudiah" Arabic) variant : SA +السعوديه + +// xn--ogbpf8fl ("Syria" Arabic) : SY +سورية + +// xn--mgbtf8fl ("Syria" Arabic) variant : SY +سوريا + +// xn--yfro4i67o Singapore ("Singapore" Chinese-Han) : SG +新加坡 + +// xn--clchc0ea0b2g2a9gcd ("Singapore" Tamil) : SG +சிங்கப்பூர் + +// xn--o3cw4h ("Thai" Thai) : TH +// http://www.thnic.co.th +ไทย + +// xn--pgbs0dh ("Tunis") : TN +// http://nic.tn +تونس + +// xn--kpry57d ("Taiwan" Chinese-Han-Traditional) : TW +// http://www.twnic.net/english/dn/dn_07a.htm +台灣 + +// xn--kprw13d ("Taiwan" Chinese-Han-Simplified) : TW +// http://www.twnic.net/english/dn/dn_07a.htm +台湾 + +// xn--nnx388a ("Taiwan") variant : TW +臺灣 + +// xn--j1amh ("ukr" Cyrillic) : 
UA +укр + +// xn--mgb2ddes ("AlYemen" Arabic) : YE +اليمن + +// xxx : http://icmregistry.com +xxx + +// ye : http://www.y.net.ye/services/domain_name.htm +*.ye + +// za : http://www.zadna.org.za/slds.html +*.za + +// zm : http://en.wikipedia.org/wiki/.zm +*.zm + +// zw : http://en.wikipedia.org/wiki/.zw +*.zw + + +// List of new gTLDs imported from https://newgtlds.icann.org/newgtlds.csv on 2015-01-27T00:02:07Z + +// abb : 2014-10-24 ABB Ltd +abb + +// abbott : 2014-07-24 Abbott Laboratories, Inc. +abbott + +// abogado : 2014-04-24 Top Level Domain Holdings Limited +abogado + +// academy : 2013-11-07 Half Oaks, LLC +academy + +// accenture : 2014-08-15 Accenture plc +accenture + +// accountant : 2014-11-20 dot Accountant Limited +accountant + +// accountants : 2014-03-20 Knob Town, LLC +accountants + +// aco : 2015-01-08 ACO Severin Ahlmann GmbH & Co. KG +aco + +// active : 2014-05-01 The Active Network, Inc +active + +// actor : 2013-12-12 United TLD Holdco Ltd. +actor + +// ads : 2014-12-04 Charleston Road Registry Inc. +ads + +// adult : 2014-10-16 ICM Registry AD LLC +adult + +// afl : 2014-10-02 Australian Football League +afl + +// africa : 2014-03-24 ZA Central Registry NPC trading as Registry.Africa +africa + +// agency : 2013-11-14 Steel Falls, LLC +agency + +// aig : 2014-12-18 American International Group, Inc. +aig + +// airforce : 2014-03-06 United TLD Holdco Ltd. +airforce + +// airtel : 2014-10-24 Bharti Airtel Limited +airtel + +// alibaba : 2015-01-15 Alibaba Group Holding Limited +alibaba + +// alipay : 2015-01-15 Alibaba Group Holding Limited +alipay + +// allfinanz : 2014-07-03 Allfinanz Deutsche Vermögensberatung Aktiengesellschaft +allfinanz + +// alsace : 2014-07-02 REGION D ALSACE +alsace + +// amsterdam : 2014-07-24 Gemeente Amsterdam +amsterdam + +// analytics : 2014-12-18 Campus IP LLC +analytics + +// android : 2014-08-07 Charleston Road Registry Inc. +android + +// anquan : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD. 
+anquan + +// apartments : 2014-12-11 June Maple, LLC +apartments + +// aquarelle : 2014-07-24 Aquarelle.com +aquarelle + +// aramco : 2014-11-20 Aramco Services Company +aramco + +// archi : 2014-02-06 STARTING DOT LIMITED +archi + +// army : 2014-03-06 United TLD Holdco Ltd. +army + +// arte : 2014-12-11 Association Relative à la Télévision Européenne G.E.I.E. +arte + +// associates : 2014-03-06 Baxter Hill, LLC +associates + +// attorney : 2014-03-20 +attorney + +// auction : 2014-03-20 +auction + +// audio : 2014-03-20 Uniregistry, Corp. +audio + +// author : 2014-12-18 Amazon EU S.à r.l. +author + +// auto : 2014-11-13 Uniregistry, Corp. +auto + +// autos : 2014-01-09 DERAutos, LLC +autos + +// avianca : 2015-01-08 Aerovias del Continente Americano S.A. Avianca +avianca + +// axa : 2013-12-19 AXA SA +axa + +// azure : 2014-12-18 Microsoft Corporation +azure + +// baidu : 2015-01-08 Baidu, Inc. +baidu + +// band : 2014-06-12 +band + +// bank : 2014-09-25 fTLD Registry Services LLC +bank + +// bar : 2013-12-12 Punto 2012 Sociedad Anonima Promotora de Inversion de Capital Variable +bar + +// barcelona : 2014-07-24 Municipi de Barcelona +barcelona + +// barclaycard : 2014-11-20 Barclays Bank PLC +barclaycard + +// barclays : 2014-11-20 Barclays Bank PLC +barclays + +// bargains : 2013-11-14 Half Hallow, LLC +bargains + +// bauhaus : 2014-04-17 Werkhaus GmbH +bauhaus + +// bayern : 2014-01-23 Bayern Connect GmbH +bayern + +// bbc : 2014-12-18 British Broadcasting Corporation +bbc + +// bbva : 2014-10-02 BANCO BILBAO VIZCAYA ARGENTARIA, S.A. +bbva + +// bcn : 2014-07-24 Municipi de Barcelona +bcn + +// beer : 2014-01-09 Top Level Domain Holdings Limited +beer + +// bentley : 2014-12-18 Bentley Motors Limited +bentley + +// berlin : 2013-10-31 dotBERLIN GmbH & Co. 
KG +berlin + +// best : 2013-12-19 BestTLD Pty Ltd +best + +// bharti : 2014-01-09 Bharti Enterprises (Holding) Private Limited +bharti + +// bible : 2014-06-19 American Bible Society +bible + +// bid : 2013-12-19 dot Bid Limited +bid + +// bike : 2013-08-27 Grand Hollow, LLC +bike + +// bing : 2014-12-18 Microsoft Corporation +bing + +// bingo : 2014-12-04 Sand Cedar, LLC +bingo + +// bio : 2014-03-06 STARTING DOT LIMITED +bio + +// black : 2014-01-16 Afilias Limited +black + +// blackfriday : 2014-01-16 Uniregistry, Corp. +blackfriday + +// bloomberg : 2014-07-17 Bloomberg IP Holdings LLC +bloomberg + +// blue : 2013-11-07 Afilias Limited +blue + +// bms : 2014-10-30 Bristol-Myers Squibb Company +bms + +// bmw : 2014-01-09 Bayerische Motoren Werke Aktiengesellschaft +bmw + +// bnl : 2014-07-24 Banca Nazionale del Lavoro +bnl + +// bnpparibas : 2014-05-29 BNP Paribas +bnpparibas + +// boats : 2014-12-04 DERBoats, LLC +boats + +// bom : 2014-10-16 Núcleo de Informação e Coordenação do Ponto BR - NIC.br +bom + +// bond : 2014-06-05 Bond University Limited +bond + +// boo : 2014-01-30 Charleston Road Registry Inc. +boo + +// boots : 2015-01-08 THE BOOTS COMPANY PLC +boots + +// bot : 2014-12-18 Amazon EU S.à r.l. +bot + +// boutique : 2013-11-14 Over Galley, LLC +boutique + +// bradesco : 2014-12-18 Banco Bradesco S.A. +bradesco + +// bridgestone : 2014-12-18 Bridgestone Corporation +bridgestone + +// broadway : 2014-12-22 Celebrate Broadway, Inc. +broadway + +// broker : 2014-12-11 IG Group Holdings PLC +broker + +// brussels : 2014-02-06 DNS.be vzw +brussels + +// budapest : 2013-11-21 Top Level Domain Holdings Limited +budapest + +// build : 2013-11-07 Plan Bee LLC +build + +// builders : 2013-11-07 Atomic Madison, LLC +builders + +// business : 2013-11-07 Spring Cross, LLC +business + +// buy : 2014-12-18 Amazon EU S.à r.l. +buy + +// buzz : 2013-10-02 DOTSTRATEGY CO. 
+buzz + +// bzh : 2014-02-27 Association www.bzh +bzh + +// cab : 2013-10-24 Half Sunset, LLC +cab + +// cal : 2014-07-24 Charleston Road Registry Inc. +cal + +// call : 2014-12-18 Amazon EU S.à r.l. +call + +// camera : 2013-08-27 Atomic Maple, LLC +camera + +// camp : 2013-11-07 Delta Dynamite, LLC +camp + +// cancerresearch : 2014-05-15 Australian Cancer Research Foundation +cancerresearch + +// canon : 2014-09-12 Canon Inc. +canon + +// capetown : 2014-03-24 ZA Central Registry NPC trading as ZA Central Registry +capetown + +// capital : 2014-03-06 Delta Mill, LLC +capital + +// car : 2015-01-22 Charleston Road Registry Inc. +car + +// caravan : 2013-12-12 Caravan International, Inc. +caravan + +// cards : 2013-12-05 Foggy Hollow, LLC +cards + +// care : 2014-03-06 Goose Cross +care + +// career : 2013-10-09 dotCareer LLC +career + +// careers : 2013-10-02 Wild Corner, LLC +careers + +// cars : 2014-11-13 Uniregistry, Corp. +cars + +// cartier : 2014-06-23 Richemont DNS Inc. +cartier + +// casa : 2013-11-21 Top Level Domain Holdings Limited +casa + +// cash : 2014-03-06 Delta Lake, LLC +cash + +// casino : 2014-12-18 Binky Sky, LLC +casino + +// catering : 2013-12-05 New Falls. LLC +catering + +// cba : 2014-06-26 COMMONWEALTH BANK OF AUSTRALIA +cba + +// cbn : 2014-08-22 The Christian Broadcasting Network, Inc. +cbn + +// center : 2013-11-07 Tin Mill, LLC +center + +// ceo : 2013-11-07 CEOTLD Pty Ltd +ceo + +// cern : 2014-06-05 European Organization for Nuclear Research (\ +cern + +// cfa : 2014-08-28 CFA Institute +cfa + +// cfd : 2014-12-11 IG Group Holdings PLC +cfd + +// channel : 2014-05-08 Charleston Road Registry Inc. +channel + +// chat : 2014-12-04 Sand Fields, LLC +chat + +// cheap : 2013-11-14 Sand Cover, LLC +cheap + +// chloe : 2014-10-16 Richemont DNS Inc. +chloe + +// christmas : 2013-11-21 Uniregistry, Corp. +christmas + +// chrome : 2014-07-24 Charleston Road Registry Inc. 
+chrome + +// church : 2014-02-06 Holly Fileds, LLC +church + +// circle : 2014-12-18 Amazon EU S.à r.l. +circle + +// cisco : 2014-12-22 Cisco Technology, Inc. +cisco + +// citic : 2014-01-09 CITIC Group Corporation +citic + +// city : 2014-05-29 Snow Sky, LLC +city + +// cityeats : 2014-12-11 Lifestyle Domain Holdings, Inc. +cityeats + +// claims : 2014-03-20 Black Corner, LLC +claims + +// cleaning : 2013-12-05 Fox Shadow, LLC +cleaning + +// click : 2014-06-05 Uniregistry, Corp. +click + +// clinic : 2014-03-20 Goose Park, LLC +clinic + +// clothing : 2013-08-27 Steel Lake, LLC +clothing + +// club : 2013-11-08 .CLUB DOMAINS, LLC +club + +// coach : 2014-10-09 Koko Island, LLC +coach + +// codes : 2013-10-31 Puff Willow, LLC +codes + +// coffee : 2013-10-17 Trixy Cover, LLC +coffee + +// college : 2014-01-16 XYZ.COM LLC +college + +// cologne : 2014-02-05 NetCologne Gesellschaft für Telekommunikation mbH +cologne + +// commbank : 2014-06-26 COMMONWEALTH BANK OF AUSTRALIA +commbank + +// community : 2013-12-05 Fox Orchard, LLC +community + +// company : 2013-11-07 Silver Avenue, LLC +company + +// computer : 2013-10-24 Pine Mill, LLC +computer + +// comsec : 2015-01-08 VeriSign, Inc. +comsec + +// condos : 2013-12-05 Pine House, LLC +condos + +// construction : 2013-09-16 Fox Dynamite, LLC +construction + +// consulting : 2013-12-05 +consulting + +// contact : 2015-01-08 Top Level Spectrum, Inc. 
+contact + +// contractors : 2013-09-10 Magic Woods, LLC +contractors + +// cooking : 2013-11-21 Top Level Domain Holdings Limited +cooking + +// cool : 2013-11-14 Koko Lake, LLC +cool + +// corsica : 2014-09-25 Collectivité Territoriale de Corse +corsica + +// country : 2013-12-19 Top Level Domain Holdings Limited +country + +// courses : 2014-12-04 OPEN UNIVERSITIES AUSTRALIA PTY LTD +courses + +// credit : 2014-03-20 Snow Shadow, LLC +credit + +// creditcard : 2014-03-20 Binky Frostbite, LLC +creditcard + +// creditunion : 2015-01-22 CUNA Performance Resources, LLC +creditunion + +// cricket : 2014-10-09 dot Cricket Limited +cricket + +// crown : 2014-10-24 Crown Equipment Corporation +crown + +// crs : 2014-04-03 Federated Co-operatives Limited +crs + +// cruises : 2013-12-05 Spring Way, LLC +cruises + +// csc : 2014-09-25 Alliance-One Services, Inc. +csc + +// cuisinella : 2014-04-03 SALM S.A.S. +cuisinella + +// cymru : 2014-05-08 Nominet UK +cymru + +// cyou : 2015-01-22 Beijing Gamease Age Digital Technology Co., Ltd. +cyou + +// dabur : 2014-02-06 Dabur India Limited +dabur + +// dad : 2014-01-23 Charleston Road Registry Inc. +dad + +// dance : 2013-10-24 United TLD Holdco Ltd. +dance + +// date : 2014-11-20 dot Date Limited +date + +// dating : 2013-12-05 Pine Fest, LLC +dating + +// datsun : 2014-03-27 NISSAN MOTOR CO., LTD. +datsun + +// day : 2014-01-30 Charleston Road Registry Inc. +day + +// dclk : 2014-11-20 Charleston Road Registry Inc. +dclk + +// dealer : 2014-12-22 Dealer Dot Com, Inc. +dealer + +// deals : 2014-05-22 Sand Sunset, LLC +deals + +// degree : 2014-03-06 +degree + +// delivery : 2014-09-11 Steel Station, LLC +delivery + +// dell : 2014-10-24 Dell Inc. +dell + +// democrat : 2013-10-24 United TLD Holdco Ltd. 
+democrat + +// dental : 2014-03-20 Tin Birch, LLC +dental + +// dentist : 2014-03-20 +dentist + +// desi : 2013-11-14 Desi Networks LLC +desi + +// design : 2014-11-07 Top Level Design, LLC +design + +// dev : 2014-10-16 Charleston Road Registry Inc. +dev + +// diamonds : 2013-09-22 John Edge, LLC +diamonds + +// diet : 2014-06-26 Uniregistry, Corp. +diet + +// digital : 2014-03-06 Dash Park, LLC +digital + +// direct : 2014-04-10 Half Trail, LLC +direct + +// directory : 2013-09-20 Extra Madison, LLC +directory + +// discount : 2014-03-06 Holly Hill, LLC +discount + +// dnp : 2013-12-13 Dai Nippon Printing Co., Ltd. +dnp + +// docs : 2014-10-16 Charleston Road Registry Inc. +docs + +// dog : 2014-12-04 Koko Mill, LLC +dog + +// doha : 2014-09-18 Communications Regulatory Authority (CRA) +doha + +// domains : 2013-10-17 Sugar Cross, LLC +domains + +// doosan : 2014-04-03 Doosan Corporation +doosan + +// download : 2014-11-20 dot Support Limited +download + +// dubai : 2015-01-01 Dubai Smart Government Department +dubai + +// durban : 2014-03-24 ZA Central Registry NPC trading as ZA Central Registry +durban + +// dvag : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG +dvag + +// earth : 2014-12-04 Interlink Co., Ltd. +earth + +// eat : 2014-01-23 Charleston Road Registry Inc. +eat + +// edeka : 2014-12-18 EDEKA Verband kaufmännischer Genossenschaften e.V. +edeka + +// education : 2013-11-07 Brice Way, LLC +education + +// email : 2013-10-31 Spring Madison, LLC +email + +// emerck : 2014-04-03 Merck KGaA +emerck + +// energy : 2014-09-11 Binky Birch, LLC +energy + +// engineer : 2014-03-06 United TLD Holdco Ltd. +engineer + +// engineering : 2014-03-06 Romeo Canyon +engineering + +// enterprises : 2013-09-20 Snow Oaks, LLC +enterprises + +// epson : 2014-12-04 Seiko Epson Corporation +epson + +// equipment : 2013-08-27 Corn Station, LLC +equipment + +// erni : 2014-04-03 ERNI Group Holding AG +erni + +// esq : 2014-05-08 Charleston Road Registry Inc. 
+esq + +// estate : 2013-08-27 Trixy Park, LLC +estate + +// eurovision : 2014-04-24 European Broadcasting Union (EBU) +eurovision + +// eus : 2013-12-12 Puntueus Fundazioa +eus + +// events : 2013-12-05 Pioneer Maple, LLC +events + +// everbank : 2014-05-15 EverBank +everbank + +// exchange : 2014-03-06 Spring Falls, LLC +exchange + +// expert : 2013-11-21 Magic Pass, LLC +expert + +// exposed : 2013-12-05 Victor Beach, LLC +exposed + +// fage : 2014-12-18 Fage International S.A. +fage + +// fail : 2014-03-06 Atomic Pipe, LLC +fail + +// fairwinds : 2014-11-13 FairWinds Partners, LLC +fairwinds + +// faith : 2014-11-20 dot Faith Limited +faith + +// fan : 2014-03-06 +fan + +// fans : 2014-11-07 Asiamix Digital Limited +fans + +// farm : 2013-11-07 Just Maple, LLC +farm + +// fashion : 2014-07-03 Top Level Domain Holdings Limited +fashion + +// fast : 2014-12-18 Amazon EU S.à r.l. +fast + +// feedback : 2013-12-19 Top Level Spectrum, Inc. +feedback + +// ferrero : 2014-12-18 Ferrero Trading Lux S.A. +ferrero + +// film : 2015-01-08 Motion Picture Domain Registry Pty Ltd +film + +// final : 2014-10-16 Núcleo de Informação e Coordenação do Ponto BR - NIC.br +final + +// finance : 2014-03-20 Cotton Cypress, LLC +finance + +// financial : 2014-03-06 Just Cover, LLC +financial + +// firestone : 2014-12-18 Bridgestone Corporation +firestone + +// firmdale : 2014-03-27 Firmdale Holdings Limited +firmdale + +// fish : 2013-12-12 Fox Woods, LLC +fish + +// fishing : 2013-11-21 Top Level Domain Holdings Limited +fishing + +// fit : 2014-11-07 Top Level Domain Holdings Limited +fit + +// fitness : 2014-03-06 Brice Orchard, LLC +fitness + +// flights : 2013-12-05 Fox Station, LLC +flights + +// florist : 2013-11-07 Half Cypress, LLC +florist + +// flowers : 2014-10-09 Uniregistry, Corp. +flowers + +// flsmidth : 2014-07-24 FLSmidth A/S +flsmidth + +// fly : 2014-05-08 Charleston Road Registry Inc. +fly + +// foo : 2014-01-23 Charleston Road Registry Inc. 
+foo + +// football : 2014-12-18 Foggy Farms, LLC +football + +// ford : 2014-11-13 Ford Motor Company +ford + +// forex : 2014-12-11 IG Group Holdings PLC +forex + +// forsale : 2014-05-22 +forsale + +// foundation : 2013-12-05 John Dale, LLC +foundation + +// frl : 2014-05-15 FRLregistry B.V. +frl + +// frogans : 2013-12-19 OP3FT +frogans + +// fund : 2014-03-20 John Castle, LLC +fund + +// furniture : 2014-03-20 Lone Fields, LLC +furniture + +// futbol : 2013-09-20 +futbol + +// gal : 2013-11-07 Asociación puntoGAL +gal + +// gallery : 2013-09-13 Sugar House, LLC +gallery + +// garden : 2014-06-26 Top Level Domain Holdings Limited +garden + +// gbiz : 2014-07-17 Charleston Road Registry Inc. +gbiz + +// gdn : 2014-07-31 Joint Stock Company \ +gdn + +// gea : 2014-12-04 GEA Group Aktiengesellschaft +gea + +// gent : 2014-01-23 COMBELL GROUP NV/SA +gent + +// ggee : 2014-01-09 GMO Internet, Inc. +ggee + +// gift : 2013-10-17 Uniregistry, Corp. +gift + +// gifts : 2014-07-03 Goose Sky, LLC +gifts + +// gives : 2014-03-06 United TLD Holdco Ltd. +gives + +// giving : 2014-11-13 Giving Limited +giving + +// glass : 2013-11-07 Black Cover, LLC +glass + +// gle : 2014-07-24 Charleston Road Registry Inc. +gle + +// global : 2014-04-17 Dot GLOBAL AS +global + +// globo : 2013-12-19 Globo Comunicação e Participações S.A +globo + +// gmail : 2014-05-01 Charleston Road Registry Inc. +gmail + +// gmo : 2014-01-09 GMO Internet, Inc. +gmo + +// gmx : 2014-04-24 1&1 Mail & Media GmbH +gmx + +// gold : 2015-01-22 June Edge, LLC +gold + +// goldpoint : 2014-11-20 YODOBASHI CAMERA CO.,LTD. +goldpoint + +// golf : 2014-12-18 Lone falls, LLC +golf + +// goo : 2014-12-18 NTT Resonant Inc. +goo + +// goog : 2014-11-20 Charleston Road Registry Inc. +goog + +// google : 2014-07-24 Charleston Road Registry Inc. +google + +// gop : 2014-01-16 Republican State Leadership Committee, Inc. +gop + +// got : 2014-12-18 Amazon EU S.à r.l. 
+got + +// graphics : 2013-09-13 Over Madison, LLC +graphics + +// gratis : 2014-03-20 Pioneer Tigers, LLC +gratis + +// green : 2014-05-08 Afilias Limited +green + +// gripe : 2014-03-06 Corn Sunset, LLC +gripe + +// group : 2014-08-15 Romeo Town, LLC +group + +// gucci : 2014-11-13 Guccio Gucci S.p.a. +gucci + +// guge : 2014-08-28 Charleston Road Registry Inc. +guge + +// guide : 2013-09-13 Snow Moon, LLC +guide + +// guitars : 2013-11-14 Uniregistry, Corp. +guitars + +// guru : 2013-08-27 Pioneer Cypress, LLC +guru + +// hamburg : 2014-02-20 Hamburg Top-Level-Domain GmbH +hamburg + +// hangout : 2014-11-13 Charleston Road Registry Inc. +hangout + +// haus : 2013-12-05 +haus + +// healthcare : 2014-06-12 Silver Glen, LLC +healthcare + +// help : 2014-06-26 Uniregistry, Corp. +help + +// here : 2014-02-06 Charleston Road Registry Inc. +here + +// hermes : 2014-07-10 HERMES INTERNATIONAL +hermes + +// hiphop : 2014-03-06 Uniregistry, Corp. +hiphop + +// hitachi : 2014-10-31 Hitachi, Ltd. +hitachi + +// hiv : 2014-03-13 dotHIV gemeinnuetziger e.V. +hiv + +// holdings : 2013-08-27 John Madison, LLC +holdings + +// holiday : 2013-11-07 Goose Woods, LLC +holiday + +// homes : 2014-01-09 DERHomes, LLC +homes + +// honda : 2014-12-18 Honda Motor Co., Ltd. +honda + +// horse : 2013-11-21 Top Level Domain Holdings Limited +horse + +// host : 2014-04-17 DotHost Inc. +host + +// hosting : 2014-05-29 Uniregistry, Corp. +hosting + +// hotmail : 2014-12-18 Microsoft Corporation +hotmail + +// house : 2013-11-07 Sugar Park, LLC +house + +// how : 2014-01-23 Charleston Road Registry Inc. +how + +// hsbc : 2014-10-24 HSBC Holdings PLC +hsbc + +// ibm : 2014-07-31 International Business Machines Corporation +ibm + +// ice : 2014-10-30 IntercontinentalExchange, Inc. +ice + +// icu : 2015-01-08 One.com A/S +icu + +// ifm : 2014-01-30 ifm electronic gmbh +ifm + +// iinet : 2014-07-03 Connect West Pty. Ltd. 
+iinet + +// immo : 2014-07-10 Auburn Bloom, LLC +immo + +// immobilien : 2013-11-07 United TLD Holdco Ltd. +immobilien + +// industries : 2013-12-05 Outer House, LLC +industries + +// infiniti : 2014-03-27 NISSAN MOTOR CO., LTD. +infiniti + +// ing : 2014-01-23 Charleston Road Registry Inc. +ing + +// ink : 2013-12-05 Top Level Design, LLC +ink + +// institute : 2013-11-07 Outer Maple, LLC +institute + +// insure : 2014-03-20 Pioneer Willow, LLC +insure + +// international : 2013-11-07 Wild Way, LLC +international + +// investments : 2014-03-20 Holly Glen, LLC +investments + +// ipiranga : 2014-08-28 Ipiranga Produtos de Petroleo S.A. +ipiranga + +// irish : 2014-08-07 Dot-Irish LLC +irish + +// ist : 2014-08-28 Istanbul Metropolitan Municipality +ist + +// istanbul : 2014-08-28 Istanbul Metropolitan Municipality +istanbul + +// itau : 2014-10-02 Itau Unibanco Holding S.A. +itau + +// iwc : 2014-06-23 Richemont DNS Inc. +iwc + +// jaguar : 2014-11-13 Jaguar Land Rover Ltd +jaguar + +// java : 2014-06-19 Oracle Corporation +java + +// jcb : 2014-11-20 JCB Co., Ltd. +jcb + +// jetzt : 2014-01-09 New TLD Company AB +jetzt + +// jlc : 2014-12-04 Richemont DNS Inc. +jlc + +// joburg : 2014-03-24 ZA Central Registry NPC trading as ZA Central Registry +joburg + +// jot : 2014-12-18 Amazon EU S.à r.l. +jot + +// joy : 2014-12-18 Amazon EU S.à r.l. +joy + +// jprs : 2014-09-18 Japan Registry Services Co., Ltd. +jprs + +// juegos : 2014-03-20 Uniregistry, Corp. +juegos + +// kaufen : 2013-11-07 United TLD Holdco Ltd. +kaufen + +// kddi : 2014-09-12 KDDI CORPORATION +kddi + +// kfh : 2014-12-04 Kuwait Finance House +kfh + +// kim : 2013-09-23 Afilias Limited +kim + +// kinder : 2014-11-07 Ferrero Trading Lux S.A. +kinder + +// kitchen : 2013-09-20 Just Goodbye, LLC +kitchen + +// kiwi : 2013-09-20 DOT KIWI LIMITED +kiwi + +// koeln : 2014-01-09 NetCologne Gesellschaft für Telekommunikation mbH +koeln + +// komatsu : 2015-01-08 Komatsu Ltd. 
+komatsu + +// kpn : 2015-01-08 Koninklijke KPN N.V. +kpn + +// krd : 2013-12-05 KRG Department of Information Technology +krd + +// kred : 2013-12-19 KredTLD Pty Ltd +kred + +// kyoto : 2014-11-07 Academic Institution: Kyoto Jyoho Gakuen +kyoto + +// lacaixa : 2014-01-09 CAIXA D'ESTALVIS I PENSIONS DE BARCELONA +lacaixa + +// land : 2013-09-10 Pine Moon, LLC +land + +// landrover : 2014-11-13 Jaguar Land Rover Ltd +landrover + +// lat : 2014-10-16 ECOM-LAC Federaciòn de Latinoamèrica y el Caribe para Internet y el Comercio Electrònico +lat + +// latrobe : 2014-06-16 La Trobe University +latrobe + +// law : 2015-01-22 Minds + Machines Group Limited +law + +// lawyer : 2014-03-20 +lawyer + +// lds : 2014-03-20 IRI Domain Management, LLC (\ +lds + +// lease : 2014-03-06 Victor Trail, LLC +lease + +// leclerc : 2014-08-07 A.C.D. LEC Association des Centres Distributeurs Edouard Leclerc +leclerc + +// legal : 2014-10-16 Blue Falls, LLC +legal + +// lgbt : 2014-05-08 Afilias Limited +lgbt + +// liaison : 2014-10-02 Liaison Technologies, Incorporated +liaison + +// lidl : 2014-09-18 Schwarz Domains und Services GmbH & Co. KG +lidl + +// life : 2014-02-06 Trixy Oaks, LLC +life + +// lifeinsurance : 2015-01-15 American Council of Life Insurers +lifeinsurance + +// lifestyle : 2014-12-11 Lifestyle Domain Holdings, Inc. +lifestyle + +// lighting : 2013-08-27 John McCook, LLC +lighting + +// like : 2014-12-18 Amazon EU S.à r.l. +like + +// limited : 2014-03-06 Big Fest, LLC +limited + +// limo : 2013-10-17 Hidden Frostbite, LLC +limo + +// lincoln : 2014-11-13 Ford Motor Company +lincoln + +// linde : 2014-12-04 Linde Aktiengesellschaft +linde + +// link : 2013-11-14 Uniregistry, Corp. +link + +// live : 2014-12-04 Half Woods, LLC +live + +// loan : 2014-11-20 dot Loan Limited +loan + +// loans : 2014-03-20 June Woods, LLC +loans + +// london : 2013-11-14 Dot London Domains Limited +london + +// lotte : 2014-11-07 Lotte Holdings Co., Ltd. 
+lotte + +// lotto : 2014-04-10 Afilias Limited +lotto + +// love : 2014-12-22 Merchant Law Group LLP +love + +// ltd : 2014-09-25 Over Corner, LLC +ltd + +// ltda : 2014-04-17 DOMAIN ROBOT SERVICOS DE HOSPEDAGEM NA INTERNET LTDA +ltda + +// lupin : 2014-11-07 LUPIN LIMITED +lupin + +// luxe : 2014-01-09 Top Level Domain Holdings Limited +luxe + +// luxury : 2013-10-17 Luxury Partners, LLC +luxury + +// madrid : 2014-05-01 Comunidad de Madrid +madrid + +// maif : 2014-10-02 Mutuelle Assurance Instituteur France (MAIF) +maif + +// maison : 2013-12-05 Victor Frostbite, LLC +maison + +// makeup : 2015-01-15 L'Oréal +makeup + +// man : 2014-12-04 MAN SE +man + +// management : 2013-11-07 John Goodbye, LLC +management + +// mango : 2013-10-24 PUNTO FA S.L. +mango + +// market : 2014-03-06 +market + +// marketing : 2013-11-07 Fern Pass, LLC +marketing + +// markets : 2014-12-11 IG Group Holdings PLC +markets + +// marriott : 2014-10-09 Marriott Worldwide Corporation +marriott + +// media : 2014-03-06 Grand Glen, LLC +media + +// meet : 2014-01-16 Afilias Limited +meet + +// melbourne : 2014-05-29 The Crown in right of the State of Victoria, represented by its Department of State Development, Business and Innovation +melbourne + +// meme : 2014-01-30 Charleston Road Registry Inc. +meme + +// memorial : 2014-10-16 Dog Beach, LLC +memorial + +// menu : 2013-09-11 Wedding TLD2, LLC +menu + +// meo : 2014-11-07 PT Comunicacoes S.A. +meo + +// miami : 2013-12-19 Top Level Domain Holdings Limited +miami + +// microsoft : 2014-12-18 Microsoft Corporation +microsoft + +// mini : 2014-01-09 Bayerische Motoren Werke Aktiengesellschaft +mini + +// mma : 2014-11-07 MMA IARD +mma + +// mobily : 2014-12-18 GreenTech Consultancy Company W.L.L. +mobily + +// moda : 2013-11-07 United TLD Holdco Ltd. +moda + +// moe : 2013-11-13 Interlink Co., Ltd. +moe + +// moi : 2014-12-18 Amazon EU S.à r.l. 
+moi + +// monash : 2013-09-30 Monash University +monash + +// money : 2014-10-16 Outer McCook, LLC +money + +// montblanc : 2014-06-23 Richemont DNS Inc. +montblanc + +// mormon : 2013-12-05 IRI Domain Management, LLC (\ +mormon + +// mortgage : 2014-03-20 +mortgage + +// moscow : 2013-12-19 Foundation for Assistance for Internet Technologies and Infrastructure Development (FAITID) +moscow + +// motorcycles : 2014-01-09 DERMotorcycles, LLC +motorcycles + +// mov : 2014-01-30 Charleston Road Registry Inc. +mov + +// movistar : 2014-10-16 Telefónica S.A. +movistar + +// mtn : 2014-12-04 MTN Dubai Limited +mtn + +// mtpc : 2014-11-20 Mitsubishi Tanabe Pharma Corporation +mtpc + +// nadex : 2014-12-11 IG Group Holdings PLC +nadex + +// nagoya : 2013-10-24 GMO Registry, Inc. +nagoya + +// navy : 2014-03-06 United TLD Holdco Ltd. +navy + +// nec : 2015-01-08 NEC Corporation +nec + +// netbank : 2014-06-26 COMMONWEALTH BANK OF AUSTRALIA +netbank + +// network : 2013-11-14 Trixy Manor, LLC +network + +// neustar : 2013-12-05 NeuStar, Inc. +neustar + +// new : 2014-01-30 Charleston Road Registry Inc. +new + +// news : 2014-12-18 Hidden Bloom, LLC +news + +// nexus : 2014-07-24 Charleston Road Registry Inc. +nexus + +// ngo : 2014-03-06 Public Interest Registry +ngo + +// nhk : 2014-02-13 Japan Broadcasting Corporation (NHK) +nhk + +// nico : 2014-12-04 DWANGO Co., Ltd. +nico + +// ninja : 2013-11-07 United TLD Holdco Ltd. +ninja + +// nissan : 2014-03-27 NISSAN MOTOR CO., LTD. +nissan + +// nokia : 2015-01-08 Nokia Corporation +nokia + +// norton : 2014-12-04 Symantec Corporation +norton + +// nowruz : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. +nowruz + +// nra : 2014-05-22 NRA Holdings Company, INC. 
+nra + +// nrw : 2013-11-21 Minds + Machines GmbH +nrw + +// ntt : 2014-10-31 NIPPON TELEGRAPH AND TELEPHONE CORPORATION +ntt + +// nyc : 2014-01-23 The City of New York by and through the New York City Department of Information Technology & Telecommunications +nyc + +// obi : 2014-09-25 OBI Group Holding SE & Co. KGaA +obi + +// okinawa : 2013-12-05 BusinessRalliart Inc. +okinawa + +// omega : 2015-01-08 The Swatch Group Ltd +omega + +// one : 2014-11-07 One.com A/S +one + +// ong : 2014-03-06 Public Interest Registry +ong + +// onl : 2013-09-16 I-Registry Ltd. +onl + +// online : 2015-01-15 DotOnline Inc. +online + +// ooo : 2014-01-09 INFIBEAM INCORPORATION LIMITED +ooo + +// oracle : 2014-06-19 Oracle Corporation +oracle + +// organic : 2014-03-27 Afilias Limited +organic + +// osaka : 2014-09-04 Interlink Co., Ltd. +osaka + +// otsuka : 2013-10-11 Otsuka Holdings Co., Ltd. +otsuka + +// ovh : 2014-01-16 OVH SAS +ovh + +// page : 2014-12-04 Charleston Road Registry Inc. +page + +// panerai : 2014-11-07 Richemont DNS Inc. +panerai + +// paris : 2014-01-30 City of Paris +paris + +// pars : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. +pars + +// partners : 2013-12-05 Magic Glen, LLC +partners + +// parts : 2013-12-05 Sea Goodbye, LLC +parts + +// party : 2014-09-11 Blue Sky Registry Limited +party + +// pharmacy : 2014-06-19 National Association of Boards of Pharmacy +pharmacy + +// philips : 2014-11-07 Koninklijke Philips N.V. +philips + +// photo : 2013-11-14 Uniregistry, Corp. +photo + +// photography : 2013-09-20 Sugar Glen, LLC +photography + +// photos : 2013-10-17 Sea Corner, LLC +photos + +// physio : 2014-05-01 PhysBiz Pty Ltd +physio + +// piaget : 2014-10-16 Richemont DNS Inc. +piaget + +// pics : 2013-11-14 Uniregistry, Corp. +pics + +// pictet : 2014-06-26 Pictet Europe S.A. +pictet + +// pictures : 2014-03-06 Foggy Sky, LLC +pictures + +// pid : 2015-01-08 Top Level Spectrum, Inc. +pid + +// pin : 2014-12-18 Amazon EU S.à r.l. 
+pin + +// pink : 2013-10-01 Afilias Limited +pink + +// pizza : 2014-06-26 Foggy Moon, LLC +pizza + +// place : 2014-04-24 Snow Galley, LLC +place + +// plumbing : 2013-09-10 Spring Tigers, LLC +plumbing + +// pohl : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG +pohl + +// poker : 2014-07-03 Afilias Domains No. 5 Limited +poker + +// porn : 2014-10-16 ICM Registry PN LLC +porn + +// praxi : 2013-12-05 Praxi S.p.A. +praxi + +// press : 2014-04-03 DotPress Inc. +press + +// prod : 2014-01-23 Charleston Road Registry Inc. +prod + +// productions : 2013-12-05 Magic Birch, LLC +productions + +// prof : 2014-07-24 Charleston Road Registry Inc. +prof + +// promo : 2014-12-18 Play.PROMO Oy +promo + +// properties : 2013-12-05 Big Pass, LLC +properties + +// property : 2014-05-22 Uniregistry, Corp. +property + +// pub : 2013-12-12 United TLD Holdco Ltd. +pub + +// qpon : 2013-11-14 dotCOOL, Inc. +qpon + +// quebec : 2013-12-19 PointQuébec Inc +quebec + +// racing : 2014-12-04 Premier Registry Limited +racing + +// read : 2014-12-18 Amazon EU S.à r.l. +read + +// realtor : 2014-05-29 Real Estate Domains LLC +realtor + +// recipes : 2013-10-17 Grand Island, LLC +recipes + +// red : 2013-11-07 Afilias Limited +red + +// redstone : 2014-10-31 Redstone Haute Couture Co., Ltd. +redstone + +// rehab : 2014-03-06 United TLD Holdco Ltd. +rehab + +// reise : 2014-03-13 dotreise GmbH +reise + +// reisen : 2014-03-06 New Cypress, LLC +reisen + +// reit : 2014-09-04 National Association of Real Estate Investment Trusts, Inc. +reit + +// ren : 2013-12-12 Beijing Qianxiang Wangjing Technology Development Co., Ltd. +ren + +// rent : 2014-12-04 DERRent, LLC +rent + +// rentals : 2013-12-05 Big Hollow,LLC +rentals + +// repair : 2013-11-07 Lone Sunset, LLC +repair + +// report : 2013-12-05 Binky Glen, LLC +report + +// republican : 2014-03-20 United TLD Holdco Ltd. 
+republican + +// rest : 2013-12-19 Punto 2012 Sociedad Anonima Promotora de Inversion de Capital Variable +rest + +// restaurant : 2014-07-03 Snow Avenue, LLC +restaurant + +// review : 2014-11-20 dot Review Limited +review + +// reviews : 2013-09-13 +reviews + +// rich : 2013-11-21 I-Registry Ltd. +rich + +// ricoh : 2014-11-20 Ricoh Company, Ltd. +ricoh + +// rio : 2014-02-27 Empresa Municipal de Informática SA - IPLANRIO +rio + +// rip : 2014-07-10 United TLD Holdco Ltd. +rip + +// rocher : 2014-12-18 Ferrero Trading Lux S.A. +rocher + +// rocks : 2013-11-14 +rocks + +// rodeo : 2013-12-19 Top Level Domain Holdings Limited +rodeo + +// room : 2014-12-18 Amazon EU S.à r.l. +room + +// rsvp : 2014-05-08 Charleston Road Registry Inc. +rsvp + +// ruhr : 2013-10-02 regiodot GmbH & Co. KG +ruhr + +// ryukyu : 2014-01-09 BusinessRalliart Inc. +ryukyu + +// saarland : 2013-12-12 dotSaarland GmbH +saarland + +// safe : 2014-12-18 Amazon EU S.à r.l. +safe + +// safety : 2015-01-08 Safety Registry Services, LLC. +safety + +// sakura : 2014-12-18 SAKURA Internet Inc. +sakura + +// sale : 2014-10-16 +sale + +// salon : 2014-12-11 Outer Orchard, LLC +salon + +// samsung : 2014-04-03 SAMSUNG SDS CO., LTD +samsung + +// sandvik : 2014-11-13 Sandvik AB +sandvik + +// sandvikcoromant : 2014-11-07 Sandvik AB +sandvikcoromant + +// sanofi : 2014-10-09 Sanofi +sanofi + +// sap : 2014-03-27 SAP AG +sap + +// sapo : 2014-11-07 PT Comunicacoes S.A. +sapo + +// sarl : 2014-07-03 Delta Orchard, LLC +sarl + +// saxo : 2014-10-31 Saxo Bank A/S +saxo + +// sbs : 2014-11-07 SPECIAL BROADCASTING SERVICE CORPORATION +sbs + +// sca : 2014-03-13 SVENSKA CELLULOSA AKTIEBOLAGET SCA (publ) +sca + +// scb : 2014-02-20 The Siam Commercial Bank Public Company Limited (\ +scb + +// schmidt : 2014-04-03 SALM S.A.S. 
+schmidt + +// scholarships : 2014-04-24 Scholarships.com, LLC +scholarships + +// school : 2014-12-18 Little Galley, LLC +school + +// schule : 2014-03-06 Outer Moon, LLC +schule + +// schwarz : 2014-09-18 Schwarz Domains und Services GmbH & Co. KG +schwarz + +// science : 2014-09-11 dot Science Limited +science + +// scor : 2014-10-31 SCOR SE +scor + +// scot : 2014-01-23 Dot Scot Registry Limited +scot + +// seat : 2014-05-22 SEAT, S.A. (Sociedad Unipersonal) +seat + +// seek : 2014-12-04 Seek Limited +seek + +// sener : 2014-10-24 Sener Ingeniería y Sistemas, S.A. +sener + +// services : 2014-02-27 Fox Castle, LLC +services + +// sew : 2014-07-17 SEW-EURODRIVE GmbH & Co KG +sew + +// sex : 2014-11-13 ICM Registry SX LLC +sex + +// sexy : 2013-09-11 Uniregistry, Corp. +sexy + +// sharp : 2014-05-01 Sharp Corporation +sharp + +// shia : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. +shia + +// shiksha : 2013-11-14 Afilias Limited +shiksha + +// shoes : 2013-10-02 Binky Galley, LLC +shoes + +// shouji : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD. +shouji + +// shriram : 2014-01-23 Shriram Capital Ltd. +shriram + +// singles : 2013-08-27 Fern Madison, LLC +singles + +// site : 2015-01-15 DotSite Inc. +site + +// skin : 2015-01-15 L'Oréal +skin + +// sky : 2014-06-19 Sky IP International Ltd, a company incorporated in England and Wales, operating via its registered Swiss branch +sky + +// skype : 2014-12-18 Microsoft Corporation +skype + +// smile : 2014-12-18 Amazon EU S.à r.l. +smile + +// social : 2013-11-07 United TLD Holdco Ltd. +social + +// software : 2014-03-20 +software + +// sohu : 2013-12-19 Sohu.com Limited +sohu + +// solar : 2013-11-07 Ruby Town, LLC +solar + +// solutions : 2013-11-07 Silver Cover, LLC +solutions + +// sony : 2015-01-08 Sony Corporation +sony + +// soy : 2014-01-23 Charleston Road Registry Inc. +soy + +// space : 2014-04-03 DotSpace Inc. +space + +// spiegel : 2014-02-05 SPIEGEL-Verlag Rudolf Augstein GmbH & Co. 
KG +spiegel + +// spreadbetting : 2014-12-11 IG Group Holdings PLC +spreadbetting + +// stada : 2014-11-13 STADA Arzneimittel AG +stada + +// star : 2015-01-08 Star India Private Limited +star + +// statoil : 2014-12-04 Statoil ASA +statoil + +// stc : 2014-10-09 Saudi Telecom Company +stc + +// stcgroup : 2014-10-09 Saudi Telecom Company +stcgroup + +// stockholm : 2014-12-18 Stockholms kommun +stockholm + +// storage : 2014-12-22 Self Storage Company LLC +storage + +// study : 2014-12-11 OPEN UNIVERSITIES AUSTRALIA PTY LTD +study + +// style : 2014-12-04 Binky Moon, LLC +style + +// sucks : 2014-12-22 Vox Populi Registry Inc. +sucks + +// supplies : 2013-12-19 Atomic Fields, LLC +supplies + +// supply : 2013-12-19 Half Falls, LLC +supply + +// support : 2013-10-24 Grand Orchard, LLC +support + +// surf : 2014-01-09 Top Level Domain Holdings Limited +surf + +// surgery : 2014-03-20 Tin Avenue, LLC +surgery + +// suzuki : 2014-02-20 SUZUKI MOTOR CORPORATION +suzuki + +// swatch : 2015-01-08 The Swatch Group Ltd +swatch + +// swiss : 2014-10-16 Swiss Confederation +swiss + +// sydney : 2014-09-18 State of New South Wales, Department of Premier and Cabinet +sydney + +// symantec : 2014-12-04 Symantec Corporation +symantec + +// systems : 2013-11-07 Dash Cypress, LLC +systems + +// tab : 2014-12-04 Tabcorp Holdings Limited +tab + +// taipei : 2014-07-10 Taipei City Government +taipei + +// taobao : 2015-01-15 Alibaba Group Holding Limited +taobao + +// tatar : 2014-04-24 Limited Liability Company \ +tatar + +// tattoo : 2013-08-30 Uniregistry, Corp. +tattoo + +// tax : 2014-03-20 Storm Orchard, LLC +tax + +// tci : 2014-09-12 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. +tci + +// technology : 2013-09-13 Auburn Falls +technology + +// telefonica : 2014-10-16 Telefónica S.A. 
+telefonica + +// temasek : 2014-08-07 Temasek Holdings (Private) Limited +temasek + +// tennis : 2014-12-04 Cotton Bloom, LLC +tennis + +// tienda : 2013-11-14 Victor Manor, LLC +tienda + +// tips : 2013-09-20 Corn Willow, LLC +tips + +// tires : 2014-11-07 Dog Edge, LLC +tires + +// tirol : 2014-04-24 punkt Tirol GmbH +tirol + +// tmall : 2015-01-15 Alibaba Group Holding Limited +tmall + +// today : 2013-09-20 Pearl Woods, LLC +today + +// tokyo : 2013-11-13 GMO Registry, Inc. +tokyo + +// tools : 2013-11-21 Pioneer North, LLC +tools + +// top : 2014-03-20 Jiangsu Bangning Science & Technology Co.,Ltd. +top + +// toray : 2014-12-18 Toray Industries, Inc. +toray + +// toshiba : 2014-04-10 TOSHIBA Corporation +toshiba + +// tours : 2015-01-22 Sugar Station, LLC +tours + +// town : 2014-03-06 Koko Moon, LLC +town + +// toys : 2014-03-06 Pioneer Orchard, LLC +toys + +// trade : 2014-01-23 Elite Registry Limited +trade + +// trading : 2014-12-11 IG Group Holdings PLC +trading + +// training : 2013-11-07 Wild Willow, LLC +training + +// trust : 2014-10-16 +trust + +// tui : 2014-07-03 TUI AG +tui + +// tushu : 2014-12-18 Amazon EU S.à r.l. +tushu + +// ubs : 2014-12-11 UBS AG +ubs + +// university : 2014-03-06 Little Station, LLC +university + +// uno : 2013-09-11 Dot Latin LLC +uno + +// uol : 2014-05-01 UBN INTERNET LTDA. +uol + +// vacations : 2013-12-05 Atomic Tigers, LLC +vacations + +// vana : 2014-12-11 Lifestyle Domain Holdings, Inc. +vana + +// vegas : 2014-01-16 Dot Vegas, Inc. 
+vegas + +// ventures : 2013-08-27 Binky Lake, LLC +ventures + +// versicherung : 2014-03-20 dotversicherung-registry GmbH +versicherung + +// vet : 2014-03-06 +vet + +// viajes : 2013-10-17 Black Madison, LLC +viajes + +// video : 2014-10-16 +video + +// villas : 2013-12-05 New Sky, LLC +villas + +// vip : 2015-01-22 Minds + Machines Group Limited +vip + +// virgin : 2014-09-25 Virgin Enterprises Limited +virgin + +// vision : 2013-12-05 Koko Station, LLC +vision + +// vista : 2014-09-18 Vistaprint Limited +vista + +// vistaprint : 2014-09-18 Vistaprint Limited +vistaprint + +// viva : 2014-11-07 Saudi Telecom Company +viva + +// vlaanderen : 2014-02-06 DNS.be vzw +vlaanderen + +// vodka : 2013-12-19 Top Level Domain Holdings Limited +vodka + +// vote : 2013-11-21 Monolith Registry LLC +vote + +// voting : 2013-11-13 Valuetainment Corp. +voting + +// voto : 2013-11-21 Monolith Registry LLC +voto + +// voyage : 2013-08-27 Ruby House, LLC +voyage + +// wales : 2014-05-08 Nominet UK +wales + +// walter : 2014-11-13 Sandvik AB +walter + +// wang : 2013-10-24 Zodiac Leo Limited +wang + +// wanggou : 2014-12-18 Amazon EU S.à r.l. +wanggou + +// watch : 2013-11-14 Sand Shadow, LLC +watch + +// watches : 2014-12-22 Richemont DNS Inc. +watches + +// weather : 2015-01-08 The Weather Channel, LLC +weather + +// webcam : 2014-01-23 dot Webcam Limited +webcam + +// website : 2014-04-03 DotWebsite Inc. +website + +// wed : 2013-10-01 Atgron, Inc. 
+wed + +// wedding : 2014-04-24 Top Level Domain Holdings Limited +wedding + +// whoswho : 2014-02-20 Who's Who Registry +whoswho + +// wien : 2013-10-28 punkt.wien GmbH +wien + +// wiki : 2013-11-07 Top Level Design, LLC +wiki + +// williamhill : 2014-03-13 William Hill Organization Limited +williamhill + +// win : 2014-11-20 First Registry Limited +win + +// windows : 2014-12-18 Microsoft Corporation +windows + +// wme : 2014-02-13 William Morris Endeavor Entertainment, LLC +wme + +// work : 2013-12-19 Top Level Domain Holdings Limited +work + +// works : 2013-11-14 Little Dynamite, LLC +works + +// world : 2014-06-12 Bitter Fields, LLC +world + +// wtc : 2013-12-19 World Trade Centers Association, Inc. +wtc + +// wtf : 2014-03-06 Hidden Way, LLC +wtf + +// xbox : 2014-12-18 Microsoft Corporation +xbox + +// xerox : 2014-10-24 Xerox DNHC LLC +xerox + +// xihuan : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD. +xihuan + +// xin : 2014-12-11 Elegant Leader Limited +xin + +// xn--11b4c3d : 2015-01-15 VeriSign Sarl +कॉम + +// xn--1qqw23a : 2014-01-09 Guangzhou YU Wei Information Technology Co., Ltd. 
+佛山 + +// xn--30rr7y : 2014-06-12 Excellent First Limited +慈善 + +// xn--3bst00m : 2013-09-13 Eagle Horizon Limited +集团 + +// xn--3ds443g : 2013-09-08 TLD REGISTRY LIMITED +在线 + +// xn--3pxu8k : 2015-01-15 VeriSign Sarl +点看 + +// xn--42c2d9a : 2015-01-15 VeriSign Sarl +คอม + +// xn--45q11c : 2013-11-21 Zodiac Scorpio Limited +八卦 + +// xn--4gbrim : 2013-10-04 Suhub Electronic Establishment +موقع + +// xn--55qw42g : 2013-11-08 China Organizational Name Administration Center +公益 + +// xn--55qx5d : 2013-11-14 Computer Network Information Center of Chinese Academy of Sciences (China Internet Network Information Center) +公司 + +// xn--5tzm5g : 2014-12-22 Global Website TLD Asia Limited +网站 + +// xn--6frz82g : 2013-09-23 Afilias Limited +移动 + +// xn--6qq986b3xl : 2013-09-13 Tycoon Treasure Limited +我爱你 + +// xn--80adxhks : 2013-12-19 Foundation for Assistance for Internet Technologies and Infrastructure Development (FAITID) +москва + +// xn--80asehdb : 2013-07-14 CORE Association +онлайн + +// xn--80aswg : 2013-07-14 CORE Association +сайт + +// xn--9dbq2a : 2015-01-15 VeriSign Sarl +קום + +// xn--9et52u : 2014-06-12 RISE VICTORY LIMITED +时尚 + +// xn--b4w605ferd : 2014-08-07 Temasek Holdings (Private) Limited +淡马锡 + +// xn--c1avg : 2013-11-14 Public Interest Registry +орг + +// xn--c2br7g : 2015-01-15 VeriSign Sarl +नेट + +// xn--cg4bki : 2013-09-27 SAMSUNG SDS CO., LTD +삼성 + +// xn--czr694b : 2014-01-16 HU YI GLOBAL INFORMATION RESOURCES(HOLDING) COMPANY.HONGKONG LIMITED +商标 + +// xn--czrs0t : 2013-12-19 Wild Island, LLC +商店 + +// xn--czru2d : 2013-11-21 Zodiac Capricorn Limited +商城 + +// xn--d1acj3b : 2013-11-20 The Foundation for Network Initiatives “The Smart Internet” +дети + +// xn--eckvdtc9d : 2014-12-18 Amazon EU S.à r.l. 
+ポイント + +// xn--efvy88h : 2014-08-22 Xinhua News Agency Guangdong Branch 新华通讯社广东分社 +新闻 + +// xn--fhbei : 2015-01-15 VeriSign Sarl +كوم + +// xn--fiq228c5hs : 2013-09-08 TLD REGISTRY LIMITED +中文网 + +// xn--fiq64b : 2013-10-14 CITIC Group Corporation +中信 + +// xn--fjq720a : 2014-05-22 Will Bloom, LLC +娱乐 + +// xn--flw351e : 2014-07-31 Charleston Road Registry Inc. +谷歌 + +// xn--hxt814e : 2014-05-15 Zodiac Libra Limited +网店 + +// xn--i1b6b1a6a2e : 2013-11-14 Public Interest Registry +संगठन + +// xn--imr513n : 2014-12-11 HU YI GLOBAL INFORMATION RESOURCES (HOLDING) COMPANY. HONGKONG LIMITED +餐厅 + +// xn--io0a7i : 2013-11-14 Computer Network Information Center of Chinese Academy of Sciences (China Internet Network Information Center) +网络 + +// xn--j1aef : 2015-01-15 VeriSign Sarl +ком + +// xn--jlq61u9w7b : 2015-01-08 Nokia Corporation +诺基亚 + +// xn--kcrx77d1x4a : 2014-11-07 Koninklijke Philips N.V. +飞利浦 + +// xn--kpu716f : 2014-12-22 Richemont DNS Inc. +手表 + +// xn--kput3i : 2014-02-13 Beijing RITT-Net Technology Development Co., Ltd +手机 + +// xn--mgba3a3ejt : 2014-11-20 Aramco Services Company +ارامكو + +// xn--mgbab2bd : 2013-10-31 CORE Association +بازار + +// xn--mgbb9fbpob : 2014-12-18 GreenTech Consultancy Company W.L.L. +موبايلي + +// xn--mgbt3dhd : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. +همراه + +// xn--mk1bu44c : 2015-01-15 VeriSign Sarl +닷컴 + +// xn--mxtq1m : 2014-03-06 Net-Chinese Co., Ltd. +政府 + +// xn--ngbc5azd : 2013-07-13 International Domain Registry Pty. Ltd. +شبكة + +// xn--ngbe9e0a : 2014-12-04 Kuwait Finance House +بيتك + +// xn--nqv7f : 2013-11-14 Public Interest Registry +机构 + +// xn--nqv7fs00ema : 2013-11-14 Public Interest Registry +组织机构 + +// xn--nyqy26a : 2014-11-07 Stable Tone Limited +健康 + +// xn--p1acf : 2013-12-12 Rusnames Limited +рус + +// xn--pbt977c : 2014-12-22 Richemont DNS Inc. +珠宝 + +// xn--pssy2u : 2015-01-15 VeriSign Sarl +大拿 + +// xn--q9jyb4c : 2013-09-17 Charleston Road Registry Inc. 
+みんな + +// xn--qcka1pmc : 2014-07-31 Charleston Road Registry Inc. +グーグル + +// xn--rhqv96g : 2013-09-11 Stable Tone Limited +世界 + +// xn--ses554g : 2014-01-16 +网址 + +// xn--t60b56a : 2015-01-15 VeriSign Sarl +닷넷 + +// xn--tckwe : 2015-01-15 VeriSign Sarl +コム + +// xn--unup4y : 2013-07-14 Spring Fields, LLC +游戏 + +// xn--vermgensberater-ctb : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG +vermögensberater + +// xn--vermgensberatung-pwb : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG +vermögensberatung + +// xn--vhquv : 2013-08-27 Dash McCook, LLC +企业 + +// xn--vuq861b : 2014-10-16 Beijing Tele-info Network Technology Co., Ltd. +信息 + +// xn--xhq521b : 2013-11-14 Guangzhou YU Wei Information Technology Co., Ltd. +广东 + +// xn--zfr164b : 2013-11-08 China Organizational Name Administration Center +政务 + +// xyz : 2013-12-05 XYZ.COM LLC +xyz + +// yachts : 2014-01-09 DERYachts, LLC +yachts + +// yamaxun : 2014-12-18 Amazon EU S.à r.l. +yamaxun + +// yandex : 2014-04-10 YANDEX, LLC +yandex + +// yodobashi : 2014-11-20 YODOBASHI CAMERA CO.,LTD. +yodobashi + +// yoga : 2014-05-29 Top Level Domain Holdings Limited +yoga + +// yokohama : 2013-12-12 GMO Registry, Inc. +yokohama + +// youtube : 2014-05-01 Charleston Road Registry Inc. +youtube + +// yun : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD. +yun + +// zara : 2014-11-07 Industria de Diseño Textil, S.A. (INDITEX, S.A.) +zara + +// zero : 2014-12-18 Amazon EU S.à r.l. +zero + +// zip : 2014-05-08 Charleston Road Registry Inc. 
+zip + +// zone : 2013-11-14 Outer Falls, LLC +zone + +// zuerich : 2014-11-07 Kanton Zürich (Canton of Zurich) +zuerich + + +// ===END ICANN DOMAINS=== +// ===BEGIN PRIVATE DOMAINS=== + +// Amazon CloudFront : https://aws.amazon.com/cloudfront/ +// Submitted by Donavan Miller 2013-03-22 +cloudfront.net + +// Amazon Elastic Compute Cloud: https://aws.amazon.com/ec2/ +// Submitted by Osman Surkatty 2014-12-16 +ap-northeast-1.compute.amazonaws.com +ap-southeast-1.compute.amazonaws.com +ap-southeast-2.compute.amazonaws.com +cn-north-1.compute.amazonaws.cn +compute.amazonaws.cn +compute.amazonaws.com +compute-1.amazonaws.com +eu-west-1.compute.amazonaws.com +eu-central-1.compute.amazonaws.com +sa-east-1.compute.amazonaws.com +us-east-1.amazonaws.com +us-gov-west-1.compute.amazonaws.com +us-west-1.compute.amazonaws.com +us-west-2.compute.amazonaws.com +z-1.compute-1.amazonaws.com +z-2.compute-1.amazonaws.com + +// Amazon Elastic Beanstalk : https://aws.amazon.com/elasticbeanstalk/ +// Submitted by Adam Stein 2013-04-02 +elasticbeanstalk.com + +// Amazon Elastic Load Balancing : https://aws.amazon.com/elasticloadbalancing/ +// Submitted by Scott Vidmar 2013-03-27 +elb.amazonaws.com + +// Amazon S3 : https://aws.amazon.com/s3/ +// Submitted by Courtney Eckhardt 2013-03-22 +s3.amazonaws.com +s3-us-west-2.amazonaws.com +s3-us-west-1.amazonaws.com +s3-eu-west-1.amazonaws.com +s3-ap-southeast-1.amazonaws.com +s3-ap-southeast-2.amazonaws.com +s3-ap-northeast-1.amazonaws.com +s3-sa-east-1.amazonaws.com +s3-us-gov-west-1.amazonaws.com +s3-fips-us-gov-west-1.amazonaws.com +s3-website-us-east-1.amazonaws.com +s3-website-us-west-2.amazonaws.com +s3-website-us-west-1.amazonaws.com +s3-website-eu-west-1.amazonaws.com +s3-website-ap-southeast-1.amazonaws.com +s3-website-ap-southeast-2.amazonaws.com +s3-website-ap-northeast-1.amazonaws.com +s3-website-sa-east-1.amazonaws.com +s3-website-us-gov-west-1.amazonaws.com + +// BetaInABox +// Submitted by adrian@betainabox.com 2012-09-13 
+betainabox.com + +// CentralNic : http://www.centralnic.com/names/domains +// Submitted by registry 2012-09-27 +ae.org +ar.com +br.com +cn.com +com.de +com.se +de.com +eu.com +gb.com +gb.net +hu.com +hu.net +jp.net +jpn.com +kr.com +mex.com +no.com +qc.com +ru.com +sa.com +se.com +se.net +uk.com +uk.net +us.com +uy.com +za.bz +za.com + +// Africa.com Web Solutions Ltd : https://registry.africa.com +// Submitted by Gavin Brown 2014-02-04 +africa.com + +// iDOT Services Limited : http://www.domain.gr.com +// Submitted by Gavin Brown 2014-02-04 +gr.com + +// Radix FZC : http://domains.in.net +// Submitted by Gavin Brown 2014-02-04 +in.net + +// US REGISTRY LLC : http://us.org +// Submitted by Gavin Brown 2014-02-04 +us.org + +// co.com Registry, LLC : https://registry.co.com +// Submitted by Gavin Brown 2014-02-04 +co.com + +// c.la : http://www.c.la/ +c.la + +// cloudControl : https://www.cloudcontrol.com/ +// Submitted by Tobias Wilken 2013-07-23 +cloudcontrolled.com +cloudcontrolapp.com + +// co.ca : http://registry.co.ca/ +co.ca + +// CoDNS B.V. 
+co.nl +co.no + +// Commerce Guys, SAS +// Submitted by Damien Tournoud 2015-01-22 +*.platform.sh + +// Cupcake : https://cupcake.io/ +// Submitted by Jonathan Rudenberg 2013-10-08 +cupcake.is + +// DreamHost : http://www.dreamhost.com/ +// Submitted by Andrew Farmer 2012-10-02 +dreamhosters.com + +// DynDNS.com : http://www.dyndns.com/services/dns/dyndns/ +dyndns-at-home.com +dyndns-at-work.com +dyndns-blog.com +dyndns-free.com +dyndns-home.com +dyndns-ip.com +dyndns-mail.com +dyndns-office.com +dyndns-pics.com +dyndns-remote.com +dyndns-server.com +dyndns-web.com +dyndns-wiki.com +dyndns-work.com +dyndns.biz +dyndns.info +dyndns.org +dyndns.tv +at-band-camp.net +ath.cx +barrel-of-knowledge.info +barrell-of-knowledge.info +better-than.tv +blogdns.com +blogdns.net +blogdns.org +blogsite.org +boldlygoingnowhere.org +broke-it.net +buyshouses.net +cechire.com +dnsalias.com +dnsalias.net +dnsalias.org +dnsdojo.com +dnsdojo.net +dnsdojo.org +does-it.net +doesntexist.com +doesntexist.org +dontexist.com +dontexist.net +dontexist.org +doomdns.com +doomdns.org +dvrdns.org +dyn-o-saur.com +dynalias.com +dynalias.net +dynalias.org +dynathome.net +dyndns.ws +endofinternet.net +endofinternet.org +endoftheinternet.org +est-a-la-maison.com +est-a-la-masion.com +est-le-patron.com +est-mon-blogueur.com +for-better.biz +for-more.biz +for-our.info +for-some.biz +for-the.biz +forgot.her.name +forgot.his.name +from-ak.com +from-al.com +from-ar.com +from-az.net +from-ca.com +from-co.net +from-ct.com +from-dc.com +from-de.com +from-fl.com +from-ga.com +from-hi.com +from-ia.com +from-id.com +from-il.com +from-in.com +from-ks.com +from-ky.com +from-la.net +from-ma.com +from-md.com +from-me.org +from-mi.com +from-mn.com +from-mo.com +from-ms.com +from-mt.com +from-nc.com +from-nd.com +from-ne.com +from-nh.com +from-nj.com +from-nm.com +from-nv.com +from-ny.net +from-oh.com +from-ok.com +from-or.com +from-pa.com +from-pr.com +from-ri.com +from-sc.com +from-sd.com +from-tn.com +from-tx.com 
+from-ut.com +from-va.com +from-vt.com +from-wa.com +from-wi.com +from-wv.com +from-wy.com +ftpaccess.cc +fuettertdasnetz.de +game-host.org +game-server.cc +getmyip.com +gets-it.net +go.dyndns.org +gotdns.com +gotdns.org +groks-the.info +groks-this.info +ham-radio-op.net +here-for-more.info +hobby-site.com +hobby-site.org +home.dyndns.org +homedns.org +homeftp.net +homeftp.org +homeip.net +homelinux.com +homelinux.net +homelinux.org +homeunix.com +homeunix.net +homeunix.org +iamallama.com +in-the-band.net +is-a-anarchist.com +is-a-blogger.com +is-a-bookkeeper.com +is-a-bruinsfan.org +is-a-bulls-fan.com +is-a-candidate.org +is-a-caterer.com +is-a-celticsfan.org +is-a-chef.com +is-a-chef.net +is-a-chef.org +is-a-conservative.com +is-a-cpa.com +is-a-cubicle-slave.com +is-a-democrat.com +is-a-designer.com +is-a-doctor.com +is-a-financialadvisor.com +is-a-geek.com +is-a-geek.net +is-a-geek.org +is-a-green.com +is-a-guru.com +is-a-hard-worker.com +is-a-hunter.com +is-a-knight.org +is-a-landscaper.com +is-a-lawyer.com +is-a-liberal.com +is-a-libertarian.com +is-a-linux-user.org +is-a-llama.com +is-a-musician.com +is-a-nascarfan.com +is-a-nurse.com +is-a-painter.com +is-a-patsfan.org +is-a-personaltrainer.com +is-a-photographer.com +is-a-player.com +is-a-republican.com +is-a-rockstar.com +is-a-socialist.com +is-a-soxfan.org +is-a-student.com +is-a-teacher.com +is-a-techie.com +is-a-therapist.com +is-an-accountant.com +is-an-actor.com +is-an-actress.com +is-an-anarchist.com +is-an-artist.com +is-an-engineer.com +is-an-entertainer.com +is-by.us +is-certified.com +is-found.org +is-gone.com +is-into-anime.com +is-into-cars.com +is-into-cartoons.com +is-into-games.com +is-leet.com +is-lost.org +is-not-certified.com +is-saved.org +is-slick.com +is-uberleet.com +is-very-bad.org +is-very-evil.org +is-very-good.org +is-very-nice.org +is-very-sweet.org +is-with-theband.com +isa-geek.com +isa-geek.net +isa-geek.org +isa-hockeynut.com +issmarterthanyou.com +isteingeek.de +istmein.de 
+kicks-ass.net +kicks-ass.org +knowsitall.info +land-4-sale.us +lebtimnetz.de +leitungsen.de +likes-pie.com +likescandy.com +merseine.nu +mine.nu +misconfused.org +mypets.ws +myphotos.cc +neat-url.com +office-on-the.net +on-the-web.tv +podzone.net +podzone.org +readmyblog.org +saves-the-whales.com +scrapper-site.net +scrapping.cc +selfip.biz +selfip.com +selfip.info +selfip.net +selfip.org +sells-for-less.com +sells-for-u.com +sells-it.net +sellsyourhome.org +servebbs.com +servebbs.net +servebbs.org +serveftp.net +serveftp.org +servegame.org +shacknet.nu +simple-url.com +space-to-rent.com +stuff-4-sale.org +stuff-4-sale.us +teaches-yoga.com +thruhere.net +traeumtgerade.de +webhop.biz +webhop.info +webhop.net +webhop.org +worse-than.tv +writesthisblog.com + +// Fastly Inc. http://www.fastly.com/ +// Submitted by Vladimir Vuksan 2013-05-31 +a.ssl.fastly.net +b.ssl.fastly.net +global.ssl.fastly.net +a.prod.fastly.net +global.prod.fastly.net + +// Firebase, Inc. +// Submitted by Chris Raynor 2014-01-21 +firebaseapp.com + +// Flynn : https://flynn.io +// Submitted by Jonathan Rudenberg 2014-07-12 +flynnhub.com + +// GitHub, Inc. +// Submitted by Ben Toews 2014-02-06 +github.io +githubusercontent.com + +// GlobeHosting, Inc. +// Submitted by Zoltan Egresi 2013-07-12 +ro.com + +// Google, Inc. 
+// Submitted by Eduardo Vela 2014-12-19 +appspot.com +blogspot.ae +blogspot.be +blogspot.bj +blogspot.ca +blogspot.cf +blogspot.ch +blogspot.co.at +blogspot.co.il +blogspot.co.nz +blogspot.co.uk +blogspot.com +blogspot.com.ar +blogspot.com.au +blogspot.com.br +blogspot.com.es +blogspot.com.tr +blogspot.cv +blogspot.cz +blogspot.de +blogspot.dk +blogspot.fi +blogspot.fr +blogspot.gr +blogspot.hk +blogspot.hu +blogspot.ie +blogspot.in +blogspot.it +blogspot.jp +blogspot.kr +blogspot.mr +blogspot.mx +blogspot.nl +blogspot.no +blogspot.pt +blogspot.re +blogspot.ro +blogspot.ru +blogspot.se +blogspot.sg +blogspot.sk +blogspot.td +blogspot.tw +codespot.com +googleapis.com +googlecode.com +pagespeedmobilizer.com +withgoogle.com + +// Heroku : https://www.heroku.com/ +// Submitted by Tom Maher 2013-05-02 +herokuapp.com +herokussl.com + +// iki.fi +// Submitted by Hannu Aronsson 2009-11-05 +iki.fi + +// info.at : http://www.info.at/ +biz.at +info.at + +// Michau Enterprises Limited : http://www.co.pl/ +co.pl + +// Microsoft : http://microsoft.com +// Submitted by Barry Dorrans 2014-01-24 +azurewebsites.net +azure-mobile.net +cloudapp.net + +// NFSN, Inc. : https://www.NearlyFreeSpeech.NET/ +// Submitted by Jeff Wheelhouse 2014-02-02 +nfshost.com + +// NYC.mn : http://www.information.nyc.mn +// Submitted by Matthew Brown 2013-03-11 +nyc.mn + +// One Fold Media : http://www.onefoldmedia.com/ +// Submitted by Eddie Jones 2014-06-10 +nid.io + +// Opera Software, A.S.A. +// Submitted by Yngve Pettersen 2009-11-26 +operaunite.com + +// OutSystems +// Submitted by Duarte Santos 2014-03-11 +outsystemscloud.com + +// .pl domains (grandfathered) +art.pl +gliwice.pl +krakow.pl +poznan.pl +wroc.pl +zakopane.pl + +// Red Hat, Inc. 
OpenShift : https://openshift.redhat.com/ +// Submitted by Tim Kramer 2012-10-24 +rhcloud.com + +// GDS : https://www.gov.uk/service-manual/operations/operating-servicegovuk-subdomains +// Submitted by David Illsley 2014-08-28 +service.gov.uk + +// priv.at : http://www.nic.priv.at/ +// Submitted by registry 2008-06-09 +priv.at + +// TASK geographical domains (www.task.gda.pl/uslugi/dns) +gda.pl +gdansk.pl +gdynia.pl +med.pl +sopot.pl + +// UDR Limited : http://www.udr.hk.com +// Submitted by registry 2014-11-07 +hk.com +hk.org +ltd.hk +inc.hk + +// Yola : https://www.yola.com/ +// Submitted by Stefano Rivera 2014-07-09 +yolasite.com + +// ZaNiC : http://www.za.net/ +// Submitted by registry 2009-10-03 +za.net +za.org + +// ===END PRIVATE DOMAINS=== \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-DataLoads/README.md b/opensoc-streaming/OpenSOC-DataLoads/README.md new file mode 100644 index 0000000000..773d6db80c --- /dev/null +++ b/opensoc-streaming/OpenSOC-DataLoads/README.md 
@@ -0,0 +1,50 @@
+# OpenSOC-DataLoads
+
+This project is a collection of classes to assist with loading of various enrichment sources into OpenSOC.
+
+## Threat Intel Enrichment
+
+Threat Intel enrichment data sources can be loaded into OpenSOC using the ThreatIntelLoader class and an implementation of a ThreatIntelSource interface. Both are described below.
+
+### ThreatIntelSource Interface
+
+This inteface extends the Iterator interface and must implement the following methods:
+
+`void initializeSource(Configuration config);`
+
+Put any setup that needs to be done here. This will be called by ThreatIntelLoader before attempting to fetch any data from the source. The paramter config is a Configuration object created from the configuration file passed to ThreatIntelLoader. See the ThreatIntelLoader section below for more details
+
+`void cleanupSource();`
+
+This is called after all data is retrieved, just before ThreatIntelLoader exists. Perform any clean up here if needed.
+
+`JSONObject next()`
+
+This method should return the next piece of intel to be stored in OpenSOC. The returned JSONObject must have the following fields:
+
+* indicator - The indicator that will be checked against during enrichment. For example, and IP Address or a Hostname.
+* source - The source of the data, which can be any unique string to identify the origin of the intel. This will be the column qualifer in HBase and be used to group matches on in Storm
+* data - A JSONArray of JSONObjects that detail the intel for the indicator. The JSONObjects have no required format
+
+
+`boolean hasNext()`
+
+Returns true if there are more sources to read. Otherwise, false.
+
+
+### ThreatIntelLoader
+
+This class is intenteded to be called from the commandline on the OpenSOC cluster and is responsible for taking intel from a ThreatIntelSource implementation and putting them into HBase.
+ +#### Usage + +```` +usage: ThreatIntelLoader [--configFile ] --source --table + --configFile Configuration file for source class + --source Source class to use + --table HBase table to load into +```` + +* configFile - the file passed in by this class is used to provide configuration options to the ThreatIntelSource implementation being used. +* source - the implementation of ThreatIntelSource to use +* table - the hbase table to store the threat intel in for enrichment later. This should match what the corresponding enrichment bolt is using in Storm diff --git a/opensoc-streaming/OpenSOC-DataLoads/dependency-reduced-pom.xml b/opensoc-streaming/OpenSOC-DataLoads/dependency-reduced-pom.xml deleted file mode 100644 index 679e46abad..0000000000 --- a/opensoc-streaming/OpenSOC-DataLoads/dependency-reduced-pom.xml +++ /dev/null @@ -1,145 +0,0 @@ - - - - OpenSOC-Streaming - com.opensoc - 0.3BETA-SNAPSHOT - - 4.0.0 - OpenSOC-DataLoads - - src - - - src - - **/*.java - - - - - - maven-compiler-plugin - 3.1 - - 1.7 - 1.7 - - - - maven-shade-plugin - 2.3 - - - package - - shade - - - - - classworlds:classworlds - junit:junit - jmock:* - *:xml-apis - org.apache.maven:lib:tests - log4j:log4j:jar: - *:hbase:* - - - - - - - - - - - org.apache.storm - storm-core - 0.9.2-incubating - provided - - - clojure - org.clojure - - - clj-time - clj-time - - - compojure - compojure - - - hiccup - hiccup - - - ring-devel - ring - - - ring-jetty-adapter - ring - - - tools.logging - org.clojure - - - math.numeric-tower - org.clojure - - - tools.cli - org.clojure - - - commons-exec - org.apache.commons - - - curator-framework - org.apache.curator - - - carbonite - com.twitter - - - snakeyaml - org.yaml - - - httpclient - org.apache.httpcomponents - - - disruptor - com.googlecode.disruptor - - - jgrapht-core - org.jgrapht - - - logback-classic - ch.qos.logback - - - log4j-over-slf4j - org.slf4j - - - - - junit - junit - 3.8.2 - compile - - - - 
diff --git a/opensoc-streaming/OpenSOC-DataLoads/pom.xml b/opensoc-streaming/OpenSOC-DataLoads/pom.xml index 44df7677c4..c51c045fbf 100644 --- a/opensoc-streaming/OpenSOC-DataLoads/pom.xml +++ b/opensoc-streaming/OpenSOC-DataLoads/pom.xml @@ -15,28 +15,41 @@ com.opensoc OpenSOC-Streaming - 0.3BETA-SNAPSHOT + 0.6BETA OpenSOC-DataLoads - + UTF-8 + UTF-8 com.opensoc OpenSOC-Common - ${parent.version} + ${project.parent.version} org.apache.storm storm-core ${global_storm_version} provided + + + servlet-api + javax.servlet + + org.apache.hbase hbase-client ${global_hbase_version} + + + log4j + log4j + + @@ -69,15 +82,18 @@ shade + true classworlds:classworlds junit:junit jmock:* *:xml-apis + *slf4j* org.apache.maven:lib:tests log4j:log4j:jar: *:hbase:* + org.apache.hadoop.yarn.util.package-info* diff --git a/opensoc-streaming/OpenSOC-DataLoads/src/com/opensoc/dataloads/cif/HBaseTableLoad.java b/opensoc-streaming/OpenSOC-DataLoads/src/com/opensoc/dataloads/cif/HBaseTableLoad.java deleted file mode 100644 index cdf0541f87..0000000000 --- a/opensoc-streaming/OpenSOC-DataLoads/src/com/opensoc/dataloads/cif/HBaseTableLoad.java +++ /dev/null 
@@ -1,122 +0,0 @@ -package com.opensoc.dataloads.cif; - -import java.io.BufferedReader; -import java.io.File; -import java.io.FileInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.InputStreamReader; -import java.util.ArrayList; -import java.util.List; -import java.util.Map; -import java.util.zip.GZIPInputStream; - -import org.json.simple.parser.JSONParser; -import org.json.simple.parser.ParseException; -import org.apache.hadoop.hbase.HBaseConfiguration; -import org.apache.hadoop.hbase.client.*; -import org.apache.hadoop.hbase.util.Bytes; -import org.apache.hadoop.conf.Configuration; - -import java.io.BufferedInputStream; - -public class HBaseTableLoad { - - private static Configuration conf = null; - private final static String hbaseTable = "cif_table"; - /** - * Initialization - */ - static { - conf = HBaseConfiguration.create(); - } - - public static void main(String[] args) { - - LoadDirHBase(args[0]); - - } - - public static void LoadDirHBase(String dirName) { - System.out.println("Working on:" + dirName); - File folder = new File(dirName); - File[] listOfFiles = folder.listFiles(); - - for (int i = 0; i < listOfFiles.length; i++) { - File file = listOfFiles[i]; - - if (file.isFile() && file.getName().endsWith(".gz")) { - - // e.g. folder name is infrastructure_botnet. 
Col Qualifier is - // botnet and col_family is infrastructure - - String col_family = folder.getName().split("_")[0]; - String col_qualifier = folder.getName().split("_")[1]; - - // Open gz file - try { - InputStream input = new BufferedInputStream( - new GZIPInputStream(new FileInputStream(file))); - - HBaseBulkPut(input, col_family, col_qualifier); - - } catch (IOException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } catch (ParseException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } - } else if (file.isDirectory()) // if sub-directory then call the - // function recursively - LoadDirHBase(file.getAbsolutePath()); - } - } - - /** - * @param input - * @param hbaseTable - * @param col_family - * @throws IOException - * @throws ParseException - * - * - * Inserts all json records picked up from the inputStream - */ - public static void HBaseBulkPut(InputStream input, String col_family, - String col_qualifier) throws IOException, ParseException { - - HTable table = new HTable(conf, hbaseTable); - JSONParser parser = new JSONParser(); - - BufferedReader br = new BufferedReader(new InputStreamReader(input)); - String jsonString; - List allputs = new ArrayList(); - Map json; - - while ((jsonString = br.readLine()) != null) { - - try { - - json = (Map) parser.parse(jsonString); - } catch (ParseException e) { - //System.out.println("Unable to Parse: " +jsonString); - continue; - } - // Iterator iter = json.entrySet().iterator(); - - // Get Address - either IP/domain or email and make that the Key - Put put = new Put(Bytes.toBytes((String) json.get("address"))); - - // We are just adding a "Y" flag to mark this address - put.add(Bytes.toBytes(col_family), Bytes.toBytes(col_qualifier), - Bytes.toBytes("Y")); - - allputs.add(put); - } - table.put(allputs); - System.out.println("---------------Values------------------" - + hbaseTable); - table.close(); - } -} \ No newline at end of file 
diff --git a/opensoc-streaming/OpenSOC-DataLoads/src/main/java/com/opensoc/dataloads/ThreatIntelLoader.java b/opensoc-streaming/OpenSOC-DataLoads/src/main/java/com/opensoc/dataloads/ThreatIntelLoader.java new file mode 100644 index 0000000000..c602d0cf93 --- /dev/null +++ b/opensoc-streaming/OpenSOC-DataLoads/src/main/java/com/opensoc/dataloads/ThreatIntelLoader.java 
@@ -0,0 +1,174 @@ +package com.opensoc.dataloads; + + +import java.io.File; +import java.io.IOException; +import java.io.InterruptedIOException; +import java.util.ArrayList; + +import org.apache.commons.cli.CommandLineParser; +import org.apache.commons.cli.CommandLine; +import org.apache.commons.cli.BasicParser; +import org.apache.commons.cli.HelpFormatter; +import org.apache.commons.cli.Options; +import org.apache.commons.cli.OptionBuilder; +import org.apache.commons.configuration.PropertiesConfiguration; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hbase.HBaseConfiguration; +import org.apache.hadoop.hbase.client.HTable; +import org.apache.hadoop.hbase.client.Put; +import org.apache.hadoop.hbase.util.Bytes; +import org.apache.log4j.Logger; +import org.json.simple.JSONObject; +import org.json.simple.JSONArray; + +import com.opensoc.dataloads.interfaces.ThreatIntelSource; + +public class ThreatIntelLoader { + + + private static final Logger LOG = Logger.getLogger(ThreatIntelLoader.class); + + private static int BULK_SIZE = 50; + + public static void main(String[] args) { + + PropertiesConfiguration sourceConfig = null; + ThreatIntelSource threatIntelSource = null; + ArrayList putList = null; + HTable table = null; + Configuration hConf = null; + + CommandLine commandLine = parseCommandLine(args); + File configFile = new File(commandLine.getOptionValue("configFile")); + + try { + sourceConfig = new PropertiesConfiguration(configFile); + } catch (org.apache.commons.configuration.ConfigurationException e) { + LOG.error("Error in configuration file " + configFile); + LOG.error(e); + System.exit(-1); + } + + try { + threatIntelSource = (ThreatIntelSource) Class.forName(commandLine.getOptionValue("source")).newInstance(); + threatIntelSource.initializeSource(sourceConfig); + } catch (ClassNotFoundException|InstantiationException|IllegalAccessException e) { + LOG.error("Error while trying to load class " + commandLine.getOptionValue("source")); + 
LOG.error(e); + System.exit(-1); + } + + hConf = HBaseConfiguration.create(); + try { + table = new HTable(hConf, commandLine.getOptionValue("table")); + } catch (IOException e) { + LOG.error("Exception when processing HBase config"); + LOG.error(e); + System.exit(-1); + } + + + putList = new ArrayList(); + + while (threatIntelSource.hasNext()) { + + JSONObject intel = threatIntelSource.next(); + + /* + * If any of the required fields from threatIntelSource are + * missing, or contain invalid data, don't put it in HBase. + */ + try { + + putList.add(putRequestFromIntel(intel)); + + if (putList.size() == BULK_SIZE) { + table.put(putList); + putList.clear(); + } + + } catch (NullPointerException|ClassCastException e) { + LOG.error("Exception while processing intel object"); + LOG.error(intel.toString()); + LOG.error(e); + } catch (InterruptedIOException|org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException e) { + LOG.error("Problem communicationg with HBase"); + LOG.error(e); + System.exit(-1); + } + } + + } + /* + * Takes a JSONObject from a ThreatIntelSource implementation, ensures + * that the format of the returned JSONObect is correct, and returns + * a Put request for HBase. + * + * @param intel The JSONObject from a ThreatIntelSource + * @return A put request for the intel data + * @throws NullPointerException If a required field is missing + * @throws ClassCastException If a field has an invalid type + * + */ + private static Put putRequestFromIntel(JSONObject intel) { + + Put tempPut = new Put(Bytes.toBytes((String) intel.get("indicator"))); + + JSONArray intelArray = (JSONArray) intel.get("data"); + + tempPut.add(Bytes.toBytes("source"), + Bytes.toBytes((String) intel.get("source")), + Bytes.toBytes(intelArray.toString())); + + return tempPut; + } + /* + * Handles parsing of command line options and validates the options are used + * correctly. 
This will not validate the value of the options, it will just + * ensure that the required options are used. If the options are used + * incorrectly, the help is printed, and the program exits. + * + * @param args The arguments from the CLI + * @return A CommandLine with the CLI arguments + * + */ + private static CommandLine parseCommandLine(String[] args) { + + CommandLineParser parser = new BasicParser(); + CommandLine cli = null; + + Options options = new Options(); + + options.addOption(OptionBuilder.withArgName("s"). + withLongOpt("source"). + isRequired(true). + hasArg(true). + withDescription("Source class to use"). + create() + ); + options.addOption(OptionBuilder.withArgName("t"). + withLongOpt("table"). + isRequired(true). + hasArg(true). + withDescription("HBase table to load into"). + create() + ); + options.addOption(OptionBuilder.withArgName("c"). + withLongOpt("configFile"). + hasArg(true). + withDescription("Configuration file for source class"). + create() + ); + + try { + cli = parser.parse(options, args); + } catch(org.apache.commons.cli.ParseException e) { + HelpFormatter formatter = new HelpFormatter(); + formatter.printHelp("ThreatIntelLoader", options, true); + System.exit(-1); + } + + return cli; + } +} diff --git a/opensoc-streaming/OpenSOC-DataLoads/src/main/java/com/opensoc/dataloads/cif/HBaseTableLoad.java b/opensoc-streaming/OpenSOC-DataLoads/src/main/java/com/opensoc/dataloads/cif/HBaseTableLoad.java new file mode 100644 index 0000000000..5e456e4d4e --- /dev/null +++ b/opensoc-streaming/OpenSOC-DataLoads/src/main/java/com/opensoc/dataloads/cif/HBaseTableLoad.java 
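Review bot: The last partial batch is never written: in `main`, inside the `while (threatIntelSource.hasNext())` loop, `table.put(putList)` runs only when `putList.size() == BULK_SIZE`, so up to 49 trailing indicators are silently dropped and the enrichment table ends up missing intel that the source supplied. After the loop the code should flush what remains, close the table, and call `cleanupSource()`, which the README added in this commit says the loader invokes but this class never does. Separately, `--configFile` is not marked required in `parseCommandLine`, yet `new File(commandLine.getOptionValue("configFile"))` throws a NullPointerException when the option is omitted; either make it required or skip the `PropertiesConfiguration` load when the value is null.

```java
    // … unchanged: while (threatIntelSource.hasNext()) loop …

    try {
      // Flush the final batch that never reached BULK_SIZE.
      if (!putList.isEmpty()) {
        table.put(putList);
        putList.clear();
      }
      table.close();
    } catch (IOException e) {
      LOG.error("Problem communicating with HBase", e);
      System.exit(-1);
    }

    threatIntelSource.cleanupSource();
```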
@@ -0,0 +1,238 @@ +package com.opensoc.dataloads.cif; + +import java.io.BufferedReader; +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.util.ArrayList; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Set; +import java.util.zip.GZIPInputStream; +import java.util.zip.ZipInputStream; + +import org.json.simple.parser.JSONParser; +import org.json.simple.parser.ParseException; +import org.apache.hadoop.hbase.HBaseConfiguration; +import org.apache.hadoop.hbase.client.*; +import org.apache.hadoop.hbase.util.Bytes; +import org.apache.hadoop.conf.Configuration; +import org.apache.log4j.Logger; +import org.apache.commons.cli.BasicParser; +import org.apache.commons.cli.CommandLine; +import org.apache.commons.cli.CommandLineParser; +import org.apache.commons.cli.Options; + +import java.io.BufferedInputStream; + +public class HBaseTableLoad { + + private static final Logger LOG = Logger.getLogger(HBaseTableLoad.class); + private static Configuration conf = null; + private String hbaseTable = "cif_table"; + private String dirName = "./"; + private boolean usefileList = false; + private Set files; + + /** + * Initialization + */ + static { + conf = HBaseConfiguration.create(); + } + + public static void main(String[] args) { + + HBaseTableLoad ht = new HBaseTableLoad(); + + ht.parse(args); + //ht.LoadDirHBase(); + + } + + private void LoadDirHBase() { + LOG.info("Working on:" + dirName); + File folder = new File(dirName); + File[] listOfFiles = folder.listFiles(); + InputStream input; + + for (int i = 0; i < listOfFiles.length; i++) { + File file = listOfFiles[i]; + + if (file.isFile()) { + + // Check if filename is present in FileList + if (usefileList) + if (!files.contains(file.getAbsolutePath())) + continue; + + // e.g. folder name is infrastructure_botnet. 
Col Qualifier is + // botnet and col_family is infrastructure + + String col_family = folder.getName().split("_")[0]; + String col_qualifier = folder.getName().split("_")[1]; + + // Open file + try { + if (file.getName().endsWith(".gz")) + input = new BufferedInputStream(new GZIPInputStream( + new FileInputStream(file))); + else if (file.getName().endsWith(".zip")) + input = new BufferedInputStream(new ZipInputStream( + new FileInputStream(file))); + else if (file.getName().endsWith(".json")) + input = new BufferedInputStream((new FileInputStream( + file))); + else + continue; + + LOG.info("Begin Loading File:" + file.getAbsolutePath()); + + HBaseBulkPut(input, col_family, col_qualifier); + LOG.info("Completed Loading File:" + file.getAbsolutePath()); + + } catch (IOException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (ParseException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + } else if (file.isDirectory()) // if sub-directory then call the + // function recursively + this.LoadDirHBase(file.getAbsolutePath()); + } + } + + private void LoadDirHBase(String dirname) { + + this.dirName = dirname; + this.LoadDirHBase(); + + } + + /** + * @param input + * @param hbaseTable + * @param col_family + * @throws IOException + * @throws ParseException + * + * + * Inserts all json records picked up from the inputStream + */ + private void HBaseBulkPut(InputStream input, String col_family, + String col_qualifier) throws IOException, ParseException { + + HTable table = new HTable(conf, hbaseTable); + JSONParser parser = new JSONParser(); + + BufferedReader br = new BufferedReader(new InputStreamReader(input)); + String jsonString; + List allputs = new ArrayList(); + Map json; + + while ((jsonString = br.readLine()) != null) { + + try { + + json = (Map) parser.parse(jsonString); + } catch (ParseException e) { + // System.out.println("Unable to Parse: " +jsonString); + continue; + } + // Iterator iter = 
json.entrySet().iterator(); + + // Get Address - either IP/domain or email and make that the Key + Put put = new Put(Bytes.toBytes((String) json.get("address"))); + + // We are just adding a "Y" flag to mark this address + put.add(Bytes.toBytes(col_family), Bytes.toBytes(col_qualifier), + Bytes.toBytes("Y")); + + allputs.add(put); + } + table.put(allputs); + table.close(); + } + + private void printUsage() { + System.out + .println("Usage: java -cp JarFile com.opensoc.dataloads.cif.HBaseTableLoad -d -t -f "); + } + + private void parse(String[] args) { + CommandLineParser parser = new BasicParser(); + Options options = new Options(); + + options.addOption("d", true, "description"); + options.addOption("t", true, "description"); + options.addOption("f", false, "description"); + + CommandLine cmd = null; + try { + cmd = parser.parse(options, args); + + if (cmd.hasOption("d")) + { + this.dirName = cmd.getOptionValue("d"); + LOG.info("Directory Name:" + cmd.getOptionValue("d")); + } + else { + LOG.info("Missing Directory Name"); + printUsage(); + System.exit(-1); + } + + if (cmd.hasOption("t")) + { + this.hbaseTable = cmd.getOptionValue("t"); + LOG.info("HBase Table Name:" + cmd.getOptionValue("t")); + } + else { + LOG.info("Missing Table Name"); + printUsage(); + System.exit(-1); + } + + if (cmd.hasOption("f")) { + this.usefileList = true; + files = LoadFileList(cmd.getOptionValue("f")); + LOG.info("FileList:" + cmd.getOptionValue("f")); + } + + } catch (org.apache.commons.cli.ParseException e) { + LOG.error("Failed to parse comand line properties", e); + e.printStackTrace(); + System.exit(-1); + } + } + + private Set LoadFileList(String filename) { + + Set output = null; + BufferedReader reader; + + try { + reader = new BufferedReader(new InputStreamReader( + new FileInputStream(filename))); + output = new HashSet(); + String in = ""; + + while ((in = reader.readLine()) != null) + output.add(in); + + reader.close(); + + } catch (IOException e) { + // TODO 
Auto-generated catch block + e.printStackTrace(); + } + + return output; + } + +} \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-DataLoads/src/hbase-site.xml b/opensoc-streaming/OpenSOC-DataLoads/src/main/resources/hbase-site.xml similarity index 100% rename from opensoc-streaming/OpenSOC-DataLoads/src/hbase-site.xml rename to opensoc-streaming/OpenSOC-DataLoads/src/main/resources/hbase-site.xml diff --git a/opensoc-streaming/OpenSOC-DataServices/README.md b/opensoc-streaming/OpenSOC-DataServices/README.md new file mode 100644 index 0000000000..e845566c06 --- /dev/null +++ b/opensoc-streaming/OpenSOC-DataServices/README.md @@ -0,0 +1 @@ +README diff --git a/opensoc-streaming/OpenSOC-DataServices/pom.xml b/opensoc-streaming/OpenSOC-DataServices/pom.xml index 56b7372e61..14c51eb949 100644 --- a/opensoc-streaming/OpenSOC-DataServices/pom.xml +++ b/opensoc-streaming/OpenSOC-DataServices/pom.xml 
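Review bot: `main` only calls `ht.parse(args)`; the load itself is commented out (`//ht.LoadDirHBase();`), so as committed the tool validates its options and exits without writing anything to HBase — if that is not intentional, restore `ht.LoadDirHBase();`. In `parse`, `-f` is registered with `options.addOption("f", false, "description")`, so `cmd.getOptionValue("f")` is null and `LoadFileList(null)` fails in `new FileInputStream(filename)`; it should read `options.addOption("f", true, "file listing the paths to load")`. In `LoadDirHBase`, the `.zip` branch wraps the file in a `ZipInputStream` without calling `getNextEntry()`, so reads return end-of-stream and zipped feeds load no records, and `folder.getName().split("_")[1]` throws for any directory name without an underscore. `HBaseBulkPut` also skips unparseable lines without logging them, which hides a truncated or malformed feed; a `LOG.warn` carrying the skipped-line count would make gaps in the loaded indicators visible.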
@@ -1,21 +1,238 @@ - 4.0.0 - com.opensoc + + com.opensoc + OpenSOC-Streaming + 0.6BETA + + + 4.0.0 OpenSOC-DataServices 1.0-SNAPSHOT 1.6.4 + 1.10 + 1.8.3 + 2.1.1 + 3.0.0.RELEASE + 3.2.6.RELEASE + + + Kraken-Repo + Kraken Repository + http://download.krakenapps.org + + + + org.krakenapps + kraken-pcap + 1.5.0 + provided + + + slf4j-simple + org.slf4j + + + + + + com.opensoc + OpenSOC-Common + ${parent.version} + + + + junit + junit + ${junit.version} + test + + + org.powermock + powermock-api-mockito + 1.5 + test + + + org.powermock + powermock-core + 1.5 + test + + + org.powermock + powermock-module-junit4 + 1.5 + test + + + joda-time + joda-time + 2.3 + + + org.springframework.integration + spring-integration-http + ${spring.integration.version} + + + org.springframework + spring-webmvc + ${spring.version} + + + org.apache.hbase + hbase-client + ${global_hbase_version} + provided + + + org.slf4j + slf4j-log4j12 + + + + + org.apache.hbase + hbase-testing-util + ${global_hbase_version} + provided + + + org.slf4j + slf4j-log4j12 + + + jsp-api + javax.servlet.jsp + + + servlet-api + javax.servlet + + + servlet-api-2.5 + org.mortbay.jetty + + + jackson-jaxrs + org.codehaus.jackson + + + jersey-core + com.sun.jersey + + + jasper-compiler + tomcat + + + jasper-runtime + tomcat + + + jsp-2.1 + org.mortbay.jetty + + + jsp-api-2.1 + org.mortbay.jetty + + + + + org.apache.hadoop + hadoop-common + ${global_hadoop_version} + provided + + + jsp-api + javax.servlet.jsp + + + servlet-api + javax.servlet + + + jackson-jaxrs + org.codehaus.jackson + + + jersey-core + com.sun.jersey + + + jasper-compiler + tomcat + + + jasper-runtime + tomcat + + + + + org.apache.hadoop + hadoop-hdfs + ${global_hadoop_version} + provided + + + jsp-api + javax.servlet.jsp + + + servlet-api + javax.servlet + + + jersey-core + com.sun.jersey + + + jasper-runtime + tomcat + + + + + + org.elasticsearch elasticsearch 1.3.1 + + commons-beanutils + commons-beanutils + ${commons-beanutils.version} + + + 
org.apache.commons + commons-jexl + ${commons-jexl.version} + + + + commons-configuration + commons-configuration + ${commons-configuration.version} + + + org.slf4j + slf4j-api + + + + commons-codec commons-codec @@ -46,6 +263,12 @@ org.eclipse.jetty apache-jsp 9.2.1.v20140609 + + + javax.servlet.jsp-api + javax.servlet.jsp + + org.eclipse.jetty @@ -137,7 +360,7 @@ org.slf4j slf4j-log4j12 - 1.6.4 + ${slf4j.version} org.apache.shiro @@ -160,6 +383,7 @@ slf4j-api ${slf4j.version} + @@ -275,4 +499,4 @@ - \ No newline at end of file + diff --git a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/alerts/server/AlertsProcessingServer.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/alerts/server/AlertsProcessingServer.java index 3cf6246b82..cec50b9276 100644 --- a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/alerts/server/AlertsProcessingServer.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/alerts/server/AlertsProcessingServer.java @@ -11,7 +11,6 @@ import org.slf4j.LoggerFactory; import com.google.inject.Inject; -import com.opensoc.dataservices.Main; public class AlertsProcessingServer { diff --git a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/alerts/server/AlertsSearcher.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/alerts/server/AlertsSearcher.java index 15db7041ea..4a23395275 100644 --- a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/alerts/server/AlertsSearcher.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/alerts/server/AlertsSearcher.java @@ -7,9 +7,7 @@ import java.io.IOException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; -import java.util.ArrayList; import java.util.HashMap; -import java.util.List; import java.util.Map; import java.util.Properties; 
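Review bot: The new repository entry `Kraken-Repo` points at `http://download.krakenapps.org`, so the `kraken-pcap` 1.5.0 artifact is resolved over unauthenticated HTTP and could be altered in transit on a build machine's network path. Prefer an `https://` URL if the host offers one, or mirror the artifact into an internal repository manager and verify its checksum there. The OpenSOC-Common dependency in the same hunk still uses `${parent.version}`, whereas the OpenSOC-DataLoads pom in this commit was changed to `${project.parent.version}`; the two should agree. The XML markup of this hunk was lost in extraction, so the element names are inferred from the values shown.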
diff --git a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/kafkaclient/KafkaClient.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/kafkaclient/KafkaClient.java index 7874f19047..7b61ba08e1 100644 --- a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/kafkaclient/KafkaClient.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/kafkaclient/KafkaClient.java @@ -7,16 +7,14 @@ import java.util.concurrent.ExecutorService; import java.util.concurrent.Executors; -import org.eclipse.jetty.websocket.api.RemoteEndpoint; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.opensoc.dataservices.Main; - import kafka.consumer.ConsumerConfig; import kafka.consumer.KafkaStream; import kafka.javaapi.consumer.ConsumerConnector; +import org.eclipse.jetty.websocket.api.RemoteEndpoint; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + public class KafkaClient { private static final Logger logger = LoggerFactory.getLogger( KafkaClient.class ); diff --git a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/kafkaclient/KafkaConsumer.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/kafkaclient/KafkaConsumer.java index 0e01f1d1f8..ca2f113986 100644 --- a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/kafkaclient/KafkaConsumer.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/kafkaclient/KafkaConsumer.java 
@@ -2,15 +2,13 @@ import java.io.IOException; +import kafka.consumer.ConsumerIterator; +import kafka.consumer.KafkaStream; + import org.eclipse.jetty.websocket.api.RemoteEndpoint; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import com.opensoc.dataservices.Main; - -import kafka.consumer.ConsumerIterator; -import kafka.consumer.KafkaStream; - public class KafkaConsumer implements Runnable { private static final Logger logger = LoggerFactory.getLogger( KafkaConsumer.class ); diff --git a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/modules/guice/DefaultServletModule.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/modules/guice/DefaultServletModule.java index 3e6d3b52a2..68ce111549 100644 --- a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/modules/guice/DefaultServletModule.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/modules/guice/DefaultServletModule.java @@ -9,7 +9,6 @@ import com.google.inject.Singleton; import com.google.inject.servlet.ServletModule; -import com.opensoc.dataservices.kafkaclient.KafkaConsumer; import com.opensoc.dataservices.servlet.LoginServlet; import com.opensoc.dataservices.servlet.LogoutServlet; import com.opensoc.dataservices.websocket.KafkaMessageSenderServlet; diff --git a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/modules/guice/RestEasyModule.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/modules/guice/RestEasyModule.java index 14dfdb8e78..a9efce840a 100644 --- a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/modules/guice/RestEasyModule.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/modules/guice/RestEasyModule.java 
@@ -4,11 +4,9 @@ import org.slf4j.LoggerFactory; import com.google.inject.AbstractModule; -import com.google.inject.Binder; -import com.google.inject.Module; import com.opensoc.dataservices.auth.RestSecurityInterceptor; -import com.opensoc.dataservices.kafkaclient.KafkaConsumer; import com.opensoc.dataservices.rest.Index; +import com.opensoc.pcapservice.PcapReceiverImplRestEasy; public class RestEasyModule extends AbstractModule { @@ -18,6 +16,7 @@ public class RestEasyModule extends AbstractModule { protected void configure() { bind( Index.class ); + bind( PcapReceiverImplRestEasy.class ); bind( RestSecurityInterceptor.class ); } } diff --git a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/modules/guice/ServiceModule.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/modules/guice/ServiceModule.java index 527167489a..8c7e01dc6b 100644 --- a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/modules/guice/ServiceModule.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/modules/guice/ServiceModule.java @@ -8,7 +8,6 @@ import com.google.inject.Provides; import com.opensoc.dataservices.common.OpenSOCService; -import com.opensoc.dataservices.kafkaclient.KafkaConsumer; import com.opensoc.services.alerts.ElasticSearch_KafkaAlertsService; import com.opensoc.services.alerts.Solr_KafkaAlertsService; diff --git a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/rest/RestServices.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/rest/RestServices.java index 650b6d45a3..4029214725 100644 --- a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/rest/RestServices.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/rest/RestServices.java 
@@ -8,8 +8,6 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import com.opensoc.dataservices.kafkaclient.KafkaConsumer; - public class RestServices extends Application { private static final Logger logger = LoggerFactory.getLogger( RestServices.class ); diff --git a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/servlet/LogoutServlet.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/servlet/LogoutServlet.java index 0754f3a91e..dbc13c7500 100644 --- a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/servlet/LogoutServlet.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/servlet/LogoutServlet.java @@ -9,18 +9,10 @@ import javax.servlet.http.HttpServletResponse; import org.apache.shiro.SecurityUtils; -import org.apache.shiro.authc.AuthenticationException; -import org.apache.shiro.authc.ExcessiveAttemptsException; -import org.apache.shiro.authc.IncorrectCredentialsException; -import org.apache.shiro.authc.LockedAccountException; -import org.apache.shiro.authc.UnknownAccountException; -import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.subject.Subject; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import com.opensoc.dataservices.kafkaclient.KafkaConsumer; - public class LogoutServlet extends HttpServlet { private static final Logger logger = LoggerFactory.getLogger( LogoutServlet.class ); diff --git a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/websocket/KafkaMessageSenderServlet.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/websocket/KafkaMessageSenderServlet.java index 90820d2542..5823e18ae3 100644 --- a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/websocket/KafkaMessageSenderServlet.java 
+++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/websocket/KafkaMessageSenderServlet.java @@ -8,7 +8,6 @@ import org.slf4j.LoggerFactory; import com.google.inject.Inject; -import com.opensoc.dataservices.kafkaclient.KafkaConsumer; @WebServlet(name = "Message Sender Servlet", urlPatterns = { "/messages" }) public class KafkaMessageSenderServlet extends WebSocketServlet diff --git a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/websocket/KafkaMessageSenderSocket.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/websocket/KafkaMessageSenderSocket.java index 7a055ef6c2..97a61f6737 100644 --- a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/websocket/KafkaMessageSenderSocket.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/websocket/KafkaMessageSenderSocket.java @@ -13,9 +13,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import com.google.inject.Inject; import com.opensoc.dataservices.kafkaclient.KafkaClient; -import com.opensoc.dataservices.kafkaclient.KafkaConsumer; @WebSocket(maxTextMessageSize = 64 * 1024) public class KafkaMessageSenderSocket diff --git a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/websocket/KafkaWebSocketCreator.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/websocket/KafkaWebSocketCreator.java index 2239afc8ba..575fbfea2d 100644 --- a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/websocket/KafkaWebSocketCreator.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/dataservices/websocket/KafkaWebSocketCreator.java @@ -12,7 +12,6 @@ import com.google.inject.Inject; import com.opensoc.dataservices.auth.AuthToken; -import com.opensoc.dataservices.kafkaclient.KafkaConsumer; public class KafkaWebSocketCreator implements WebSocketCreator { 
diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/CellTimestampComparator.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/CellTimestampComparator.java similarity index 75% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/CellTimestampComparator.java rename to opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/CellTimestampComparator.java index 18bf0e5913..e45d8491ee 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/CellTimestampComparator.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/CellTimestampComparator.java @@ -1,11 +1,11 @@ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; import java.util.Comparator; import org.apache.hadoop.hbase.Cell; /** - * Comparator created for sorting pcaps cells based on the timestamp (dsc). + * Comparator created for sorting pcaps cells based on the timestamp (asc). * * @author Sayi */ @@ -16,8 +16,8 @@ public class CellTimestampComparator implements Comparator { * * @see java.util.Comparator#compare(java.lang.Object, java.lang.Object) */ - @Override + public int compare(Cell o1, Cell o2) { - return Long.valueOf(o2.getTimestamp()).compareTo(o1.getTimestamp()); + return Long.valueOf(o1.getTimestamp()).compareTo(o2.getTimestamp()); } } 
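Review bot: Dropping `@Override` from `compare` in CellTimestampComparator removes the compile-time check that the method still implements `Comparator`; the same removal is made on the `getPcaps` overloads in PcapGetterHBaseImpl and PcapScannerHBaseImpl later in this patch. Unless the build targets a source level that rejects the annotation on interface methods (not visible here), keep it. On Java 7 or later the body can also avoid boxing with `return Long.compare(o1.getTimestamp(), o2.getTimestamp());`. Because the order flips from descending to ascending, any caller that relied on newest-first cells should be checked; none are visible in this hunk.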
diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/ConfigurationUtil.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/ConfigurationUtil.java similarity index 98% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/ConfigurationUtil.java rename to opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/ConfigurationUtil.java index 7a1d48674a..be1a1bf4ab 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/ConfigurationUtil.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/ConfigurationUtil.java @@ -1,10 +1,12 @@ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; import org.apache.commons.configuration.Configuration; import org.apache.hadoop.hbase.util.Bytes; import org.springframework.util.Assert; -import com.cisco.opensoc.common.config.ConfigurationManager; +import com.opensoc.configuration.ConfigurationManager; + + /** * utility class for this module which loads commons configuration to fetch diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/HBaseConfigConstants.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/HBaseConfigConstants.java similarity index 96% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/HBaseConfigConstants.java rename to opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/HBaseConfigConstants.java index 826bddab8d..a7e7e3b805 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/HBaseConfigConstants.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/HBaseConfigConstants.java 
@@ -1,4 +1,4 @@ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; /** * HBase configuration properties. diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/HBaseConfigurationUtil.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/HBaseConfigurationUtil.java similarity index 99% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/HBaseConfigurationUtil.java rename to opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/HBaseConfigurationUtil.java index c92a3e4064..8a5c022e83 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/HBaseConfigurationUtil.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/HBaseConfigurationUtil.java @@ -1,7 +1,7 @@ /** * */ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; import java.io.IOException; diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/IPcapGetter.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/IPcapGetter.java similarity index 98% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/IPcapGetter.java rename to opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/IPcapGetter.java index 7dd9c1e3af..dbff59c330 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/IPcapGetter.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/IPcapGetter.java @@ -1,7 +1,7 @@ /** * */ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; import java.io.IOException; import java.util.List; 
diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/IPcapScanner.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/IPcapScanner.java similarity index 97% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/IPcapScanner.java rename to opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/IPcapScanner.java index c8c19ef883..64408e9e9d 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/IPcapScanner.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/IPcapScanner.java @@ -1,4 +1,4 @@ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; import java.io.IOException; diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/PcapGetterHBaseImpl.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/PcapGetterHBaseImpl.java similarity index 98% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/PcapGetterHBaseImpl.java rename to opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/PcapGetterHBaseImpl.java index 9d85639c32..b06137dc9b 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/PcapGetterHBaseImpl.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/PcapGetterHBaseImpl.java @@ -1,7 +1,8 @@ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; import java.io.File; import java.io.IOException; +import java.net.URISyntaxException; import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; 
@@ -11,6 +12,12 @@ import java.util.Map; import java.util.Set; +import javax.annotation.Resource; +import javax.ws.rs.GET; +import javax.ws.rs.Path; +import javax.ws.rs.Produces; +import javax.ws.rs.core.Response; + import org.apache.commons.io.FileUtils; import org.apache.commons.lang.StringUtils; import org.apache.hadoop.hbase.Cell; @@ -39,6 +46,8 @@ * @author sheetal * @version $Revision: 1.0 $ */ + +@Path("/") public class PcapGetterHBaseImpl implements IPcapGetter { /** The pcap getter h base. */ @@ -54,7 +63,16 @@ public class PcapGetterHBaseImpl implements IPcapGetter { * @see com.cisco.opensoc.hbase.client.IPcapGetter#getPcaps(java.util.List, * java.lang.String, long, long, boolean, boolean, long) */ - @Override + + + @GET + @Path("pcap/test") + @Produces("text/html") + public Response index() throws URISyntaxException { + return Response.ok("ALL GOOD").build(); + } + + public PcapsResponse getPcaps(List keys, String lastRowKey, long startTime, long endTime, boolean includeReverseTraffic, boolean includeDuplicateLastRow, long maxResultSize) throws IOException { @@ -107,7 +125,7 @@ public PcapsResponse getPcaps(List keys, String lastRowKey, * @see com.cisco.opensoc.hbase.client.IPcapGetter#getPcaps(java.lang.String, long, * long, boolean) */ - @Override + public PcapsResponse getPcaps(String key, long startTime, long endTime, boolean includeReverseTraffic) throws IOException { Assert.hasText(key, "key must not be null or empty"); @@ -120,7 +138,7 @@ public PcapsResponse getPcaps(String key, long startTime, long endTime, * * @see com.cisco.opensoc.hbase.client.IPcapGetter#getPcaps(java.util.List) */ - @Override + public PcapsResponse getPcaps(List keys) throws IOException { Assert.notEmpty(keys, "'keys' must not be null or empty"); return getPcaps(keys, null, -1, -1, 
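Review bot: The new `index()` resource method at `pcap/test` carries no `@AuthTokenFilter`, unlike the three endpoints added in PcapReceiverImplRestEasy, so if this class is ever registered as a JAX-RS resource it would presumably answer without a token. Registration is not visible in this patch (RestEasyModule and JettyServiceRunner list only PcapReceiverImplRestEasy); if it is never registered, `@Path("/")`, `index()` and the new `javax.ws.rs` imports are dead code in an HBase access class and are better removed. `index()` was also inserted between the Javadoc for the seven-argument `getPcaps` and that method, so the comment now documents the wrong member; move the endpoint above the comment or give it its own one-line Javadoc such as `/** Liveness probe; returns a fixed body. */`. The class body continues outside these hunks.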
@@ -133,7 +151,7 @@ public PcapsResponse getPcaps(List keys) throws IOException { * * @see com.cisco.opensoc.hbase.client.IPcapGetter#getPcaps(java.lang.String) */ - @Override + public PcapsResponse getPcaps(String key) throws IOException { Assert.hasText(key, "key must not be null or empty"); return getPcaps(Arrays.asList(key), null, -1, -1, @@ -195,6 +213,7 @@ List sortKeysByAscOrder(List keys, * @return the list */ @VisibleForTesting +public List removeDuplicateKeys(List keys) { Set set = new HashSet(keys); return new ArrayList(set); diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/PcapHelper.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/PcapHelper.java similarity index 99% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/PcapHelper.java rename to opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/PcapHelper.java index 469974fcb4..522494517f 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/PcapHelper.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/PcapHelper.java @@ -1,4 +1,4 @@ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; import java.util.ArrayList; import java.util.List; diff --git a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/PcapReceiverImplRestEasy.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/PcapReceiverImplRestEasy.java new file mode 100644 index 0000000000..55c6b78113 --- /dev/null +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/PcapReceiverImplRestEasy.java 
@@ -0,0 +1,256 @@ +package com.opensoc.pcapservice; + +import java.io.IOException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.DefaultValue; +import javax.ws.rs.GET; +import javax.ws.rs.Path; +import javax.ws.rs.QueryParam; +import javax.ws.rs.core.Context; +import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.Response; + +import org.apache.commons.lang.StringUtils; +import org.apache.log4j.Logger; + +import com.google.common.annotations.VisibleForTesting; +import com.opensoc.dataservices.auth.AuthTokenFilter; +import com.opensoc.pcap.PcapUtils; + +@Path("/pcap/") +public class PcapReceiverImplRestEasy { + + /** The Constant LOGGER. */ + private static final Logger LOGGER = Logger + .getLogger(PcapReceiverImplRestEasy.class); + + /** The Constant HEADER_CONTENT_DISPOSITION_NAME. */ + private static final String HEADER_CONTENT_DISPOSITION_NAME = "Content-Disposition"; + + /** The Constant HEADER_CONTENT_DISPOSITION_VALUE. */ + private static final String HEADER_CONTENT_DISPOSITION_VALUE = "attachment; filename=\"managed-threat.pcap\""; + + /** partial response key header name. 
*/ + private static final String HEADER_PARTIAL_RESPONE_KEY = "lastRowKey"; + + @AuthTokenFilter + @GET + @Path("/pcapGetter/getPcapsByKeys") + public Response getPcapsByKeys( + @QueryParam("keys") List keys, + @QueryParam("lastRowKey") String lastRowKey, + @DefaultValue("-1") @QueryParam("startTime") long startTime, + @DefaultValue("-1") @QueryParam("endTime") long endTime, + @QueryParam("includeDuplicateLastRow") boolean includeDuplicateLastRow, + @QueryParam("includeReverseTraffic") boolean includeReverseTraffic, + @QueryParam("maxResponseSize") String maxResponseSize, + @Context HttpServletResponse response) throws IOException { + PcapsResponse pcapResponse = null; + + LOGGER.debug( "/pcapGetter/getPcapsByKeys"); + + if (keys == null || keys.size() == 0) { + LOGGER.debug( "no keys provided" ); + return Response.serverError().status(Response.Status.NO_CONTENT) + .entity("'keys' must not be null or empty").build(); + } + + try { + IPcapGetter pcapGetter = PcapGetterHBaseImpl.getInstance(); + pcapResponse = pcapGetter.getPcaps(parseKeys(keys), lastRowKey, + startTime, endTime, includeReverseTraffic, + includeDuplicateLastRow, + ConfigurationUtil.validateMaxResultSize(maxResponseSize)); + LOGGER.info("pcaps response in REST layer =" + + pcapResponse.toString()); + + // return http status '204 No Content' if the pcaps response size is + // 0 + if (pcapResponse == null || pcapResponse.getResponseSize() == 0) { + + return Response.status(Response.Status.NO_CONTENT).build(); + } + + // return http status '206 Partial Content', the partial response + // file and + // 'lastRowKey' header , if the pcaps response status is 'PARTIAL' + + response.setHeader(HEADER_CONTENT_DISPOSITION_NAME, + HEADER_CONTENT_DISPOSITION_VALUE); + + if (pcapResponse.getStatus() == PcapsResponse.Status.PARTIAL) { + + response.setHeader(HEADER_PARTIAL_RESPONE_KEY, + pcapResponse.getLastRowKey()); + + return Response + .ok(pcapResponse.getPcaps(), + MediaType.APPLICATION_OCTET_STREAM).status(206) 
+ .build(); + + } + + } catch (IOException e) { + LOGGER.error( + "Exception occurred while fetching Pcaps for the keys :" + + keys.toString(), e); + throw e; + } + + // return http status '200 OK' along with the complete pcaps response + // file, + // and headers + // return new ResponseEntity(pcapResponse.getPcaps(), headers, + // HttpStatus.OK); + + return Response + .ok(pcapResponse.getPcaps(), MediaType.APPLICATION_OCTET_STREAM) + .status(200).build(); + + } + + @AuthTokenFilter + @GET + @Path("/pcapGetter/getPcapsByKeyRange") + + public Response getPcapsByKeyRange( + @QueryParam("startKey") String startKey, + @QueryParam("endKey")String endKey, + @QueryParam("maxResponseSize") String maxResponseSize, + @DefaultValue("-1") @QueryParam("startTime")long startTime, + @DefaultValue("-1") @QueryParam("endTime") long endTime, + @Context HttpServletResponse servlet_response) throws IOException { + + if (startKey == null || startKey.isEmpty()) + return Response.serverError().status(Response.Status.NO_CONTENT) + .entity("'start key' must not be null or empty").build(); + + if (endKey == null || endKey.isEmpty()) + return Response.serverError().status(Response.Status.NO_CONTENT) + .entity("'end key' must not be null or empty").build(); + + + byte[] response = null; + try { + IPcapScanner pcapScanner = PcapScannerHBaseImpl.getInstance(); + response = pcapScanner.getPcaps(startKey, endKey, + ConfigurationUtil.validateMaxResultSize(maxResponseSize), startTime, + endTime); + if (response == null || response.length == 0) { + + return Response.status(Response.Status.NO_CONTENT).entity("No Data").build(); + + } + servlet_response.setHeader(HEADER_CONTENT_DISPOSITION_NAME, + HEADER_CONTENT_DISPOSITION_VALUE); + + } catch (IOException e) { + LOGGER.error( + "Exception occurred while fetching Pcaps for the key range : startKey=" + + startKey + ", endKey=" + endKey, e); + throw e; + } + // return http status '200 OK' along with the complete pcaps response file, + // and headers + 
+ return Response + .ok(response, MediaType.APPLICATION_OCTET_STREAM) + .status(200).build(); + } + + /* + * (non-Javadoc) + * + * @see + * com.cisco.opensoc.hbase.client.IPcapReceiver#getPcapsByIdentifiers(java.lang + * .String, java.lang.String, java.lang.String, java.lang.String, + * java.lang.String, long, long, boolean, + * javax.servlet.http.HttpServletResponse) + */ + @AuthTokenFilter + @GET + @Path("/pcapGetter/getPcapsByIdentifiers") + + public Response getPcapsByIdentifiers( + @QueryParam ("srcIp") String srcIp, + @QueryParam ("dstIp") String dstIp, + @QueryParam ("protocol") String protocol, + @QueryParam ("srcPort") String srcPort, + @QueryParam ("dstPort") String dstPort, + @DefaultValue("-1") @QueryParam ("startTime")long startTime, + @DefaultValue("-1") @QueryParam ("endTime")long endTime, + @DefaultValue("false") @QueryParam ("includeReverseTraffic") boolean includeReverseTraffic, + @Context HttpServletResponse servlet_response) + + throws IOException { + + if (srcIp == null || srcIp.equals("")) + return Response.serverError().status(Response.Status.NO_CONTENT) + .entity("'srcIp' must not be null or empty").build(); + + if (dstIp == null || dstIp.equals("")) + return Response.serverError().status(Response.Status.NO_CONTENT) + .entity("'dstIp' must not be null or empty").build(); + + if (protocol == null || protocol.equals("")) + return Response.serverError().status(Response.Status.NO_CONTENT) + .entity("'protocol' must not be null or empty").build(); + + if (srcPort == null || srcPort.equals("")) + return Response.serverError().status(Response.Status.NO_CONTENT) + .entity("'srcPort' must not be null or empty").build(); + + if (dstPort == null || dstPort.equals("")) + return Response.serverError().status(Response.Status.NO_CONTENT) + .entity("'dstPort' must not be null or empty").build(); + + + PcapsResponse response = null; + try { + String sessionKey = PcapUtils.getSessionKey(srcIp, dstIp, protocol, + srcPort, dstPort); + LOGGER.info("sessionKey =" 
+ sessionKey); + IPcapGetter pcapGetter = PcapGetterHBaseImpl.getInstance(); + response = pcapGetter.getPcaps(Arrays.asList(sessionKey), null, + startTime, endTime, includeReverseTraffic, false, + ConfigurationUtil.getDefaultResultSize()); + if (response == null || response.getResponseSize() == 0) { + return Response.status(Response.Status.NO_CONTENT).build(); + } + servlet_response.setHeader(HEADER_CONTENT_DISPOSITION_NAME, + HEADER_CONTENT_DISPOSITION_VALUE); + + } catch (IOException e) { + LOGGER.error("Exception occurred while fetching Pcaps by identifiers :", + e); + throw e; + } + // return http status '200 OK' along with the complete pcaps response file, + // and headers + return Response + .ok(response.getPcaps(), MediaType.APPLICATION_OCTET_STREAM) + .status(200).build(); + } + /** + * This method parses the each value in the List using delimiter ',' and + * builds a new List;. + * + * @param keys + * list of keys to be parsed + * @return list of keys + */ + @VisibleForTesting + List parseKeys(List keys) { + // Assert.notEmpty(keys); + List parsedKeys = new ArrayList(); + for (String key : keys) { + parsedKeys.addAll(Arrays.asList(StringUtils.split( + StringUtils.trim(key), ","))); + } + return parsedKeys; + } +} diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/PcapScannerHBaseImpl.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/PcapScannerHBaseImpl.java similarity index 98% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/PcapScannerHBaseImpl.java rename to opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/PcapScannerHBaseImpl.java index 5e0649eef4..b1f017981e 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/PcapScannerHBaseImpl.java 
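Review bot: In `getPcapsByKeys`, `pcapResponse.toString()` is logged before the `pcapResponse == null` test, so a null result from the getter raises a NullPointerException instead of the intended 204. The missing-parameter guards in all three endpoints answer with `Response.serverError().status(Response.Status.NO_CONTENT)` plus an entity; a 204 carries no body and reads as success, so a 400 is the status that lets callers and monitoring tell a malformed request from an empty result. The query parameters (`keys`, `startKey`, `endKey`, and the `sessionKey` built from `srcIp`/`dstIp`/ports) also reach the log messages and the HBase lookup without any format check; validating them at the top of each method and logging them with line breaks stripped keeps request data from forging log entries. The fence shows the first two changes for `getPcapsByKeys`; the same status change applies to the guards in `getPcapsByKeyRange` and `getPcapsByIdentifiers`.

```java
    if (keys == null || keys.isEmpty()) {
      LOGGER.debug("no keys provided");
      // malformed request, not an empty result
      return Response.status(Response.Status.BAD_REQUEST)
          .entity("'keys' must not be null or empty").build();
    }
    // … unchanged: PcapGetterHBaseImpl.getInstance() and the getPcaps(...) call …
      // test for an empty result before dereferencing pcapResponse
      if (pcapResponse == null || pcapResponse.getResponseSize() == 0) {
        return Response.status(Response.Status.NO_CONTENT).build();
      }
      LOGGER.info("pcaps response in REST layer =" + pcapResponse);
    // … unchanged: Content-Disposition header and PARTIAL handling …
```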
+++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/PcapScannerHBaseImpl.java @@ -1,4 +1,4 @@ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; import java.io.ByteArrayOutputStream; import java.io.IOException; @@ -19,8 +19,8 @@ import org.apache.log4j.Logger; import org.springframework.util.Assert; -import com.cisco.opensoc.pcap.parsing.PcapMerger; import com.google.common.annotations.VisibleForTesting; +import com.opensoc.pcap.PcapMerger; /** * Singleton class which integrates with HBase table and returns sorted pcaps @@ -49,7 +49,7 @@ public class PcapScannerHBaseImpl implements IPcapScanner { * @see com.cisco.opensoc.hbase.client.IPcapScanner#getPcaps(java.lang.String, * java.lang.String, long, long, long) */ - @Override + public byte[] getPcaps(String startKey, String endKey, long maxResultSize, long startTime, long endTime) throws IOException { Assert.hasText(startKey, "startKey must no be null or empty"); @@ -221,7 +221,7 @@ private int getConnectionRetryLimit() { * @see com.cisco.opensoc.hbase.client.IPcapScanner#getPcaps(java.lang.String, * java.lang.String) */ - @Override + public byte[] getPcaps(String startKey, String endKey) throws IOException { Assert.hasText(startKey, "startKey must no be null or empty"); Assert.hasText(endKey, "endKey must no be null or empty"); diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/PcapsResponse.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/PcapsResponse.java similarity index 97% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/PcapsResponse.java rename to opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/PcapsResponse.java index a8c8d1b334..10af9e0dec 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/PcapsResponse.java 
+++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/PcapsResponse.java @@ -1,14 +1,16 @@ /** * */ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.util.ArrayList; import java.util.List; -import com.cisco.opensoc.pcap.parsing.PcapMerger; +import com.opensoc.pcap.PcapMerger; + + /** * Holds pcaps data, status and the partial response key. diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/RestTestingUtil.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/RestTestingUtil.java similarity index 99% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/RestTestingUtil.java rename to opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/RestTestingUtil.java index f8e82d326e..651affeae9 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/RestTestingUtil.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/RestTestingUtil.java @@ -1,4 +1,4 @@ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; import java.util.HashMap; import java.util.Map; diff --git a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/rest/JettyServiceRunner.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/rest/JettyServiceRunner.java new file mode 100644 index 0000000000..1fdb0252e5 --- /dev/null +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/rest/JettyServiceRunner.java 
@@ -0,0 +1,26 @@ +package com.opensoc.pcapservice.rest; + +import java.util.HashSet; +import java.util.Set; + +import javax.ws.rs.core.Application; + +import com.opensoc.pcapservice.PcapReceiverImplRestEasy; + +public class JettyServiceRunner extends Application { + + + private static Set services = new HashSet(); + + public JettyServiceRunner() { + // initialize restful services + services.add(new PcapReceiverImplRestEasy()); + } + @Override + public Set getSingletons() { + return services; + } + public static Set getServices() { + return services; + } +} \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/rest/PcapService.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/rest/PcapService.java new file mode 100644 index 0000000000..5f47ead134 --- /dev/null +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/pcapservice/rest/PcapService.java 
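Review bot: `JettyServiceRunner` registers only `PcapReceiverImplRestEasy` in `getSingletons()`, so when the service is started through `PcapService` nothing visible in this patch registers the component that enforces `@AuthTokenFilter` (RestEasyModule binds `RestSecurityInterceptor` for the Guice path only). If the annotation is enforced by that interceptor, the pcap endpoints would be served without the token check in the standalone runner; register the interceptor here as well, or confirm that it is picked up another way. Separately, `services` is a static raw `Set` that the constructor mutates, so every new `JettyServiceRunner` adds another resource instance to shared state; an instance field `private final Set<Object> services = new HashSet<Object>();` avoids that, with the static `getServices()` adjusted or dropped.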
@@ -0,0 +1,34 @@ +package com.opensoc.pcapservice.rest; + +import java.io.IOException; + +import org.eclipse.jetty.server.Server; +import org.eclipse.jetty.servlet.ServletContextHandler; +import org.eclipse.jetty.servlet.ServletHolder; +import org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher; + +import com.opensoc.helpers.services.PcapServiceCli; + + +public class PcapService { + + public static void main(String[] args) throws IOException { + + PcapServiceCli cli = new PcapServiceCli(args); + cli.parse(); + + Server server = new Server(cli.getPort()); + ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS); + context.setContextPath("/"); + ServletHolder h = new ServletHolder(new HttpServletDispatcher()); + h.setInitParameter("javax.ws.rs.Application", "com.opensoc.pcapservice.rest.JettyServiceRunner"); + context.addServlet(h, "/*"); + server.setHandler(context); + try { + server.start(); + server.join(); + } catch (Exception e) { + e.printStackTrace(); + } + } +} \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/services/alerts/ElasticSearch_KafkaAlertsService.java b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/services/alerts/ElasticSearch_KafkaAlertsService.java index a4a7fc056a..69ec5bce8f 100644 --- a/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/services/alerts/ElasticSearch_KafkaAlertsService.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/java/com/opensoc/services/alerts/ElasticSearch_KafkaAlertsService.java @@ -6,7 +6,6 @@ import org.slf4j.LoggerFactory; import com.opensoc.dataservices.common.OpenSOCService; -import com.opensoc.dataservices.kafkaclient.KafkaConsumer; @Singleton public class ElasticSearch_KafkaAlertsService implements OpenSOCService { 
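Review bot: The `catch (Exception e)` around `server.start()` and `server.join()` in `main` only calls `e.printStackTrace()`, so a failed bind or startup error lets `main` return normally and the process exit with status 0, which a supervisor cannot tell from a clean stop. Report the failure through a class logger and exit non-zero, for example `LOGGER.error("pcap service failed to start", e); System.exit(1);`. `new Server(cli.getPort())` also listens on every interface over plain HTTP as written; if the pcap endpoints are meant to be reachable only from a trusted tier, a bind address or TLS connector option belongs in `PcapServiceCli`, whose options are not visible in this hunk.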
diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/resources/config-definition-hbase.xml b/opensoc-streaming/OpenSOC-DataServices/src/main/resources/config-definition-hbase.xml similarity index 100% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/resources/config-definition-hbase.xml rename to opensoc-streaming/OpenSOC-DataServices/src/main/resources/config-definition-hbase.xml diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/resources/hbase-config-default.properties b/opensoc-streaming/OpenSOC-DataServices/src/main/resources/hbase-config-default.properties similarity index 97% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/resources/hbase-config-default.properties rename to opensoc-streaming/OpenSOC-DataServices/src/main/resources/hbase-config-default.properties index e9924ee85e..4ee56b6622 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/resources/hbase-config-default.properties +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/resources/hbase-config-default.properties @@ -17,7 +17,7 @@ hbase.scan.default.result.size=6 hbase.scan.max.result.size=60 # time stamp conversion configuration; possible values 'SECONDS'(seconds), 'MILLIS'(milli seconds), 'MICROS' (micro seconds) -hbase.table.data.time.unit=MICROS +hbase.table.data.time.unit=MILLIS #number of retries in case of ZooKeeper or HBase server down hbase.hconnection.retries.number=3 diff --git a/opensoc-streaming/OpenSOC-DataServices/src/main/resources/hbase-site.xml b/opensoc-streaming/OpenSOC-DataServices/src/main/resources/hbase-site.xml new file mode 100644 index 0000000000..5c3c8197b7 --- /dev/null +++ b/opensoc-streaming/OpenSOC-DataServices/src/main/resources/hbase-site.xml 
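Review bot: Changing the packaged default of `hbase.table.data.time.unit` from `MICROS` to `MILLIS` alters how `startTime`/`endTime` are converted for every deployment that relies on this file, and nothing in the hunk says which unit the ingest side writes. If existing tables hold microsecond cell timestamps, time-bounded pcap queries would presumably select the wrong window after the upgrade. Extend the comment above the key to state the dependency, e.g. `# must match the unit used by the topology that writes the pcap table`.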
@@ -0,0 +1,127 @@ + + + + hbase.tmp.dir + /disk/h/hbase + + + hbase.hregion.memstore.chunkpool.maxsize + 0.5 + + + hbase.regionserver.codecs + lzo,gz,snappy + + + hbase.hstore.flush.retries.number + 120 + + + hbase.client.keyvalue.maxsize + 10485760 + + + hbase.rootdir + hdfs://nn1:8020/apps/hbase/data + + + hbase.defaults.for.version.skip + true + + + hbase.client.scanner.caching + 100 + + + hbase.superuser + hbase + + + hfile.block.cache.size + 0.40 + + + hbase.regionserver.checksum.verify + true + + + hbase.hregion.memstore.mslab.enabled + true + + + hbase.hregion.max.filesize + 107374182400 + + + hbase.cluster.distributed + true + + + zookeeper.session.timeout + 30000 + + + zookeeper.znode.parent + /hbase-unsecure + + + hbase.regionserver.global.memstore.lowerLimit + 0.38 + + + hbase.regionserver.handler.count + 240 + + + hbase.hregion.memstore.mslab.chunksize + 8388608 + + + hbase.zookeeper.quorum + zkpr1,zkpr2,zkpr3 + + + hbase.zookeeper.useMulti + true + + + hbase.hregion.majorcompaction + 86400000 + + + hbase.hstore.blockingStoreFiles + 200 + + + hbase.zookeeper.property.clientPort + 2181 + + + hbase.hregion.memstore.flush.size + 134217728 + + + hbase.security.authorization + false + + + hbase.regionserver.global.memstore.upperLimit + 0.4 + + + hbase.hstore.compactionThreshold + 4 + + + hbase.hregion.memstore.block.multiplier + 8 + + + hbase.security.authentication + simple + + + dfs.client.read.shortcircuit + true + + \ No newline at end of file 
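Review bot: This new `hbase-site.xml` is packaged under `src/main/resources` with `hbase.security.authentication` set to `simple`, `hbase.security.authorization` set to `false` and `zookeeper.znode.parent` set to `/hbase-unsecure`, so a client that can reach the quorum is accepted under whatever user name it presents. The file also hard-codes one environment's hosts (`hdfs://nn1:8020`, `zkpr1,zkpr2,zkpr3`), and because `HBaseConfiguration.create()` reads `hbase-site.xml` from the classpath, the copy inside the jar may take precedence over the cluster's own configuration. I would ship it as a documented sample outside the artifact and add a header comment stating that a production cluster needs `kerberos` authentication and authorization enabled. The OpenSOC-EnrichmentAdapters copy of `hbase-site.xml` rewritten later in this patch carries the same settings.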
diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/CellTimestampComparatorTest.java b/opensoc-streaming/OpenSOC-DataServices/src/test/java/com/opensoc/pcapservice/CellTimestampComparatorTest.java similarity index 85% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/CellTimestampComparatorTest.java rename to opensoc-streaming/OpenSOC-DataServices/src/test/java/com/opensoc/pcapservice/CellTimestampComparatorTest.java index 639af33544..c2a4bf2ec5 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/CellTimestampComparatorTest.java +++ b/opensoc-streaming/OpenSOC-DataServices/src/test/java/com/opensoc/pcapservice/CellTimestampComparatorTest.java @@ -1,4 +1,4 @@ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; import junit.framework.Assert; @@ -8,7 +8,7 @@ import org.junit.Test; import org.mockito.Mockito; -import com.cisco.opensoc.hbase.client.CellTimestampComparator; +import com.opensoc.pcapservice.CellTimestampComparator; /** * The Class CellTimestampComparatorTest. @@ -49,7 +49,7 @@ public void test_less() { CellTimestampComparator comparator = new CellTimestampComparator(); // actual call and verify - Assert.assertTrue(comparator.compare(cell1, cell2) == -1); + Assert.assertTrue(comparator.compare(cell2, cell1) == -1); } @@ -67,7 +67,7 @@ public void test_greater() { CellTimestampComparator comparator = new CellTimestampComparator(); // actual call and verify - Assert.assertTrue(comparator.compare(cell1, cell2) == 1); + Assert.assertTrue(comparator.compare(cell2, cell1) == 1); } @@ -85,7 +85,7 @@ public void test_equal() { CellTimestampComparator comparator = new CellTimestampComparator(); // actual call and verify - Assert.assertTrue(comparator.compare(cell1, cell2) == 0); + Assert.assertTrue(comparator.compare(cell2, cell1) == 0); } 
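Review bot: The three assertions now call `comparator.compare(cell2, cell1)` while keeping the exact `== -1` and `== 1` checks, so the tests pin one implementation's return values rather than the `Comparator` contract, which only fixes the sign. The cell setup is outside these hunks, so it is not clear whether the swap documents a deliberate change to the ordering or just makes the old expectations pass. If the ordering did change, a one-line comment in each test stating the intended order and `Assert.assertTrue(comparator.compare(cell2, cell1) < 0);` (and `> 0` in `test_greater`) would make that explicit.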
diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/pom.xml b/opensoc-streaming/OpenSOC-EnrichmentAdapters/pom.xml index 2f52ad88df..fb21130fdd 100644 --- a/opensoc-streaming/OpenSOC-EnrichmentAdapters/pom.xml +++ b/opensoc-streaming/OpenSOC-EnrichmentAdapters/pom.xml @@ -15,22 +15,24 @@ com.opensoc OpenSOC-Streaming - 0.3BETA-SNAPSHOT + 0.6BETA OpenSOC-EnrichmentAdapters + UTF-8 + UTF-8 5.1.31 1.7.7 0.96.1-hadoop2 - 0.1.2 + 0.1.2 17.0 com.opensoc OpenSOC-Common - ${parent.version} + ${project.parent.version} org.slf4j @@ -62,12 +64,24 @@ org.apache.hadoop hadoop-hdfs ${global_hadoop_version} + + + servlet-api + javax.servlet + + org.apache.storm storm-core ${global_storm_version} provided + + + servlet-api + javax.servlet + + com.google.guava @@ -78,56 +92,74 @@ org.apache.hadoop hadoop-common ${global_hadoop_version} + + + servlet-api + javax.servlet + + + + + junit + junit + ${global_junit_version} + + + commons-validator + commons-validator + 1.4.0 - - junit - junit - 3.8.2 - - - commons-validator - commons-validator - 1.4.0 - - - + - - - - org.apache.maven.plugins - maven-surefire-plugin - - - - mode - local - - - - - - - org.apache.maven.plugins - maven-project-info-reports-plugin - 2.7 - - - false - - - - org.codehaus.mojo - emma-maven-plugin - 1.0-alpha-3 - - - org.apache.maven.plugins - maven-pmd-plugin - - 1.7 - - - - + + + + org.apache.maven.plugins + maven-surefire-plugin + + + + mode + global + + + + + + + org.apache.maven.plugins + maven-project-info-reports-plugin + 2.7 + + + false + + + + org.codehaus.mojo + emma-maven-plugin + 1.0-alpha-3 + + + org.apache.maven.plugins + maven-pmd-plugin + + 1.7 + + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + 3.1 + + 1.7 + 1.7 + + + + diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/readme.md b/opensoc-streaming/OpenSOC-EnrichmentAdapters/readme.md new file mode 100644 index 0000000000..7c08218718 --- /dev/null +++ b/opensoc-streaming/OpenSOC-EnrichmentAdapters/readme.md 
@@ -0,0 +1,125 @@ +#OpenSOC-Enrichments + +##Module Description + +This module enables enrichment of message metafields with additional information from various enrichment sources. Currently there is only a limited number of enrichments available, but this is an extensible framework that can be extended with additional enrichments. Enrichments currently available are geo, whois, hosts, and CIF. + +##Message Format + +Enrichment bolts are designed to go after the parser bolts. Parser bolts will parse the telemetry, taking it from its native format and producing a standard JSON that would look like so: + +```json +{ +"message": +{"ip_src_addr": xxxx, +"ip_dst_addr": xxxx, +"ip_src_port": xxxx, +"ip_dst_port": xxxx, +"protocol": xxxx, +"additional-field 1": xxx, +} + +} +``` + +A single enrichment bolt would enrich the message and produce a JSON enrichment and attach it to the message. Enrichments are stackable so multiple enrichments can be attached sequentially after a single parser bolt. Stacked enrichments would produce messages under the "enrichment" tag and attach it to the message like so: + +```json +{ +"message": +{"ip_src_addr": xxxx, +"ip_dst_addr": xxxx, +"ip_src_port": xxxx, +"ip_dst_port": xxxx, +"protocol": xxxx, +"additional-field 1": xxxx, +}, +"enrichment" : {"geo": xxxx, "whois": xxxx, "hosts": xxxxx, "CIF": "xxxxx"} + +} +``` + +##Enrichment Sources + +Each enrichment has to have an anrichment source which can serve as a lookup table for enriching relevant message fields. In order to minimize the use of additional platforms and tools we primarily try to rely on HBase as much as possible to store the enrichment information for lookup by key. In order to use Hbase we have to pre-process the enrichment feeds for bulk-loading into HBase with specific key format optimized for retrieval as well as utilize caches within the enrichment bolts to be able to provide enrichments real-time. 
Our wiki contains information on how to setup the environment, pre-process feeds, and plug in the enrichment sources. + +##Enrichment Bolt + +The enrichment bolt is designed to be extensible to be re-used for all kinds of enrichment processes. The bolt signature for declaration in a storm topology is as follows: + + + +``` +GenericEnrichmentBolt geo_enrichment = new GenericEnrichmentBolt() +.withEnrichmentTag( +config.getString("bolt.enrichment.geo.enrichment_tag")) +.withAdapter(geo_adapter) +.withMaxTimeRetain( +config.getInt("bolt.enrichment.geo.MAX_TIME_RETAIN_MINUTES")) +.withMaxCacheSize( +config.getInt("bolt.enrichment.geo.MAX_CACHE_SIZE_OBJECTS_NUM")) +.withKeys(geo_keys).withMetricConfiguration(config); + +``` + +EnrichmentTag - Name of the enrichment (geo, whois, hosts, etc) +Keys - Keys which this enrichment is able to enrich (hosts field for hosts enrichment, source_ip, dest_ip, for geo enrichment, etc) +MaxTimeToRetain & MaxCacheSize - define the caching policy of the enrichment bolt +Adapter - which adapter to use with the enrichment bolt instance + +###Geo Adapter +Geo adapter is able to do geo enrichment on hosts and destination IPs. The open source verison of the geo adapter uses the free Geo feeds from MaxMind. The format of these feeds does not easily lend itself to a no-sql DB so this adapter is designed to work with mySql. But it is extensible enough to be made work with a variety of other back ends. + +The signature of a geo adapter is as follows; + +``` +GeoMysqlAdapter geo_adapter = new GeoMysqlAdapter( +config.getString("mysql.ip"), config.getInt("mysql.port"), +config.getString("mysql.username"), +config.getString("mysql.password"), +config.getString("bolt.enrichment.geo.adapter.table")); + +``` + +###Hosts Adapter +The hosts adapter is designed to enrich message format with the static host information that can be read from a standard text file. 
This adapter is intended for use with a network crawling script that can identify all customer assets and place them in a text file. For example, this script would identify all workstations, printers, appliantces, etc. Then if any of these assets are seen in the telemetry messages flowing through the adapter this enrichment would fire and the relevant known information about a host would be attached. We are currently working on porting this adapter to work with HBase, but this work is not ready yet. The known hosts file is located under the /etc/whitelists config directory of OpenSOC. + +The signature of the hosts adapter is as follows: + +``` +Map known_hosts = SettingsLoader +.loadKnownHosts(hosts_path); + +HostFromPropertiesFileAdapter host_adapter = new HostFromPropertiesFileAdapter( +known_hosts); + +``` +* The source and dest ips refer to the name of the message JSON key where the host information is located + +###Whois Adapter +Whois adapter enriches the host name with additional whois information obtained from our proprietary Cisco feed. The enricher itself is provided in this open source distribution, but the feed is not. You have to have your own feed in order to use it. Alternatively, you can contact us for providing you with this feed, but we would have to charge you a fee (we can't distribute it for free). The implemetation of the whois enrichment we provide works with HBase + +The signature of the whois adapter is as follows: + +``` + +EnrichmentAdapter whois_adapter = new WhoisHBaseAdapter( +config.getString("bolt.enrichment.whois.hbase.table.name"), +config.getString("kafka.zk.list"), +config.getString("kafka.zk.port")); +``` + +###CIF Adapter +CIF adapter is designed to take in CIF feeds and cross-reference them against every message processed by Storm. If there is a hit then the relevant information is attached to the message. 
+ +The signature of the CIF adapter is as follows: + +``` +CIFHbaseAdapter = new CIFHbaseAdapter(config +.getString("kafka.zk.list"), config +.getString("kafka.zk.port"), config +.getString("bolt.enrichment.cif.tablename"))) +``` + +##Stacking Enrichments +Enrichments can be stacked. By default each enrichment bolt listens on the "message" stream. In order to create and stack enrichment bolts create a new bolt and instantiate the appropariate adapter. You can look at our sample topologies to see how enrichments can be stacked \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/geo/GeoMysqlAdapter.java b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/geo/GeoMysqlAdapter.java index cfb66739a1..d62632b9bd 100644 --- a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/geo/GeoMysqlAdapter.java +++ b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/geo/GeoMysqlAdapter.java @@ -35,7 +35,7 @@ public class GeoMysqlAdapter extends AbstractGeoAdapter { private String _username; private String _password; private String _tablename; - InetAddressValidator ipvalidator = new InetAddressValidator(); + private InetAddressValidator ipvalidator = new InetAddressValidator(); public GeoMysqlAdapter(String ip, int port, String username, String password, String tablename) { @@ -141,6 +141,8 @@ public JSONObject enrich(String metadata) { jo.put("longitude", resultSet.getString("longitude")); jo.put("dmaCode", resultSet.getString("dmaCode")); jo.put("locID", resultSet.getString("locID")); + + jo.put("location_point", jo.get("longitude") + "," + jo.get("latitude")); _LOG.debug("Returning enrichment: " + jo); @@ -172,7 +174,6 @@ public boolean initializeAdapter() { _LOG.info("[OpenSOC] Set JDBC connection...."); - return true; } catch (Exception e) { e.printStackTrace(); 
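Review bot: The added `location_point` value is built by string concatenation, so when the row has no coordinates `jo.get("longitude") + "," + jo.get("latitude")` produces the literal text `null,null` instead of leaving the field out. A guard such as `if (jo.get("latitude") != null && jo.get("longitude") != null)` around the `put` avoids emitting a bogus point. Please also confirm the order with the consumer: the string form of an Elasticsearch geo_point is `lat,lon`, while this writes longitude first, and the index mapping is not visible in this patch view. `enrich` starts and ends outside this hunk.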
diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/host/HostFromPropertiesFileAdapter.java b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/host/HostFromPropertiesFileAdapter.java index b393fb5aef..e6f693a034 100644 --- a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/host/HostFromPropertiesFileAdapter.java +++ b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/host/HostFromPropertiesFileAdapter.java @@ -21,6 +21,7 @@ import org.json.simple.JSONObject; +@SuppressWarnings("serial") public class HostFromPropertiesFileAdapter extends AbstractHostAdapter { Map _known_hosts; @@ -40,7 +41,8 @@ public boolean initializeAdapter() return false; } - @Override + @SuppressWarnings("unchecked") + @Override public JSONObject enrich(String metadata) { diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/threat/AbstractThreatAdapter.java b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/threat/AbstractThreatAdapter.java new file mode 100644 index 0000000000..395ee48b8c --- /dev/null +++ b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/threat/AbstractThreatAdapter.java 
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.opensoc.enrichment.adapters.threat;
+
+import java.io.Serializable;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.opensoc.enrichment.interfaces.EnrichmentAdapter;
+
+public abstract class AbstractThreatAdapter implements EnrichmentAdapter,Serializable{
+
+
+ private static final long serialVersionUID = 1524030932856141771L;
+ protected static final Logger LOG = LoggerFactory
+ .getLogger(AbstractThreatAdapter.class);
+
+ abstract public boolean initializeAdapter();
+
+}
diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/threat/ThreatHbaseAdapter.java b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/threat/ThreatHbaseAdapter.java
new file mode 100644
index 0000000000..97d02d41b3
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/threat/ThreatHbaseAdapter.java
@@ -0,0 +1,129 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.opensoc.enrichment.adapters.threat; + +import java.io.IOException; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import org.json.simple.JSONObject; +import org.json.simple.parser.JSONParser; +import org.json.simple.parser.ParseException; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hbase.HBaseConfiguration; +import org.apache.hadoop.hbase.client.Get; +import org.apache.hadoop.hbase.client.HConnection; +import org.apache.hadoop.hbase.client.HConnectionManager; +import org.apache.hadoop.hbase.client.HTableInterface; +import org.apache.hadoop.hbase.client.Result; +import org.apache.hadoop.hbase.util.Bytes; +import org.apache.hadoop.hbase.KeyValue; +import org.apache.log4j.Logger; + +@SuppressWarnings("unchecked") +public class ThreatHbaseAdapter extends AbstractThreatAdapter { + + private static final long serialVersionUID = 1L; + private String _tableName; + private HTableInterface table; + private String _quorum; + private String _port; + + public ThreatHbaseAdapter(String quorum, String port, String tableName) { + _quorum = quorum; + _port = port; + 
_tableName = tableName; + } + + /** The LOGGER. */ + private static final Logger LOGGER = Logger + .getLogger(ThreatHbaseAdapter.class); + + public JSONObject enrich(String metadata) { + + JSONObject output = new JSONObject(); + LOGGER.debug("=======Looking Up For:" + metadata); + output.putAll(getThreatObject(metadata)); + + return output; + } + + @SuppressWarnings({ "rawtypes", "deprecation" }) + protected Map getThreatObject(String key) { + + LOGGER.debug("=======Pinging HBase For:" + key); + + Get get = new Get(Bytes.toBytes(key)); + Result rs; + Map output = new HashMap(); + + try { + rs = table.get(get); + + if (!rs.isEmpty()) { + byte[] source_family = Bytes.toBytes("source"); + JSONParser parser = new JSONParser(); + + Map sourceFamilyMap = rs.getFamilyMap(source_family); + + for (Map.Entry entry : sourceFamilyMap.entrySet()) { + String k = Bytes.toString(entry.getKey()); + LOGGER.debug("=======Found intel from source: " + k); + output.put(k,parser.parse(Bytes.toString(entry.getValue()))); + } + } + } catch (IOException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (ParseException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + return output; + } + + @Override + public boolean initializeAdapter() { + + // Initialize HBase Table + Configuration conf = null; + conf = HBaseConfiguration.create(); + conf.set("hbase.zookeeper.quorum", _quorum); + conf.set("hbase.zookeeper.property.clientPort", _port); + + try { + LOGGER.debug("=======Connecting to HBASE==========="); + LOGGER.debug("=======ZOOKEEPER = " + + conf.get("hbase.zookeeper.quorum")); + HConnection connection = HConnectionManager.createConnection(conf); + table = connection.getTable(_tableName); + return true; + } catch (IOException e) { + // TODO Auto-generated catch block + LOGGER.debug("=======Unable to Connect to HBASE==========="); + e.printStackTrace(); + } + + return false; + } + + + +} 
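Review bot: In `getThreatObject`, both `catch` blocks only call `e.printStackTrace()` and the method then returns the empty map, so an HBase outage or a malformed intel record looks exactly like "no threat intelligence for this key". The enrichment bolt reads values through `cache.getUnchecked(...)`, so that empty answer is presumably cached until it expires, which turns a transient failure into missed threat matches. I would propagate instead, `} catch (IOException | ParseException e) { throw new IllegalStateException("Threat intel lookup failed", e); }`, so the miss is not cached and the bolt's error path is taken. In `initializeAdapter` the `HConnection` is a local that is never closed, and the connect failure is logged at `debug`. Keep the connection in a `transient` field so it can be closed, and log the failure at `error` through the `LOG` that `AbstractThreatAdapter` already provides rather than a second log4j `LOGGER`.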
diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/whois/WhoisHBaseAdapter.java b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/whois/WhoisHBaseAdapter.java index 838f8fe8a4..503618ab3b 100644 --- a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/whois/WhoisHBaseAdapter.java +++ b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/adapters/whois/WhoisHBaseAdapter.java @@ -18,6 +18,7 @@ package com.opensoc.enrichment.adapters.whois; import java.io.IOException; +import java.util.Arrays; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.HBaseConfiguration; @@ -29,6 +30,9 @@ import org.apache.hadoop.hbase.client.Result; import org.json.simple.JSONObject; +import com.google.common.base.Joiner; +import com.opensoc.tldextractor.BasicTldExtractor; + public class WhoisHBaseAdapter extends AbstractWhoisAdapter { /** @@ -39,6 +43,7 @@ public class WhoisHBaseAdapter extends AbstractWhoisAdapter { private String _table_name; private String _quorum; private String _port; + private BasicTldExtractor tldex = new BasicTldExtractor(); public WhoisHBaseAdapter(String table_name, String quorum, String port) { _table_name = table_name; @@ -88,11 +93,13 @@ public boolean initializeAdapter() { } @SuppressWarnings({ "unchecked", "deprecation" }) - public JSONObject enrich(String metadata) { + public JSONObject enrich(String metadataIn) { + + String metadata = tldex.extract2LD(metadataIn); LOG.trace("[OpenSOC] Pinging HBase For:" + metadata); - + JSONObject output = new JSONObject(); JSONObject payload = new JSONObject(); 
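Review bot: `enrich` now replaces its argument with `tldex.extract2LD(metadataIn)` and uses the result unchecked, both for the HBase lookup and as the key inside the `whois` payload. `BasicTldExtractor` is not visible here, so please confirm what it returns for an IP literal, a single-label host or an unknown suffix. If that can be `null` or empty, add `if (metadata == null || metadata.isEmpty()) { return output; }` after `output` is created, or fall back to `metadataIn`. A Javadoc line on `enrich` saying that the lookup key is the registered domain rather than the full host name would also help. The body of `enrich` continues outside this hunk.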
@@ -108,12 +115,22 @@ public JSONObject enrich(String metadata) { output.put("whois", payload); } catch (IOException e) { - output.put(metadata, "{}"); + payload.put(metadata, "{}"); + output.put("whois", payload); e.printStackTrace(); } return output; } + +// private String format(String input) { +// String output = input; +// String[] tokens = input.split("\\."); +// if(tokens.length > 2) { +// output = Joiner.on(".").join(Arrays.copyOfRange(tokens, 1, tokens.length));; +// } +// return output; +// } } diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/common/AbstractEnrichmentBolt.java b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/common/AbstractEnrichmentBolt.java index f7aa0fa5e0..be1ef9631d 100644 --- a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/common/AbstractEnrichmentBolt.java +++ b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/common/AbstractEnrichmentBolt.java @@ -51,8 +51,8 @@ public abstract class AbstractEnrichmentBolt extends BaseRichBolt { protected String _OutputFieldName; protected String _enrichment_tag; - protected Long _MAX_CACHE_SIZE; - protected Long _MAX_TIME_RETAIN; + protected Long _MAX_CACHE_SIZE_OBJECTS_NUM; + protected Long _MAX_TIME_RETAIN_MINUTES; // JSON Keys to be enriched protected List _jsonKeys; 
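Review bot: The commented-out `format` method added at the end of `WhoisHBaseAdapter` is dead code, and the two imports this patch adds for it (`java.util.Arrays` and `com.google.common.base.Joiner`) are then unused; I would delete all three rather than commit them. In the `catch (IOException e)` block the result is now nested under `whois` like the success case, but the failure is still reported only through `e.printStackTrace()` and the string `"{}"` is returned as if it were a lookup result. `LOG.error("[OpenSOC] whois lookup failed for " + metadata, e);` would put the failure in the log the class already uses, so an unavailable whois table can be told apart from a domain with no record.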
@@ -86,10 +86,10 @@ public final void prepare(Map conf, TopologyContext topologyContext, throw new IllegalStateException("OutputFieldName must be specified"); if (this._enrichment_tag == null) throw new IllegalStateException("enrichment_tag must be specified"); - if (this._MAX_CACHE_SIZE == null) - throw new IllegalStateException("MAX_CACHE_SIZE must be specified"); - if (this._MAX_TIME_RETAIN == null) - throw new IllegalStateException("MAX_TIME_RETAIN must be specified"); + if (this._MAX_CACHE_SIZE_OBJECTS_NUM == null) + throw new IllegalStateException("MAX_CACHE_SIZE_OBJECTS_NUM must be specified"); + if (this._MAX_TIME_RETAIN_MINUTES == null) + throw new IllegalStateException("MAX_TIME_RETAIN_MINUTES must be specified"); if (this._adapter == null) throw new IllegalStateException("Adapter must be specified"); if (this._jsonKeys == null) @@ -102,8 +102,8 @@ public JSONObject load(String key) throws Exception { } }; - cache = CacheBuilder.newBuilder().maximumSize(_MAX_CACHE_SIZE) - .expireAfterWrite(_MAX_TIME_RETAIN, TimeUnit.MINUTES) + cache = CacheBuilder.newBuilder().maximumSize(_MAX_CACHE_SIZE_OBJECTS_NUM) + .expireAfterWrite(_MAX_TIME_RETAIN_MINUTES, TimeUnit.MINUTES) .build(loader); boolean success = _adapter.initializeAdapter(); diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/common/GenericEnrichmentBolt.java b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/common/GenericEnrichmentBolt.java index 2735a51c5c..37c151f958 100644 --- a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/common/GenericEnrichmentBolt.java +++ b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/java/com/opensoc/enrichment/common/GenericEnrichmentBolt.java 
@@ -34,9 +34,9 @@ import backtype.storm.tuple.Values; import com.opensoc.enrichment.interfaces.EnrichmentAdapter; +import com.opensoc.helpers.topology.ErrorGenerator; import com.opensoc.json.serialization.JSONEncoderHelper; import com.opensoc.metrics.MetricReporter; -import com.opensoc.topologyhelpers.ErrorGenerator; /** * Uses an adapter to enrich telemetry messages with additional metadata @@ -99,24 +99,24 @@ public GenericEnrichmentBolt withEnrichmentTag(String EnrichmentTag) { } /** - * @param MAX_CACHE_SIZE + * @param MAX_CACHE_SIZE_OBJECTS_NUM * Maximum size of cache before flushing * @return Instance of this class */ - public GenericEnrichmentBolt withMaxCacheSize(long MAX_CACHE_SIZE) { - _MAX_CACHE_SIZE = MAX_CACHE_SIZE; + public GenericEnrichmentBolt withMaxCacheSize(long MAX_CACHE_SIZE_OBJECTS_NUM) { + _MAX_CACHE_SIZE_OBJECTS_NUM = MAX_CACHE_SIZE_OBJECTS_NUM; return this; } /** - * @param MAX_TIME_RETAIN + * @param MAX_TIME_RETAIN_MINUTES * Maximum time to retain cached entry before expiring * @return Instance of this class */ - public GenericEnrichmentBolt withMaxTimeRetain(long MAX_TIME_RETAIN) { - _MAX_TIME_RETAIN = MAX_TIME_RETAIN; + public GenericEnrichmentBolt withMaxTimeRetain(long MAX_TIME_RETAIN_MINUTES) { + _MAX_TIME_RETAIN_MINUTES = MAX_TIME_RETAIN_MINUTES; return this; } @@ -186,6 +186,11 @@ public void execute(Tuple tuple) { + "not present in message " + message); continue; } + + // If the field is empty, no need to enrich + if ( jsonvalue.length() == 0) { + continue; + } JSONObject enrichment = cache.getUnchecked(jsonvalue); LOG.trace("[OpenSOC] Enriched: " + jsonkey + " -> " @@ -239,7 +244,7 @@ public void execute(Tuple tuple) { failCounter.inc(); } - JSONObject error = ErrorGenerator.generateErrorMessage("Enrichment problem: " + in_json, e.toString()); + JSONObject error = ErrorGenerator.generateErrorMessage("Enrichment problem: " + in_json, e); _collector.emit("error", new Values(error)); } 
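Review bot: The new guard `if ( jsonvalue.length() == 0) { continue; }` skips only the empty string, so a value made of spaces still goes to `cache.getUnchecked(jsonvalue)`, costs a backend lookup and occupies a cache slot. `if (jsonvalue.trim().isEmpty()) { continue; }` covers both cases. The renamed builder parameters now carry the unit in their names, but the Javadoc of `withMaxTimeRetain` and `withMaxCacheSize` should also say "minutes" and "number of cached objects", since callers read the Javadoc rather than the parameter name. `execute` starts and ends outside these hunks.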
diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/resources/hbase-site.xml b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/resources/hbase-site.xml index dc7cba5ab8..8d812a9358 100644 --- a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/resources/hbase-site.xml +++ b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/main/resources/hbase-site.xml 
@@ -1,90 +1,131 @@ - - - - - hbase.regionserver.global.memstore.lowerLimit - 0.38 - - - zookeeper.session.timeout - 20 - - - - hbase.security.authorization - false - - - hbase.cluster.distributed - true - - - - hbase.hstore.flush.retries.number - 120 - - - hbase.hregion.memstore.block.multiplier - 4 - - - hbase.hstore.blockingStoreFiles - 200 - - - hbase.defaults.for.version.skip - true - - - hbase.regionserver.global.memstore.upperLimit - 0.4 - - - hbase.hregion.memstore.mslab.enabled - true - - - hbase.client.keyvalue.maxsize - 10485760 - - - hbase.superuser - hbase - - - hfile.block.cache.size - 0.40 - - - zookeeper.znode.parent - /hbase-unsecure - - - hbase.hregion.max.filesize - 10737418240 - - - hbase.zookeeper.property.clientPort - 2181 - - - hbase.security.authentication - simple - - - hbase.client.scanner.caching - 100 - - - hbase.hregion.memstore.flush.size - 134217728 - - - hbase.hregion.majorcompaction - 86400000 - - - hbase.client.write.buffer - 500000000 - - \ No newline at end of file + + + + hbase.tmp.dir + /disk/h/hbase + + + hbase.hregion.memstore.chunkpool.maxsize + 0.5 + + + hbase.regionserver.codecs + lzo,gz,snappy + + + hbase.hstore.flush.retries.number + 120 + + + hbase.client.keyvalue.maxsize + 10485760 + + + hbase.rootdir + hdfs://nn1:8020/apps/hbase/data + + + hbase.defaults.for.version.skip + true + + + hbase.client.scanner.caching + 100 + + + hbase.superuser + hbase + + + hfile.block.cache.size + 0.40 + + + hbase.regionserver.checksum.verify + true + + + hbase.hregion.memstore.mslab.enabled + true + + + hbase.hregion.max.filesize + 107374182400 + + + hbase.cluster.distributed + true + + + zookeeper.session.timeout + 30000 + + + zookeeper.znode.parent + /hbase-unsecure + + + hbase.regionserver.global.memstore.lowerLimit + 0.38 + + + hbase.regionserver.handler.count + 240 + + + hbase.hregion.memstore.mslab.chunksize + 8388608 + + + hbase.zookeeper.quorum + zkpr1,zkpr2,zkpr3 + + + hbase.zookeeper.useMulti + true + + + 
hbase.hregion.majorcompaction + 86400000 + + + hbase.hstore.blockingStoreFiles + 200 + + + hbase.zookeeper.property.clientPort + 2181 + + + hbase.hregion.memstore.flush.size + 134217728 + + + hbase.security.authorization + false + + + hbase.regionserver.global.memstore.upperLimit + 0.4 + + + hbase.hstore.compactionThreshold + 4 + + + hbase.hregion.memstore.block.multiplier + 8 + + + hbase.security.authentication + simple + + + dfs.client.read.shortcircuit + true + + + dfs.domain.socket.path + /var/run/hdfs/dn_socket + + \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/java/com/opensoc/enrichment/adapters/cif/CIFHbaseAdapterTest.java b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/java/com/opensoc/enrichment/adapters/cif/CIFHbaseAdapterTest.java index e7810d4d70..82390e93b2 100644 --- a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/java/com/opensoc/enrichment/adapters/cif/CIFHbaseAdapterTest.java +++ b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/java/com/opensoc/enrichment/adapters/cif/CIFHbaseAdapterTest.java @@ -18,6 +18,7 @@ */ package com.opensoc.enrichment.adapters.cif; +import java.net.InetAddress; import java.util.Properties; import com.opensoc.test.AbstractTestContext; @@ -37,6 +38,7 @@ public class CIFHbaseAdapterTest extends AbstractTestContext { private static CIFHbaseAdapter cifHbaseAdapter=null; + /** * Constructs a new CIFHbaseAdapterTest instance. * @param name 
@@ -70,8 +72,33 @@ protected static void tearDownAfterClass() throws Exception { protected void setUp() throws Exception { super.setUp(); + Properties prop = super.getTestProperties(); assertNotNull(prop); + + if(skipTests(this.getMode())){ + return;//skip tests + } + + String[] zk = prop.get("kafka.zk.list").toString().split(","); + + for(String z : zk) + { + InetAddress address = InetAddress.getByName(z); + boolean reachable = address.isReachable(100); + + if(!reachable) + { + this.setMode("local"); + //throw new Exception("Unable to reach zookeeper, skipping CIF adapter test"); + break; + } + + } + + if(skipTests(this.getMode())) + return;//skip tests + System.out.println("kafka.zk.list ="+(String) prop.get("kafka.zk.list")); System.out.println("kafka.zk.list ="+(String) prop.get("kafka.zk.port")); System.out.println("kafka.zk.list ="+(String) prop.get("bolt.enrichment.cif.tablename")); diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/java/com/opensoc/enrichment/adapters/geo/GeoMysqlAdapterTest.java b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/java/com/opensoc/enrichment/adapters/geo/GeoMysqlAdapterTest.java index 173819b14a..ca545002fc 100644 --- a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/java/com/opensoc/enrichment/adapters/geo/GeoMysqlAdapterTest.java +++ b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/java/com/opensoc/enrichment/adapters/geo/GeoMysqlAdapterTest.java @@ -16,21 +16,22 @@ */ package com.opensoc.enrichment.adapters.geo; +import java.net.URL; import java.util.Properties; import org.json.simple.JSONObject; -import com.opensoc.test.AbstractTestContext; +import com.opensoc.test.AbstractSchemaTest; /** *
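Review bot: `InetAddress.getByName(z)` in the added loop throws `UnknownHostException` when a name from `kafka.zk.list` does not resolve, so on a machine without the cluster's DNS `setUp` errors out instead of switching to local mode. Judging by the commented-out `throw`, that fallback is what the loop is for. `isReachable(100)` tests the host with an ICMP echo or TCP port 7, not the ZooKeeper client port, so a firewalled but healthy quorum can be reported as unreachable. The same loop is added to `WhoisHBaseAdapterTest.setUp` later in this patch, where the three `println` calls also ended up inside the loop. Treating a lookup failure as "not reachable" keeps the skip behaviour; `setUp` continues outside this hunk.

```java
String[] zk = prop.get("kafka.zk.list").toString().split(",");

for (String z : zk) {
    boolean reachable;
    try {
        reachable = InetAddress.getByName(z.trim()).isReachable(100);
    } catch (java.io.IOException e) {
        // unresolvable or unreachable host: no cluster available, not a test error
        reachable = false;
    }
    if (!reachable) {
        this.setMode("local");
        break;
    }
}
// … unchanged: second skipTests check and adapter initialisation …
```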
    - *
  • Title:
  • - *
  • Description:
  • + *
  • Title: GeoMySqlAdapterTest
  • + *
  • Description: Tests for GeoMySqlAdapter
  • *
  • Created: Aug 25, 2014
  • *
* @version $Revision: 1.1 $ */ -public class GeoMysqlAdapterTest extends AbstractTestContext { +public class GeoMysqlAdapterTest extends AbstractSchemaTest { private static GeoMysqlAdapter geoMySqlAdapter=null; private static boolean connected=false; @@ -72,9 +73,12 @@ protected void setUp() throws Exception { System.out.println(getClass().getName()+" Skipping Tests !!Local Mode"); return;//skip tests }else{ - geoMySqlAdapter=new GeoMysqlAdapter((String)prop.get("mysql.ip"), (new Integer((String)prop.get("mysql.port"))).intValue(),(String)prop.get("mysql.username"),(String)prop.get("mysql.password"), (String)prop.get("bolt.enrichment.geo.adapter.table")); - connected =geoMySqlAdapter.initializeAdapter(); - assertTrue(connected); + GeoMysqlAdapterTest.setGeoMySqlAdapter(new GeoMysqlAdapter((String)prop.get("mysql.ip"), (new Integer((String)prop.get("mysql.port"))).intValue(),(String)prop.get("mysql.username"),(String)prop.get("mysql.password"), (String)prop.get("bolt.enrichment.geo.adapter.table"))); + connected =geoMySqlAdapter.initializeAdapter(); + assertTrue(connected); + URL schema_url = getClass().getClassLoader().getResource( + "TestSchemas/GeoMySqlSchema.json"); + super.setSchemaJsonString(super.readSchemaFromFile(schema_url)); } } @@ -85,7 +89,7 @@ protected void setUp() throws Exception { protected void tearDown() throws Exception { super.tearDown(); - geoMySqlAdapter=null; + GeoMysqlAdapterTest.setGeoMySqlAdapter(null); } /** 
@@ -95,16 +99,24 @@ public void testEnrich() { if(skipTests(this.getMode())){ return;//skip tests }else{ - JSONObject json = geoMySqlAdapter.enrich("72.163.4.161"); - - //assert Geo Response is not null - assertNotNull(json); - - //assert LocId is not null - assertNotNull(json.get("locID")); + + try { + JSONObject json = geoMySqlAdapter.enrich("72.163.4.161"); + + //assert Geo Response is not null + System.out.println("json ="+json); + assertNotNull(json); - //assert right LocId is being returned - assertEquals("4522",json.get("locID")); + assertEquals(true, super.validateJsonData(super.getSchemaJsonString(), json.toString())); + //assert LocId is not null + assertNotNull(json.get("locID")); + + //assert right LocId is being returned + assertEquals("4522",json.get("locID")); + } catch (Exception e) { + e.printStackTrace(); + fail("Json validation Failed"); + } } } diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/java/com/opensoc/enrichment/adapters/whois/WhoisHBaseAdapterTest.java b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/java/com/opensoc/enrichment/adapters/whois/WhoisHBaseAdapterTest.java index 3d2e2193e8..3057c13a2c 100644 --- a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/java/com/opensoc/enrichment/adapters/whois/WhoisHBaseAdapterTest.java +++ b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/java/com/opensoc/enrichment/adapters/whois/WhoisHBaseAdapterTest.java @@ -18,6 +18,7 @@ */ package com.opensoc.enrichment.adapters.whois; +import java.net.InetAddress; import java.util.Properties; import org.json.simple.JSONObject; 
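Review bot: The new `catch (Exception e)` in `testEnrich` reports every exception as "Json validation Failed", so a connection or query error thrown by `geoMySqlAdapter.enrich(...)` looks the same as a schema mismatch in the test report, and the cause reaches only stdout through `printStackTrace()`. Declaring `public void testEnrich() throws Exception` and dropping the try/catch lets the runner record the real exception; if the catch stays, `fail("testEnrich failed: " + e);` at least keeps the cause in the message. `assertEquals(true, super.validateJsonData(...))` reads more directly as `assertTrue(super.validateJsonData(...))`.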
@@ -68,13 +69,39 @@ protected void setUp() throws Exception { super.setUp(); Properties prop = super.getTestProperties(); assertNotNull(prop); + if(skipTests(this.getMode())){ return;//skip tests - }else{ + } + + String[] zk = prop.get("kafka.zk.list").toString().split(","); + + for(String z : zk) + { + InetAddress address = InetAddress.getByName(z); + boolean reachable = address.isReachable(100); + + if(!reachable) + { + this.setMode("local"); + break; + //throw new Exception("Unable to reach zookeeper, skipping WHois adapter test"); + } + + System.out.println("kafka.zk.list ="+(String) prop.get("kafka.zk.list")); + System.out.println("kafka.zk.list ="+(String) prop.get("kafka.zk.port")); + System.out.println("kafka.zk.list ="+(String) prop.get("bolt.enrichment.cif.tablename")); + + } + + if(skipTests(this.getMode())){ + System.out.println("Local Mode Skipping tests !! "); + }else{ whoisHbaseAdapter=new WhoisHBaseAdapter((String)prop.get("bolt.enrichment.whois.hbase.table.name"),(String)prop.get("kafka.zk.list"),(String)prop.get("kafka.zk.port")); connected =whoisHbaseAdapter.initializeAdapter(); assertTrue(connected); - } + } + } /* diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/CIFHbaseAdapterTest.properties b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/CIFHbaseAdapterTest.properties index 43ef4f6d25..8217353a69 100644 --- a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/CIFHbaseAdapterTest.properties +++ b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/CIFHbaseAdapterTest.properties 
@@ -1,11 +1,11 @@ kafka.zk.port=2181 -kafka.zk.list=zkpr1,zkpr2,zkpr3 -kafka.zk=zkpr1:2181,zkpr2:2181,zkpr3:2181 +kafka.zk.list=zkpr1 +kafka.zk=zkpr1:2181 #CIF Enrichment bolt.enrichment.cif.tablename=cif_table bolt.enrichment.cif.host=tld bolt.enrichment.cif.email=email -bolt.enrichment.cif.MAX_CACHE_SIZE=10000 -bolt.enrichment.cif.MAX_TIME_RETAIN=10 +bolt.enrichment.cif.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.cif.MAX_TIME_RETAIN_MINUTES=10 bolt.enrichment.cif.enrichment_tag=cif diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/GeoMysqlAdapterTest.properties b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/GeoMysqlAdapterTest.properties index fe95233456..3a4e17964a 100644 --- a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/GeoMysqlAdapterTest.properties +++ b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/GeoMysqlAdapterTest.properties @@ -1,11 +1,11 @@ mysql.ip=172.30.9.120 -mysql.port=0 +mysql.port=3306 mysql.username=test mysql.password=123123 #GeoEnrichment - bolt.enrichment.geo.enrichment_tag=geo bolt.enrichment.geo.adapter.table=GEO -bolt.enrichment.geo.MAX_CACHE_SIZE=10000 -bolt.enrichment.geo.MAX_TIME_RETAIN=10 +bolt.enrichment.geo.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.geo.MAX_TIME_RETAIN_MINUTES=10 +bolt.enrichment.geo.source=ip_src_addr,ip_dst_addr diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/TestSchemas/CIFHbaseSchema.json b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/TestSchemas/CIFHbaseSchema.json new file mode 100644 index 0000000000..e69de29bb2 diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/TestSchemas/GeoMySqlSchema.json b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/TestSchemas/GeoMySqlSchema.json new file mode 100644 index 0000000000..c4f2a82ed2 --- /dev/null 
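Review bot: In GeoMysqlAdapterTest.properties, `mysql.username=test`, `mysql.password=123123` and the address `172.30.9.120` remain committed, and changing `mysql.port` from `0` to `3306` means the test now attempts a real connection with them whenever it is not in local mode. Values committed here stay readable in repository history even after the account is rotated. Loading the password from an environment variable or an untracked override file, with a placeholder such as `mysql.password=<set-locally>` in the tracked copy, keeps the test configurable without publishing the credential. If the account exists only on a disposable test database, a comment above the block should say so.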
+++ b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/TestSchemas/GeoMySqlSchema.json @@ -0,0 +1,42 @@ +{ +"title": "GeoMySql Schema", +"type": "object", +"properties": { + + "city" : { + "type": "string" + }, + "country" : { + "type": "string" + }, + "dmaCode" : + { + "type": "string" + }, + "geoHash" : + { + "type": "string" + }, + "latitude" : + { + "type": "string" + }, + "locID" : + { + "type": "string" + }, + "location_point" : + { + "type": "string" + }, + "longitude" : + { + "type": "string" + }, + "postalCode" : + { + "type": "string" + } + }, + "required": ["city", "country", "dmaCode","latitude","locID","location_point","postalCode"] +} diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/TestSchemas/WhoisHbaseSchema.json b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/TestSchemas/WhoisHbaseSchema.json new file mode 100644 index 0000000000..e69de29bb2 diff --git a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/WhoisHbaseAdapterTest.properties b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/WhoisHbaseAdapterTest.properties index b80dfcd443..4f264ed3c5 100644 --- a/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/WhoisHbaseAdapterTest.properties +++ b/opensoc-streaming/OpenSOC-EnrichmentAdapters/src/test/resources/WhoisHbaseAdapterTest.properties @@ -1,11 +1,11 @@ kafka.zk.port=2181 -kafka.zk.list=zkpr1,zkpr2,zkpr3 -kafka.zk=zkpr1:2181,zkpr2:2181,zkpr3:2181 +kafka.zk.list=zkpr1 +kafka.zk=zkpr1:2181 #WhoisEnrichment bolt.enrichment.whois.hbase.table.name=whois bolt.enrichment.whois.enrichment_tag=whois bolt.enrichment.whois.source=tld -bolt.enrichment.whois.MAX_CACHE_SIZE=10000 -bolt.enrichment.whois.MAX_TIME_RETAIN=10 +bolt.enrichment.whois.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.whois.MAX_TIME_RETAIN_MINUTES=10 
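Review bot: In GeoMySqlSchema.json, `longitude` and `geoHash` are declared under `properties` but are missing from `required`, while `latitude` and `location_point` are listed. An enrichment result without a longitude therefore still passes `validateJsonData` in `testEnrich`. If the adapter always returns both fields (not visible in this patch), add them: `"required": ["city", "country", "dmaCode", "geoHash", "latitude", "locID", "location_point", "longitude", "postalCode"]`. The two sibling schema files added in this patch, `CIFHbaseSchema.json` and `WhoisHbaseSchema.json`, are empty, so any test that loads them has nothing to validate against.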
diff --git a/opensoc-streaming/OpenSOC-Indexing/pom.xml b/opensoc-streaming/OpenSOC-Indexing/pom.xml index 96e2bd0f5c..d55ab7f64e 100644 --- a/opensoc-streaming/OpenSOC-Indexing/pom.xml +++ b/opensoc-streaming/OpenSOC-Indexing/pom.xml @@ -15,11 +15,13 @@ com.opensoc OpenSOC-Streaming - 0.3BETA-SNAPSHOT + 0.6BETA OpenSOC-Indexing - 1.2.1 + UTF-8 + UTF-8 + 1.3.1 4.3.4 1.1.1 @@ -28,13 +30,19 @@ com.opensoc OpenSOC-Common - ${parent.version} + ${project.parent.version} org.apache.storm storm-core ${global_storm_version} provided + + + servlet-api + javax.servlet + + org.elasticsearch @@ -86,4 +94,4 @@ - \ No newline at end of file + diff --git a/opensoc-streaming/OpenSOC-Indexing/readme.md b/opensoc-streaming/OpenSOC-Indexing/readme.md new file mode 100644 index 0000000000..bd9d7ac522 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Indexing/readme.md 
@@ -0,0 +1,61 @@ +#OpenSOC-Indexing + +##Module Description + +This module provides the indexing capability to OpenSOC components. The primary indexing engine for now is Elastic Search, but Solr may be supported at some point in the future as well. There are three types of messages that are commonly indexed in OpenSOC topologies: messages, alerts, and errors. Messages are telemetry messages parsed by the parser bolt. Alerts are alerts generated by the alerts bolt. Errors are an optional feature where each OpenSOC bolt in addition to outputting errors in the log file will also index them for immediate analysis. + +###Index bolt + +The signature of the index bolt is as follows: + +``` +TelemetryIndexingBolt indexing_bolt = new TelemetryIndexingBolt() +.withIndexIP(config.getString("es.ip")) +.withIndexPort(config.getInt("es.port")) +.withClusterName(config.getString("es.clustername")) +.withIndexName( +config.getString("bolt.error.indexing.indexname")) +.withDocumentName( +config.getString("bolt.error.indexing.documentname")) +.withBulk(config.getInt("bolt.error.indexing.bulk")) +.withIndexAdapter(adapter) +.withMetricConfiguration(config); + +``` + +###IndexAdapters + +*com.opensoc.indexing.adapters.ESBaseBulkAdapter - bulk ingest messages into Elastic Search +*com.opensoc.indexing.adapters.ESBaseBulkRotatingAdapter - does everything adapter above does, but is able to rotate the index names based on size +*com.opensoc.indexing.adapters.ESTimedBulkRotatingAdapter - does everything adapter above does, but is able to rotate the index names based on size and time +*com.opensoc.indexing.adapters.SolrAdapter - currently under development + +/etc/ directory contains all environment-related configs + +##Sample Input and Generator Spout + +The sample input for topologies provided in this release was checked in here: + +``` +https://github.com/OpenSOC/opensoc-streaming/tree/master/OpenSOC-Topologies/src/main/resources/SampleInput +``` + +We provide a generator spout that is 
able to drive these topologies. In production we run with the kafka spout, but for documentation on that please reference the Storm project documentation + +The generator spout comes with the following signature: + +``` +GenericInternalTestSpout testSpout = new GenericInternalTestSpout() +.withFilename(test_file_path).withRepeating( +config.getBoolean("spout.test.parallelism.repeat")); +``` + +* the repeat variable defines if the generator spout will loop through the input or stop once it gets to the end of file + +###Additional Storm Bolts +In addition to custom bolts developed for OpenSOC we utilize standard bolts and spouts included with the Storm release. We will not provide documentation for these spouts and bolts since they are provided as part of Storm. These spouts bolts are: + +* KafkaSpout +* KafkaBolt +* HDFSBolt +* HBaseBolt \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/TelemetryIndexingBolt.java b/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/TelemetryIndexingBolt.java index 965deb530a..2c4e0a92be 100644 --- a/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/TelemetryIndexingBolt.java +++ b/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/TelemetryIndexingBolt.java @@ -33,10 +33,10 @@ import backtype.storm.tuple.Tuple; import backtype.storm.tuple.Values; +import com.opensoc.helpers.topology.ErrorGenerator; import com.opensoc.index.interfaces.IndexAdapter; import com.opensoc.json.serialization.JSONEncoderHelper; import com.opensoc.metrics.MetricReporter; -import com.opensoc.topologyhelpers.ErrorGenerator; /** * @@ -59,6 +59,8 @@ public class TelemetryIndexingBolt extends AbstractIndexingBolt { private JSONObject metricConfiguration; + private String _indexDateFormat; + private Set tuple_queue = new HashSet(); /** 
@@ -140,7 +142,18 @@ public TelemetryIndexingBolt withIndexAdapter(IndexAdapter adapter) { return this; } + + /** + * + * @param dateFormat + * timestamp to append to index names + * @return instance of bolt + */ + public TelemetryIndexingBolt withIndexTimestamp(String indexTimestamp) { + _indexDateFormat = indexTimestamp; + return this; + } /** * * @param config @@ -161,7 +174,7 @@ void doPrepare(Map conf, TopologyContext topologyContext, try { _adapter.initializeConnection(_IndexIP, _IndexPort, - _ClusterName, _IndexName, _DocumentName, _BulkIndexNumber); + _ClusterName, _IndexName, _DocumentName, _BulkIndexNumber, _indexDateFormat); _reporter = new MetricReporter(); _reporter.initialize(metricConfiguration, @@ -170,10 +183,8 @@ void doPrepare(Map conf, TopologyContext topologyContext, } catch (Exception e) { e.printStackTrace(); - - String error_as_string = org.apache.commons.lang.exception.ExceptionUtils.getStackTrace(e); - - JSONObject error = ErrorGenerator.generateErrorMessage(new String("bulk index problem"), error_as_string); + + JSONObject error = ErrorGenerator.generateErrorMessage(new String("bulk index problem"), e); _collector.emit("error", new Values(error)); } @@ -222,9 +233,8 @@ public void execute(Tuple tuple) { _collector.fail(setElement); failCounter.inc(); - String error_as_string = org.apache.commons.lang.exception.ExceptionUtils.getStackTrace(e); - JSONObject error = ErrorGenerator.generateErrorMessage(new String("bulk index problem"), error_as_string); + JSONObject error = ErrorGenerator.generateErrorMessage(new String("bulk index problem"), e); _collector.emit("error", new Values(error)); } tuple_queue.clear(); diff --git a/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/adapters/AbstractIndexAdapter.java b/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/adapters/AbstractIndexAdapter.java index 3644c9eb27..6dafbe72b3 100644 
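Review bot: `_indexDateFormat` has no default, so a topology that never calls `withIndexTimestamp` passes `null` into `_adapter.initializeConnection(...)`. The rotating adapters changed later in this patch (`ESBulkRotatingAdapter`, `ESTimedRotatingAdapter`) replace their built-in `"yyyy.MM.dd.HH"` with `new SimpleDateFormat(date_format)`, which throws `NullPointerException` on a null pattern. Whether every topology sets the value is not visible here; initialising the field keeps the previous behaviour, `private String _indexDateFormat = "yyyy.MM.dd.HH";`. The new Javadoc also names `@param dateFormat` while the parameter is `indexTimestamp`; it should read `@param indexTimestamp SimpleDateFormat pattern appended to index names`.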
--- a/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/adapters/AbstractIndexAdapter.java +++ b/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/adapters/AbstractIndexAdapter.java @@ -20,6 +20,6 @@ public abstract class AbstractIndexAdapter implements IndexAdapter, Serializable abstract public boolean initializeConnection(String ip, int port, String cluster_name, String index_name, String document_name, - int bulk) throws Exception; + int bulk, String date_format) throws Exception; } diff --git a/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/adapters/ESBaseBulkAdapter.java b/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/adapters/ESBaseBulkAdapter.java index 97af748fe0..e5ed283eac 100644 --- a/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/adapters/ESBaseBulkAdapter.java +++ b/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/adapters/ESBaseBulkAdapter.java @@ -1,12 +1,11 @@ package com.opensoc.indexing.adapters; import java.io.Serializable; -import java.util.HashSet; import java.util.Iterator; -import java.util.Set; +import java.util.Map; import org.apache.commons.collections.Bag; -import org.apache.commons.collections.HashBag; +import org.apache.commons.collections.bag.HashBag; import org.elasticsearch.action.bulk.BulkRequestBuilder; import org.elasticsearch.action.bulk.BulkResponse; import org.elasticsearch.action.index.IndexRequestBuilder; @@ -35,7 +34,7 @@ public class ESBaseBulkAdapter extends AbstractIndexAdapter implements @Override public boolean initializeConnection(String ip, int port, String cluster_name, String index_name, String document_name, - int bulk_size) throws Exception { + int bulk_size, String date_format) throws Exception { bulk_set = new HashBag(); 
@@ -141,4 +140,9 @@ public boolean doIndex() throws Exception { return false; } } + + public void setOptionalSettings(Map settings) { + // TODO Auto-generated method stub + + } } diff --git a/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/adapters/ESBulkRotatingAdapter.java b/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/adapters/ESBulkRotatingAdapter.java index 022bbde968..ebdc7b0c22 100644 --- a/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/adapters/ESBulkRotatingAdapter.java +++ b/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/adapters/ESBulkRotatingAdapter.java @@ -3,6 +3,7 @@ import java.text.DateFormat; import java.text.SimpleDateFormat; import java.util.Date; +import java.util.Map; import org.apache.http.HttpResponse; import org.apache.http.client.HttpClient; @@ -34,11 +35,11 @@ public class ESBulkRotatingAdapter extends AbstractIndexAdapter { private HttpClient httpclient; private HttpPost post; - private DateFormat dateFormat = new SimpleDateFormat("yyyy.MM.dd.HH"); + private DateFormat dateFormat; public boolean initializeConnection(String ip, int port, String cluster_name, String index_name, String document_name, - int bulk_size) { + int bulk_size, String date_format) { _LOG.info("Initializing ESBulkAdapter..."); @@ -51,9 +52,11 @@ public boolean initializeConnection(String ip, int port, _document_name = document_name; _bulk_size = bulk_size - 1; + + dateFormat = new SimpleDateFormat(date_format); + element_count = 0; - index_postfix = dateFormat.format(new Date()); running_index_postfix = "NONE"; Settings settings = ImmutableSettings.settingsBuilder() 
@@ -76,7 +79,7 @@ public int bulkIndex(JSONObject raw_message) { index_postfix = dateFormat.format(new Date()); - bulkRequest.add(client.prepareIndex(_index_name + "-" + index_postfix, + bulkRequest.add(client.prepareIndex(_index_name + "_" + index_postfix, _document_name).setSource(raw_message)); return doIndex(); @@ -86,7 +89,7 @@ public int bulkIndex(String raw_message) { index_postfix = dateFormat.format(new Date()); - bulkRequest.add(client.prepareIndex(_index_name + "-" + index_postfix, + bulkRequest.add(client.prepareIndex(_index_name + "_" + index_postfix, _document_name).setSource(raw_message)); return doIndex(); @@ -149,4 +152,9 @@ public int doIndex() { return 1; } + public void setOptionalSettings(Map settings) { + // TODO Auto-generated method stub + + } + } diff --git a/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/adapters/ESTimedRotatingAdapter.java b/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/adapters/ESTimedRotatingAdapter.java index e0a8b985dc..a94ef97108 100644 --- a/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/adapters/ESTimedRotatingAdapter.java +++ b/opensoc-streaming/OpenSOC-Indexing/src/main/java/com/opensoc/indexing/adapters/ESTimedRotatingAdapter.java @@ -5,6 +5,7 @@ import java.text.SimpleDateFormat; import java.util.Date; import java.util.Iterator; +import java.util.Map; import org.apache.commons.collections.Bag; import org.apache.commons.collections.HashBag; 
@@ -29,16 +30,23 @@ public class ESTimedRotatingAdapter extends AbstractIndexAdapter implements private int _port; private String _ip; public transient TransportClient client; - private DateFormat dateFormat = new SimpleDateFormat("yyyy.MM.dd.HH"); + private DateFormat dateFormat; + + private Map tuning_settings; private Bag bulk_set; private Settings settings; + + public void setOptionalSettings(Map settings) + { + tuning_settings = settings; + } @Override public boolean initializeConnection(String ip, int port, String cluster_name, String index_name, String document_name, - int bulk_size) throws Exception { + int bulk_size, String date_format) throws Exception { bulk_set = new HashBag(); @@ -51,11 +59,25 @@ public boolean initializeConnection(String ip, int port, _index_name = index_name; _document_name = document_name; _bulk_size = bulk_size; + + + dateFormat = new SimpleDateFormat(date_format); System.out.println("Bulk indexing is set to: " + _bulk_size); - settings = ImmutableSettings.settingsBuilder() - .put("cluster.name", _cluster_name).build(); + ImmutableSettings.Builder builder = ImmutableSettings.settingsBuilder() ; + + if(tuning_settings != null && tuning_settings.size() > 0) + { + builder.put(tuning_settings); + } + + builder.put("cluster.name", _cluster_name); + builder.put("client.transport.ping_timeout","500s"); + + + settings = builder.build(); + client = new TransportClient(settings) .addTransportAddress(new InetSocketTransportAddress(_ip, _port)); @@ -83,7 +105,7 @@ public int bulkIndex(JSONObject raw_message) { bulk_set.add(raw_message); set_size = bulk_set.size(); - System.out.println("Bulk size is now: " + bulk_set.size()); + _LOG.trace("[OpenSOC] Incremented bulk size to: " + bulk_set.size()); } try { 
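Review bot: In `ESTimedRotatingAdapter.initializeConnection`, `builder.put("client.transport.ping_timeout","500s")` runs after `builder.put(tuning_settings)`, so a ping timeout supplied through `setOptionalSettings` is silently overwritten by the hard-coded value. With 500 seconds, a dead node is noticed only after several minutes. Putting the default first lets the tuning map override it, with `cluster.name` still applied last: `builder.put("client.transport.ping_timeout", "500s"); builder.put(tuning_settings); builder.put("cluster.name", _cluster_name);`. `setOptionalSettings(Map settings)` and the `tuning_settings` field use a raw `Map`; `Map<String, String>` would document what `builder.put` is expected to receive.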
@@ -122,7 +144,7 @@ public boolean doIndex() throws Exception { while (iterator.hasNext()) { JSONObject setElement = iterator.next(); - System.out.println("Flushing to index: " + _index_name+ "_" + index_postfix); + _LOG.trace("[OpenSOC] Flushing to index: " + _index_name+ "_" + index_postfix); IndexRequestBuilder a = client.prepareIndex(_index_name+ "_" + index_postfix, _document_name); @@ -131,22 +153,27 @@ public boolean doIndex() throws Exception { } - System.out.println("Performing bulk load of size: " + _LOG.trace("[OpenSOC] Performing bulk load of size: " + bulkRequest.numberOfActions()); BulkResponse resp = bulkRequest.execute().actionGet(); + for(BulkItemResponse r: resp.getItems()) + { + r.getResponse(); + _LOG.trace("[OpenSOC] ES SUCCESS MESSAGE: " + r.getFailureMessage()); + } - System.out.println("[OpenSOC] Received bulk response: " - + resp.buildFailureMessage()); bulk_set.clear(); if (resp.hasFailures()) { - + _LOG.error("[OpenSOC] Received bulk response error: " + + resp.buildFailureMessage()); + for(BulkItemResponse r: resp.getItems()) { r.getResponse(); - System.out.println("FAILURE MESSAGE: " + r.getFailureMessage()); + _LOG.error("[OpenSOC] ES FAILURE MESSAGE: " + r.getFailureMessage()); } } diff --git a/opensoc-streaming/OpenSOC-MessageParsers/pom.xml b/opensoc-streaming/OpenSOC-MessageParsers/pom.xml index 5cfdfa7689..9a7d6510ba 100644 --- a/opensoc-streaming/OpenSOC-MessageParsers/pom.xml +++ b/opensoc-streaming/OpenSOC-MessageParsers/pom.xml @@ -15,14 +15,18 @@ com.opensoc OpenSOC-Streaming - 0.3BETA-SNAPSHOT + 0.6BETA OpenSOC-MessageParsers + + UTF-8 + UTF-8 + com.opensoc OpenSOC-Common - ${parent.version} + ${project.parent.version} org.apache.storm @@ -40,11 +44,7 @@ guava ${global_guava_version} - - com.github.fge - json-schema-validator - ${global_json_schema_validator_version} - + io.thekraken grok 
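Review bot: The loop added to `doIndex` after `bulkRequest.execute().actionGet()` logs `"[OpenSOC] ES SUCCESS MESSAGE: " + r.getFailureMessage()` for every item before `resp.hasFailures()` is consulted. Successful items therefore log `null`, and failed items are first logged under a SUCCESS label. The bare `r.getResponse();` statement discards its result in both loops. Guard the trace line with `if (!r.isFailed())` and log something that identifies the item, e.g. `_LOG.trace("[OpenSOC] indexed id " + r.getId());`. `bulk_set.clear()` (a context line) still runs before the failure check, so rejected documents are dropped after being logged; `doIndex` continues outside this hunk.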
@@ -74,14 +74,30 @@ 1.7 + + + + org.apache.maven.plugins + maven-compiler-plugin + 3.1 + true + + 1.7 + 1.7 + + + src/main/resources + + src/main/resources/patterns + src/test/resources diff --git a/opensoc-streaming/OpenSOC-MessageParsers/readme.md b/opensoc-streaming/OpenSOC-MessageParsers/readme.md new file mode 100644 index 0000000000..128932a022 --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/readme.md 
@@ -0,0 +1,82 @@ +#OpenSOC-Parsers + +##Module Description + +This module provides a list of parsers that can be used with the OpenSOC framework. There are two types of parsers. First type is a Java parser. This kind of parser is optimized for speed and performance and is built for use with higher velicity topologies. These parsers are not easily modifiable and in order to make changes to them the entire topology need to be recompiled. The second type of parser provided with the system is a Grok parser. This type of parser is primarily designed for lower-velocity topologies or for quickly standing up a parser for a new telemetry before a permanent Java parser can be written for it. + +##Message Format + +All opensoc messages follow a specific format in order to ingest a message. If a message does not conform to this format it will be dropped and put onto an error queue for further examination. The message must be of a JSON format and must have a JSON tag message like so: + +``` +{"message" : message content} + +``` + +Where appropriate there is also a standardization around the 5-tuple JSON fields. This is done so the topology correlation engine further down stream can correlate messages from different topologies by these fields. We are currently working on expanding the message standardization beyond these fields, but this feature is not yet availabe. The standard field names are as follows: + +* ip_src_addr: layer 3 source IP +* ip_dst_addr: layer 3 dest IP +* ip_src_port: layer 4 source port +* ip_dst_port: layer 4 dest port +* protocol: layer 4 protocol +* timestamp (epoch) +* original_string: A human friendly string representation of the message + +The timestamp and original_string fields are madatory. The remaining standard fields are optional. If any of the optional fields are not applicable then the field should be left out of the JSON. 
+ +So putting it all together a typical OpenSOC message with all 5-tuple fields present would look like the following: + +```json +{ +"message": +{"ip_src_addr": xxxx, +"ip_dst_addr": xxxx, +"ip_src_port": xxxx, +"ip_dst_port": xxxx, +"protocol": xxxx, +"original_string": xxx, +"additional-field 1": xxx, +} + +} +``` + +##Parser Bolt + +The OpenSOC parser bolt is a standard bolt, which can be extended with multiple Java and Grok parser adapter for parsing different topology messages. The bolt signature for declaration in a storm topology is as follows: + +``` +AbstractParserBolt parser_bolt = new TelemetryParserBolt() +.withMessageParser(parser) +.withMessageFilter(new GenericMessageFilter()) +.withMetricConfig(config); + +``` + +Metric Config - optional argument for exporting custom metrics to graphite. If set to null no metrics will be exported. If set, then a list of metrics defined in the metrics.conf file of each topology will define will metrics are exported and how often. + +Message Filter - a filter defining which messages can be dropped. This feature is only present in the Java paerer adapters + +Message Parser - defines the parser adapter to be used for a topology + +##Parser Adapters + +Parser adapters are loaded dynamically in each OpenSOC topology. They are defined in topology.conf in the configuration item bolt.parser.adapter + +###Java Parser Adapters +Java parser adapters are indended for higher-velocity topologies and are not easily changed or extended. As the adoption of OpenSOC continues we plan on extending our library of Java adapters to process more log formats. 
As of this moment the Java adapters included with OpenSOC are: + +* com.opensoc.parsing.parsers.BasicIseParser : Parse ISE messages +* com.opensoc.parsing.parsers.BasicBroParser : Parse Bro messages +* com.opensoc.parsing.parsers.BasicSourcefireParser : Parse Sourcefire messages +* com.opensoc.parsing.parsers.BasicLancopeParser : Parse Lancope messages + +###Grok Parser Adapters +Grok parser adapters are designed primarly for someone who is not a Java coder for quickly standing up a parser adapter for lower velocity topologies. Grok relies on Regex for message parsing, which is much slower than purpose-built Java parsers, but is more extensible. Grok parsers are defined via a config file and the topplogy does not need to be recombiled in order to make changes to them. An example of a Grok perser is: + +* com.opensoc.parsing.parsers.GrokSourcefireParser + +For more information on the Grok project please refer to the following link: + +https://github.com/thekrakken/java-grok diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/AbstractParserBolt.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/AbstractParserBolt.java index ace7141655..7dc5d4f0a4 100644 --- a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/AbstractParserBolt.java +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/AbstractParserBolt.java @@ -18,9 +18,7 @@ package com.opensoc.parsing; import java.io.IOException; -import java.io.UnsupportedEncodingException; import java.util.Map; -import java.util.zip.Deflater; import org.json.simple.JSONObject; import org.slf4j.Logger; 
@@ -105,32 +103,15 @@ public final void prepare(Map conf, TopologyContext topologyContext, public boolean checkForSchemaCorrectness(JSONObject message) { int correct = 0; - if (message.containsKey("ip_src_addr")) { - correct++; - LOG.trace("[OpenSOC] Message contains ip_src_addr"); - } - if (message.containsKey("ip_dst_addr")) { - correct++; - LOG.trace("[OpenSOC] Message contains ip_dst_addr"); - } - if (message.containsKey("ip_src_port")) { - correct++; - LOG.trace("[OpenSOC] Message contains ip_src_port"); - } - if (message.containsKey("ip_dst_port")) { - correct++; - LOG.trace("[OpenSOC] Message contains ip_dst_port"); - } - if (message.containsKey("protocol")) { - correct++; - LOG.trace("[OpenSOC] Message contains protocol"); - } - - if (correct == 0) { - LOG.trace("[OpenSOC] Message conforms to schema: " + message); + + if (!(message.containsKey("original_string"))) { + LOG.trace("[OpenSOC] Message does not have original_string: " + message); + return false; + } else if (!(message.containsKey("timestamp"))) { + LOG.trace("[OpenSOC] Message does not have timestamp: " + message); return false; } else { - LOG.trace("[OpenSOC] Message does not conform to schema: " + LOG.trace("[OpenSOC] Message conforms to schema: " + message); return true; } diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/PcapParserBolt.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/PcapParserBolt.java index bd3951b8d2..4fb648275b 100644 --- a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/PcapParserBolt.java +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/PcapParserBolt.java 
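Review bot: The rewritten `checkForSchemaCorrectness` tests only `containsKey`, so a message whose `original_string` or `timestamp` key is present with a `null` value is reported as conforming and passed downstream. The readme added in this patch calls both fields mandatory, so the check should look at the value, e.g. `if (message.get("original_string") == null) { ... return false; }` and the same for `timestamp`. A type check on `timestamp` would be stricter still, but which type the parsers emit is not visible here. `int correct = 0;` is now unused and can be removed. The method has no Javadoc; one sentence stating that it returns true only when both mandatory fields are present would document the new contract.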
@@ -7,9 +7,9 @@ import org.json.simple.JSONObject; import org.json.simple.JSONValue; +import com.opensoc.helpers.topology.ErrorGenerator; import com.opensoc.parsing.parsers.PcapParser; import com.opensoc.pcap.PacketInfo; -import com.opensoc.topologyhelpers.ErrorGenerator; import backtype.storm.generated.Grouping; import backtype.storm.task.OutputCollector; @@ -49,11 +49,9 @@ public class PcapParserBolt implements IRichBolt { @SuppressWarnings("unused") private int numberOfCharsToUseForShuffleGrouping = 4; - /** The micro sec multiplier. */ - private long microSecMultiplier = 1L; + /** The divisor to convert nanos to expected time precision. */ + private long timePrecisionDivisor = 1L; - /** The sec multiplier. */ - private long secMultiplier = 1000000L; // HBaseStreamPartitioner hBaseStreamPartitioner = null ; @@ -64,6 +62,26 @@ public PcapParserBolt() { } + public PcapParserBolt withTsPrecision(String tsPrecision) { + if (tsPrecision.equalsIgnoreCase("MILLI")) { + //Convert nanos to millis + LOG.info("Configured for MILLI, setting timePrecisionDivisor to 1000000L" ); + timePrecisionDivisor = 1000000L; + } else if (tsPrecision.equalsIgnoreCase("MICRO")) { + //Convert nanos to micro + LOG.info("Configured for MICRO, setting timePrecisionDivisor to 1000L" ); + timePrecisionDivisor = 1000L; + } else if (tsPrecision.equalsIgnoreCase("NANO")) { + //Keep nano as is. + LOG.info("Configured for NANO, setting timePrecisionDivisor to 1L" ); + timePrecisionDivisor = 1L; + } else { + LOG.info("bolt.parser.ts.precision not set. Default to NANO"); + timePrecisionDivisor = 1L; + } + return this; + } + /* * (non-Javadoc) * 
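Review bot: In withTsPrecision an unrecognised value falls into the final else and is logged at info as "bolt.parser.ts.precision not set", so a typo in the setting silently gives nanosecond timestamps with nothing in the log naming the bad value. A null argument throws NullPointerException at the first `tsPrecision.equalsIgnoreCase("MILLI")`. I would write the comparisons as `"MILLI".equalsIgnoreCase(tsPrecision)` and make the last branch `LOG.warn("Unrecognised bolt.parser.ts.precision '" + tsPrecision + "', defaulting to NANO");`. The method also has no Javadoc stating the accepted values (MILLI, MICRO, NANO) and that the divisor is applied to a nanosecond time.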
@@ -116,19 +134,7 @@ public void prepare(Map stormConf, TopologyContext context, OutputCollector coll Grouping._Fields a; - if (conf.containsKey("bolt.parser.ts.precision")) { - String timePrecision = conf.get("bolt.parser.ts.precision").toString(); - if (timePrecision.equalsIgnoreCase("MILLI")) { - microSecMultiplier = 1L / 1000; - secMultiplier = 1000L; - } else if (timePrecision.equalsIgnoreCase("MICRO")) { - microSecMultiplier = 1L; - secMultiplier = 1000000L; - } else if (timePrecision.equalsIgnoreCase("NANO")) { - microSecMultiplier = 1000L; - secMultiplier = 1000000000L; - } - } + // hBaseStreamPartitioner = new HBaseStreamPartitioner( // conf.get("bolt.hbase.table.name").toString(), // 0, @@ -165,6 +171,7 @@ public void execute(Tuple input) { for (PacketInfo packetInfo : packetInfoList) { + String string_pcap = packetInfo.getJsonIndexDoc(); Object obj=JSONValue.parse(string_pcap); JSONObject header=(JSONObject)obj; @@ -172,40 +179,6 @@ public void execute(Tuple input) { JSONObject message = new JSONObject(); //message.put("key", packetInfo.getKey()); - if(header.containsKey("src_addr")) - { - String tmp = header.get("src_addr").toString(); - header.remove("src_addr"); - header.put("ip_src_addr", tmp); - } - - if(header.containsKey("dst_addr")) - { - String tmp = header.get("dst_addr").toString(); - header.remove("dst_addr"); - header.put("ip_dst_addr", tmp); - } - - if(header.containsKey("src_port")) - { - String tmp = header.get("src_port").toString(); - header.remove("src_port"); - header.put("ip_src_port", tmp); - } - - if(message.containsKey("dst_port")) - { - String tmp = header.get("dst_port").toString(); - header.remove("dst_port"); - header.put("ip_dst_port", tmp); - } - if(message.containsKey("ip_protocol")) - { - String tmp = header.get("ip_protocol").toString(); - header.remove("ip_protocol"); - header.put("protocol", tmp); - } - message.put("message", header); collector.emit("message", new Values(packetInfo.getKey(), message)); 
@@ -214,7 +187,7 @@ public void execute(Tuple input) { collector.emit("pcap_header_stream", new Values(packetInfo.getJsonDoc(), packetInfo.getKey())); collector.emit("pcap_data_stream", new Values(packetInfo.getKey(), - (packetInfo.getPacketHeader().getTsSec() * secMultiplier + packetInfo.getPacketHeader().getTsUsec() * microSecMultiplier), + packetInfo.getPacketTimeInNanos() / timePrecisionDivisor, input.getBinary(0))); // collector.emit(new Values(packetInfo.getJsonDoc(), packetInfo @@ -230,11 +203,9 @@ public void execute(Tuple input) { e.printStackTrace(); LOG.error("Exception while processing tuple", e); - String error_as_string = org.apache.commons.lang.exception.ExceptionUtils - .getStackTrace(e); JSONObject error = ErrorGenerator.generateErrorMessage( - "Alerts problem: " + input.getBinary(0), error_as_string); + "Alerts problem: " + input.getBinary(0), e); collector.emit("error", new Values(error)); return; diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/TelemetryParserBolt.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/TelemetryParserBolt.java index b324eb7b79..8a48764e16 100644 --- a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/TelemetryParserBolt.java +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/TelemetryParserBolt.java @@ -30,11 +30,11 @@ import backtype.storm.tuple.Tuple; import backtype.storm.tuple.Values; +import com.opensoc.helpers.topology.ErrorGenerator; import com.opensoc.json.serialization.JSONEncoderHelper; import com.opensoc.metrics.MetricReporter; import com.opensoc.parser.interfaces.MessageFilter; import com.opensoc.parser.interfaces.MessageParser; -import com.opensoc.topologyhelpers.ErrorGenerator; /** * Uses an adapter to parse a telemetry message from its native format into a 
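Review bot: The error text in the catch block of execute is built as `"Alerts problem: " + input.getBinary(0)`, and concatenating a byte[] yields only its type and identity hash (something like `[B@1b2c3d`, a constructed example), so the record emitted on the error stream says nothing about the tuple that failed. The wording also says "Alerts" inside the PCAP parser bolt. I would use `"PCAP parsing problem, tuple of " + input.getBinary(0).length + " bytes", e` and drop the `e.printStackTrace()` kept just above, since `LOG.error("Exception while processing tuple", e)` already records the trace. execute starts and ends outside this hunk.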
@@ -125,6 +125,11 @@ void doPrepare(Map conf, TopologyContext topologyContext, LOG.info("[OpenSOC] Metric reporter is not initialized"); } this.registerCounters(); + + if(_parser != null) + _parser.init(); + + } @SuppressWarnings("unchecked") @@ -203,7 +208,7 @@ public void execute(Tuple tuple) { JSONObject error = ErrorGenerator.generateErrorMessage( "Parsing problem: " + new String(original_message), - e.toString()); + e); _collector.emit("error", new Values(error)); } } diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/AbstractParser.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/AbstractParser.java index e5fa29e603..728e2757d7 100644 --- a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/AbstractParser.java +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/AbstractParser.java @@ -34,9 +34,15 @@ public abstract class AbstractParser implements MessageParser, Serializable { public void initializeParser() { _LOG.debug("Initializing adapter..."); + } - + + public void init() { + + } + + abstract public JSONObject parse(byte[] raw_message); } diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicBroParser.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicBroParser.java index bdb4c52ee6..741fd75676 100644 --- a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicBroParser.java +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicBroParser.java 
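Review bot: In the `@@ -203,7 +208,7 @@` hunk the raw message is decoded with `new String(original_message)`, which uses the platform default charset, while the parsers in this commit decode the same bytes as UTF-8. The error record can therefore show different text from what the parser saw, depending on the worker's locale. `new String(original_message, java.nio.charset.Charset.forName("UTF-8"))` keeps them consistent without adding a checked exception. The surrounding execute method starts and ends outside the hunk.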
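Review bot: The new `public void init()` in AbstractParser is empty and undocumented, and it sits next to `initializeParser()` with nothing saying how the two hooks differ. The TelemetryParserBolt hunk in this commit calls it from doPrepare when `_parser` is non-null, so I would document exactly that: `/** Called from the bolt's prepare step before any message is parsed; the default does nothing. */`. If MessageParser now declares init(), which this hunk does not show, the method should also carry `@Override`.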
@@ -17,22 +17,26 @@ package com.opensoc.parsing.parsers; +import org.json.simple.JSONArray; import org.json.simple.JSONObject; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import com.opensoc.tldextractor.BasicTldExtractor; + @SuppressWarnings("serial") public class BasicBroParser extends AbstractParser { protected static final Logger _LOG = LoggerFactory .getLogger(BasicBroParser.class); - JSONCleaner cleaner = new JSONCleaner(); + private JSONCleaner cleaner = new JSONCleaner(); + private BasicTldExtractor tldex = new BasicTldExtractor(); @SuppressWarnings("unchecked") public JSONObject parse(byte[] msg) { _LOG.trace("[OpenSOC] Starting to parse incoming message"); - + String raw_message = null; try { 
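Review bot: The added field `private BasicTldExtractor tldex = new BasicTldExtractor();` is never read by live code; its only use is inside the block that the later `@@ -77,38 +110,42 @@` hunk commits as comments. BasicBroParser is serializable through AbstractParser, so an instance field of this type has to be Serializable or be marked transient, and I cannot tell which from this diff. I would drop the field and its import until the TLD extraction is switched on, and delete the commented-out block rather than commit it.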
@@ -42,33 +46,62 @@ public JSONObject parse(byte[] msg) { JSONObject cleaned_message = cleaner.Clean(raw_message); _LOG.debug("[OpenSOC] Cleaned message: " + raw_message); - - if(cleaned_message == null || cleaned_message.isEmpty()) + + if (cleaned_message == null || cleaned_message.isEmpty()) throw new Exception("Unable to clean message: " + raw_message); String key = cleaned_message.keySet().iterator().next().toString(); - - if(key == null) - throw new Exception("Unable to retrieve key for message: " + raw_message); + + if (key == null) + throw new Exception("Unable to retrieve key for message: " + + raw_message); JSONObject payload = (JSONObject) cleaned_message.get(key); - - if(payload == null) - throw new Exception("Unable to retrieve payload for message: " + raw_message); + + String originalString = " |"; + for (Object k : payload.keySet()) { + originalString = originalString + " " + k.toString() + ":" + + payload.get(k).toString(); + } + originalString = key.toUpperCase() + originalString; + payload.put("original_string", originalString); + + if (payload == null) + throw new Exception("Unable to retrieve payload for message: " + + raw_message); + + if (payload.containsKey("ts")) { + String ts = payload.remove("ts").toString(); + payload.put("timestamp", ts); + _LOG.trace("[OpenSOC] Added ts to: " + payload); + } if (payload.containsKey("id.orig_h")) { String source_ip = payload.remove("id.orig_h").toString(); payload.put("ip_src_addr", source_ip); _LOG.trace("[OpenSOC] Added ip_src_addr to: " + payload); + } else if (payload.containsKey("tx_hosts")) { + JSONArray txHosts = (JSONArray) payload.remove("tx_hosts"); + if (txHosts != null && !txHosts.isEmpty()) { + payload.put("ip_src_addr", txHosts.get(0)); + _LOG.trace("[OpenSOC] Added ip_src_addr to: " + payload); + } } + if (payload.containsKey("id.resp_h")) { String source_ip = payload.remove("id.resp_h").toString(); payload.put("ip_dst_addr", source_ip); _LOG.trace("[OpenSOC] Added ip_dst_addr to: " + 
payload); + } else if (payload.containsKey("rx_hosts")) { + JSONArray rxHosts = (JSONArray) payload.remove("rx_hosts"); + if (rxHosts != null && !rxHosts.isEmpty()) { + payload.put("ip_dst_addr", rxHosts.get(0)); + _LOG.trace("[OpenSOC] Added ip_dst_addr to: " + payload); + } } + if (payload.containsKey("id.orig_p")) { - String source_port = payload.remove("id.orig_p") - .toString(); + String source_port = payload.remove("id.orig_p").toString(); payload.put("ip_src_port", source_port); _LOG.trace("[OpenSOC] Added ip_src_port to: " + payload); } 
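Review bot: The `if (payload == null)` guard now sits after the new loop that builds `original_string`, so a missing payload fails with a NullPointerException at `payload.keySet()` and the "Unable to retrieve payload for message" text is never produced. Move the guard directly under `JSONObject payload = (JSONObject) cleaned_message.get(key);`. Inside the loop `payload.get(k).toString()` also throws on a JSON null value, which `String.valueOf(payload.get(k))` avoids, and the `(JSONArray)` casts on `tx_hosts` and `rx_hosts` trust the sender's field type. parse starts and ends outside this hunk.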
@@ -77,38 +110,42 @@ public JSONObject parse(byte[] msg) { payload.put("ip_dst_port", dest_port); _LOG.trace("[OpenSOC] Added ip_dst_port to: " + payload); } - if (payload.containsKey("host")) { - - String host = payload.get("host").toString().trim(); - String[] parts = host.split("\\."); - int length = parts.length; - payload.put("tld", parts[length - 2] + "." - + parts[length - 1]); - _LOG.trace("[OpenSOC] Added tld to: " + payload); - } - if (payload.containsKey("query")) { - String host = payload.get("query").toString(); - String[] parts = host.split("\\."); - int length = parts.length; - payload.put("tld", parts[length - 2] + "." - + parts[length - 1]); - _LOG.trace("[OpenSOC] Added tld to: " + payload); - } + +// if (payload.containsKey("host")) { +// +// String host = payload.get("host").toString().trim(); +// String tld = tldex.extractTLD(host); +// +// payload.put("tld", tld); +// _LOG.trace("[OpenSOC] Added tld to: " + payload); +// +// } +// if (payload.containsKey("query")) { +// String host = payload.get("query").toString(); +// String[] parts = host.split("\\."); +// int length = parts.length; +// if (length >= 2) { +// payload.put("tld", parts[length - 2] + "." +// + parts[length - 1]); +// _LOG.trace("[OpenSOC] Added tld to: " + payload); +// } +// } _LOG.trace("[OpenSOC] Inner message: " + payload); payload.put("protocol", key); _LOG.debug("[OpenSOC] Returning parsed message: " + payload); - + return payload; - + } catch (Exception e) { _LOG.error("Unable to Parse Message: " + raw_message); e.printStackTrace(); return null; } - + } + } diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicFireEyeParser.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicFireEyeParser.java new file mode 100644 index 0000000000..baa28570d7 --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicFireEyeParser.java 
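Review bot: The catch block kept at the end of parse logs `"Unable to Parse Message: " + raw_message` without the exception and sends the trace to stderr through `e.printStackTrace()`, so the reason a Bro record was dropped does not reach the log that operators search. `_LOG.error("Unable to Parse Message: " + raw_message, e);` covers both. With the `host` and `query` blocks disabled, this parser no longer sets `tld`; if anything downstream reads that field, the change needs to be called out. parse starts outside this hunk.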
@@ -0,0 +1,234 @@ +package com.opensoc.parsing.parsers; + +import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.io.Serializable; +import java.text.ParseException; +import java.text.SimpleDateFormat; +import java.util.Arrays; +import java.util.Calendar; +import java.util.Date; +import java.util.HashMap; +import java.util.Locale; +import java.util.Map; +import java.util.TimeZone; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import org.apache.commons.lang3.StringUtils; +import org.json.simple.JSONObject; + +import com.google.common.base.Joiner; +import com.google.common.collect.ArrayListMultimap; +import com.google.common.collect.Multimap; + +import oi.thekraken.grok.api.Grok; +import oi.thekraken.grok.api.Match; +import oi.thekraken.grok.api.exception.GrokException; + +public class BasicFireEyeParser extends AbstractParser implements Serializable { + + private static final long serialVersionUID = 6328907550159134550L; + //String tsRegex = "(.*)([a-z][A-Z]+)\\s+(\\d+)\\s+(\\d+\\:\\d+\\:\\d+)\\s+(\\d+\\.\\d+\\.\\d+\\.\\d+)(.*)$"; + String tsRegex ="([a-zA-Z]{3})\\s+(\\d+)\\s+(\\d+\\:\\d+\\:\\d+)\\s+(\\d+\\.\\d+\\.\\d+\\.\\d+)"; + + + Pattern tsPattern = Pattern.compile(tsRegex); + // private transient static OpenSOCGrok grok; + // private transient static InputStream pattern_url; + + public BasicFireEyeParser() throws Exception { + // pattern_url = getClass().getClassLoader().getResourceAsStream( + // "patterns/fireeye"); + // + // File file = ParserUtils.stream2file(pattern_url); + // grok = OpenSOCGrok.create(file.getPath()); + // + // grok.compile("%{FIREEYE_BASE}"); + } + + @Override + public JSONObject parse(byte[] raw_message) { + String toParse = ""; + + try { + + toParse = new String(raw_message, "UTF-8"); + + // String[] mTokens = toParse.split(" "); + + String positveIntPattern = "<[1-9][0-9]*>"; + Pattern p = Pattern.compile(positveIntPattern); + Matcher m = p.matcher(toParse); + + String 
delimiter = ""; + + while (m.find()) { + delimiter = m.group(); + + } + + if (!StringUtils.isBlank(delimiter)) { + String[] tokens = toParse.split(delimiter); + + if (tokens.length > 1) + toParse = delimiter + tokens[1]; + + } + + JSONObject toReturn = parseMessage(toParse); + + toReturn.put("timestamp", getTimeStamp(toParse,delimiter)); + + return toReturn; + + } catch (Exception e) { + e.printStackTrace(); + return null; + } + + } + + public static Long convertToEpoch(String m, String d, String ts, + boolean adjust_timezone) throws ParseException { + d = d.trim(); + + if (d.length() <= 2) + d = "0" + d; + + Date date = new SimpleDateFormat("MMM", Locale.ENGLISH).parse(m); + Calendar cal = Calendar.getInstance(); + cal.setTime(date); + String month = String.valueOf(cal.get(Calendar.MONTH)); + int year = Calendar.getInstance().get(Calendar.YEAR); + + if (month.length() <= 2) + month = "0" + month; + + String coglomerated_ts = year + "-" + month + "-" + d + " " + ts; + + System.out.println(coglomerated_ts); + + SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); + + if (adjust_timezone) + sdf.setTimeZone(TimeZone.getTimeZone("GMT")); + + date = sdf.parse(coglomerated_ts); + long timeInMillisSinceEpoch = date.getTime(); + + return timeInMillisSinceEpoch; + } + + private long getTimeStamp(String toParse,String delimiter) throws ParseException { + + long ts = 0; + String month = null; + String day = null; + String time = null; + Matcher tsMatcher = tsPattern.matcher(toParse); + if (tsMatcher.find()) { + month = tsMatcher.group(1); + day = tsMatcher.group(2); + time = tsMatcher.group(3); + + } else { + _LOG.warn("Unable to find timestamp in message: " + toParse); + ts = convertToEpoch(month, day, time, true); + } + + return ts; + + } + + private JSONObject parseMessage(String toParse) { + + // System.out.println("Received message: " + toParse); + + // OpenSOCMatch gm = grok.match(toParse); + // gm.captures(); + + JSONObject toReturn = new JSONObject(); + 
//toParse = toParse.replaceAll(" ", " "); + String[] mTokens = toParse.split("\\s+"); + //mTokens = toParse.split(" "); + + // toReturn.putAll(gm.toMap()); + + String id = mTokens[4]; + + // We are not parsing the fedata for multi part message as we cannot + // determine how we can split the message and how many multi part + // messages can there be. + // The message itself will be stored in the response. + + String[] tokens = id.split("\\."); + if (tokens.length == 2) { + + String[] array = Arrays.copyOfRange(mTokens, 1, mTokens.length - 1); + String syslog = Joiner.on(" ").join(array); + + Multimap multiMap = formatMain(syslog); + + for (String key : multiMap.keySet()) { + + String value = Joiner.on(",").join(multiMap.get(key)); + toReturn.put(key, value.trim()); + } + + } + + toReturn.put("original_string", toParse); + + String ip_src_addr = (String) toReturn.get("dvc"); + String ip_src_port = (String) toReturn.get("src_port"); + String ip_dst_addr = (String) toReturn.get("dst_ip"); + String ip_dst_port = (String) toReturn.get("dst_port"); + + if (ip_src_addr != null) + toReturn.put("ip_src_addr", ip_src_addr); + if (ip_src_port != null) + toReturn.put("ip_src_port", ip_src_port); + if (ip_dst_addr != null) + toReturn.put("ip_dst_addr", ip_dst_addr); + if (ip_dst_port != null) + toReturn.put("ip_dst_port", ip_dst_port); + + System.out.println(toReturn); + + return toReturn; + } + + private Multimap formatMain(String in) { + Multimap multiMap = ArrayListMultimap.create(); + String input = in.replaceAll("cn3", "dst_port") + .replaceAll("cs5", "cncHost").replaceAll("proto", "protocol") + .replaceAll("rt=", "timestamp=").replaceAll("cs1", "malware") + .replaceAll("dst=", "dst_ip=") + .replaceAll("shost", "src_hostname") + .replaceAll("dmac", "dst_mac").replaceAll("smac", "src_mac") + .replaceAll("spt", "src_port") + .replaceAll("\\bsrc\\b", "src_ip"); + String[] tokens = input.split("\\|"); + + if (tokens.length > 0) { + String message = tokens[tokens.length - 1]; + 
+ String pattern = "([\\w\\d]+)=([^=]*)(?=\\s*\\w+=|\\s*$) "; + Pattern p = Pattern.compile(pattern); + Matcher m = p.matcher(message); + + while (m.find()) { + String[] str = m.group().split("="); + multiMap.put(str[0], str[1]); + + } + + } + return multiMap; + } + + + +} \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicIseParser.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicIseParser.java index f7a4b71e91..699027312e 100644 --- a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicIseParser.java +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicIseParser.java @@ -79,4 +79,6 @@ public JSONObject parse(byte[] msg) { } return null; } + + } diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicLancopeParser.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicLancopeParser.java index 23f6c62485..73682ea32a 100644 --- a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicLancopeParser.java +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicLancopeParser.java @@ -69,4 +69,6 @@ public JSONObject parse(byte[] msg) { return null; } } + + } diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicLogstashParser.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicLogstashParser.java new file mode 100644 index 0000000000..10bfcd20ed --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicLogstashParser.java 
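Review bot: getTimeStamp in BasicFireEyeParser has its branches the wrong way round: when the timestamp regex matches, `ts` stays 0, and when it does not match, convertToEpoch is called with null month, day and time and throws on `d.trim()`, which parse turns into a dropped message. convertToEpoch is also off by one month because `Calendar.MONTH` is zero-based, and its two `length() <= 2` tests pad unconditionally. It prints every timestamp with `System.out.println`, as parseMessage does with every parsed record, and `mTokens[4]` in parseMessage is read without a length check. The fence parses month, day and time with one SimpleDateFormat and calls it from the matching branch; the year still comes from the clock because the message carries none, so records around New Year need care.

```java
	public static Long convertToEpoch(String m, String d, String ts,
			boolean adjust_timezone) throws ParseException {
		// The syslog header has no year, so the current one is assumed.
		int year = Calendar.getInstance().get(Calendar.YEAR);
		SimpleDateFormat sdf = new SimpleDateFormat("yyyy MMM d HH:mm:ss", Locale.ENGLISH);

		if (adjust_timezone)
			sdf.setTimeZone(TimeZone.getTimeZone("GMT"));

		return sdf.parse(year + " " + m + " " + d.trim() + " " + ts).getTime();
	}

	// … unchanged: getTimeStamp signature and local declarations …
		if (tsMatcher.find()) {
			ts = convertToEpoch(tsMatcher.group(1), tsMatcher.group(2),
					tsMatcher.group(3), true);
		} else {
			_LOG.warn("Unable to find timestamp in message: " + toParse);
		}
```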
@@ -0,0 +1,65 @@ +package com.opensoc.parsing.parsers; + +import java.io.UnsupportedEncodingException; +import java.text.SimpleDateFormat; + +import org.json.simple.JSONObject; +import org.json.simple.parser.JSONParser; +import org.json.simple.parser.ParseException; + +public class BasicLogstashParser extends AbstractParser { + + @Override + public JSONObject parse(byte[] raw_message) { + + try { + + /* + * We need to create a new JSONParser each time because its + * not serializable and the parser is created on the storm nimbus + * node, then transfered to the workers. + */ + JSONParser jsonParser = new JSONParser(); + String rawString = new String(raw_message, "UTF-8"); + JSONObject rawJson = (JSONObject) jsonParser.parse(rawString); + + // remove logstash meta fields + rawJson.remove("@version"); + rawJson.remove("type"); + rawJson.remove("host"); + rawJson.remove("tags"); + + // rename other keys + rawJson = mutate(rawJson, "message", "original_string"); + rawJson = mutate(rawJson, "src_ip", "ip_src_addr"); + rawJson = mutate(rawJson, "dst_ip", "ip_dst_addr"); + rawJson = mutate(rawJson, "src_port", "ip_src_port"); + rawJson = mutate(rawJson, "dst_port", "ip_dst_port"); + rawJson = mutate(rawJson, "src_ip", "ip_src_addr"); + + // convert timestamp to milli since epoch + rawJson.put("timestamp", LogstashToEpoch((String) rawJson.remove("@timestamp"))); + + return rawJson; + } catch (Exception e) { + e.printStackTrace(); + return null; + } + } + + private JSONObject mutate(JSONObject json, String oldKey, String newKey) { + if (json.containsKey(oldKey)) { + json.put(newKey, json.remove(oldKey)); + } + return json; + } + + private long LogstashToEpoch(String timestamp) throws java.text.ParseException { + SimpleDateFormat logstashDateFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"); + return logstashDateFormat.parse(timestamp).getTime(); + + } + + + +} 
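Review bot: LogstashToEpoch parses `yyyy-MM-dd'T'HH:mm:ss.SSS'Z'` with the `Z` quoted as a literal and no time zone set on the formatter, so the UTC `@timestamp` is read in the worker's default zone and every event is shifted by that offset on any host not running in UTC. Add `logstashDateFormat.setTimeZone(TimeZone.getTimeZone("UTC"));` before the parse, with the `java.util.TimeZone` import. In parse, `mutate(rawJson, "src_ip", "ip_src_addr")` is called twice and the second call does nothing. The `UnsupportedEncodingException` and `ParseException` imports are unused.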
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicPaloAltoFirewallParser.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicPaloAltoFirewallParser.java new file mode 100644 index 0000000000..315ca3deea --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicPaloAltoFirewallParser.java 
@@ -0,0 +1,184 @@ +package com.opensoc.parsing.parsers; + + +import org.json.simple.JSONObject; + +import java.net.MalformedURLException; +import java.net.URL; + +import com.opensoc.parser.interfaces.MessageParser; + +public class BasicPaloAltoFirewallParser extends AbstractParser implements MessageParser{ + + private static final long serialVersionUID = 3147090149725343999L; + public static final String PaloAltoDomain = "palo_alto_domain"; + public static final String ReceiveTime = "receive_time"; + public static final String SerialNum = "serial_num"; + public static final String Type = "type"; + public static final String ThreatContentType = "threat_content_type"; + public static final String ConfigVersion = "config_version"; + public static final String GenerateTime = "generate_time"; + public static final String SourceAddress = "source_address"; + public static final String DestinationAddress = "destination_address"; + public static final String NATSourceIP = "nat_source_ip"; + public static final String NATDestinationIP = "nat_destination_ip"; + public static final String Rule = "rule"; + public static final String SourceUser = "source_user"; + public static final String DestinationUser = "destination_user"; + public static final String Application = "application"; + public static final String VirtualSystem = "virtual_system"; + public static final String SourceZone = "source_zone"; + public static final String DestinationZone = "destination_zone"; + public static final String InboundInterface = "inbound_interface"; + public static final String OutboundInterface = "outbound_interface"; + public static final String LogAction = "log_action"; + public static final String TimeLogged = "time_logged"; + public static final String SessionID = "session_id"; + public static final String RepeatCount = "repeat_count"; + public static final String SourcePort = "source_port"; + public static final String DestinationPort = "destination_port"; + public static final String 
NATSourcePort = "nats_source_port"; + public static final String NATDestinationPort = "nats_destination_port"; + public static final String Flags = "flags"; + public static final String IPProtocol = "ip_protocol"; + public static final String Action = "action"; + + //Threat + public static final String URL = "url"; + public static final String HOST = "host"; + public static final String ThreatContentName = "threat_content_name"; + public static final String Category = "category"; + public static final String Direction = "direction"; + public static final String Seqno = "seqno"; + public static final String ActionFlags = "action_flags"; + public static final String SourceCountry = "source_country"; + public static final String DestinationCountry = "destination_country"; + public static final String Cpadding = "cpadding"; + public static final String ContentType = "content_type"; + + //Traffic + public static final String Bytes = "content_type"; + public static final String BytesSent = "content_type"; + public static final String BytesReceived = "content_type"; + public static final String Packets = "content_type"; + public static final String StartTime = "content_type"; + public static final String ElapsedTimeInSec = "content_type"; + public static final String Padding = "content_type"; + public static final String PktsSent = "pkts_sent"; + public static final String PktsReceived = "pkts_received"; + + + @SuppressWarnings({ "unchecked", "unused" }) + public JSONObject parse(byte[] msg) { + + JSONObject outputMessage = new JSONObject(); + String toParse = ""; + + try { + + toParse = new String(msg, "UTF-8"); + _LOG.debug("Received message: " + toParse); + + + parseMessage(toParse,outputMessage); + + outputMessage.put("timestamp", System.currentTimeMillis()); + outputMessage.put("ip_src_addr", outputMessage.remove("source_address")); + outputMessage.put("ip_src_port", outputMessage.remove("source_port")); + outputMessage.put("ip_dst_addr", 
outputMessage.remove("destination_address")); + outputMessage.put("ip_dst_port", outputMessage.remove("destination_port")); + outputMessage.put("protocol", outputMessage.remove("ip_protocol")); + + outputMessage.put("original_string", toParse); + return outputMessage; + } catch (Exception e) { + e.printStackTrace(); + _LOG.error("Failed to parse: " + toParse); + return null; + } + } + + @SuppressWarnings("unchecked") + private void parseMessage(String message,JSONObject outputMessage) { + + String[] tokens = message.split(","); + + String type = tokens[3].trim(); + + //populate common objects + outputMessage.put(PaloAltoDomain, tokens[0].trim()); + outputMessage.put(ReceiveTime, tokens[1].trim()); + outputMessage.put(SerialNum, tokens[2].trim()); + outputMessage.put(Type, type); + outputMessage.put(ThreatContentType, tokens[4].trim()); + outputMessage.put(ConfigVersion, tokens[5].trim()); + outputMessage.put(GenerateTime, tokens[6].trim()); + outputMessage.put(SourceAddress, tokens[7].trim()); + outputMessage.put(DestinationAddress, tokens[8].trim()); + outputMessage.put(NATSourceIP, tokens[9].trim()); + outputMessage.put(NATDestinationIP, tokens[10].trim()); + outputMessage.put(Rule, tokens[11].trim()); + outputMessage.put(SourceUser, tokens[12].trim()); + outputMessage.put(DestinationUser, tokens[13].trim()); + outputMessage.put(Application, tokens[14].trim()); + outputMessage.put(VirtualSystem, tokens[15].trim()); + outputMessage.put(SourceZone, tokens[16].trim()); + outputMessage.put(DestinationZone, tokens[17].trim()); + outputMessage.put(InboundInterface, tokens[18].trim()); + outputMessage.put(OutboundInterface, tokens[19].trim()); + outputMessage.put(LogAction, tokens[20].trim()); + outputMessage.put(TimeLogged, tokens[21].trim()); + outputMessage.put(SessionID, tokens[22].trim()); + outputMessage.put(RepeatCount, tokens[23].trim()); + outputMessage.put(SourcePort, tokens[24].trim()); + outputMessage.put(DestinationPort, tokens[25].trim()); + 
outputMessage.put(NATSourcePort, tokens[26].trim()); + outputMessage.put(NATDestinationPort, tokens[27].trim()); + outputMessage.put(Flags, tokens[28].trim()); + outputMessage.put(IPProtocol, tokens[29].trim()); + outputMessage.put(Action, tokens[30].trim()); + + + if("THREAT".equals(type.toUpperCase())) { + outputMessage.put(URL, tokens[31].trim()); + try { + URL url = new URL(tokens[31].trim()); + outputMessage.put(HOST, url.getHost()); + } catch (MalformedURLException e) { + } + outputMessage.put(ThreatContentName, tokens[32].trim()); + outputMessage.put(Category, tokens[33].trim()); + outputMessage.put(Direction, tokens[34].trim()); + outputMessage.put(Seqno, tokens[35].trim()); + outputMessage.put(ActionFlags, tokens[36].trim()); + outputMessage.put(SourceCountry, tokens[37].trim()); + outputMessage.put(DestinationCountry, tokens[38].trim()); + outputMessage.put(Cpadding, tokens[39].trim()); + outputMessage.put(ContentType, tokens[40].trim()); + + } + else + { + outputMessage.put(Bytes, tokens[31].trim()); + outputMessage.put(BytesSent, tokens[32].trim()); + outputMessage.put(BytesReceived, tokens[33].trim()); + outputMessage.put(Packets, tokens[34].trim()); + outputMessage.put(StartTime, tokens[35].trim()); + outputMessage.put(ElapsedTimeInSec, tokens[36].trim()); + outputMessage.put(Category, tokens[37].trim()); + outputMessage.put(Padding, tokens[38].trim()); + outputMessage.put(Seqno, tokens[39].trim()); + outputMessage.put(ActionFlags, tokens[40].trim()); + outputMessage.put(SourceCountry, tokens[41].trim()); + outputMessage.put(DestinationCountry, tokens[42].trim()); + outputMessage.put(Cpadding, tokens[43].trim()); + outputMessage.put(PktsSent, tokens[44].trim()); + outputMessage.put(PktsReceived, tokens[45].trim()); + } + + } + + + + +} \ No newline at end of file 
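Review bot: The seven traffic constants `Bytes`, `BytesSent`, `BytesReceived`, `Packets`, `StartTime`, `ElapsedTimeInSec` and `Padding` are all set to `"content_type"`, so in the non-THREAT branch of parseMessage each `put` overwrites the previous one and only `tokens[38]` survives, under a misleading key. The fence gives each constant its own key; the names follow the file's snake_case style and are only a suggestion. parseMessage also indexes `tokens[0]` to `tokens[45]` after a plain `split(",")` with no length check, so a short line ends as a null from parse and a comma inside a field such as the URL shifts every later field; a `tokens.length` check per branch would make the rejection explicit. The empty `catch (MalformedURLException e)` should at least log at debug.

```java
	//Traffic
	public static final String Bytes = "bytes";
	public static final String BytesSent = "bytes_sent";
	public static final String BytesReceived = "bytes_received";
	public static final String Packets = "packets";
	public static final String StartTime = "start_time";
	public static final String ElapsedTimeInSec = "elapsed_time_in_sec";
	public static final String Padding = "padding";
	// … unchanged: PktsSent, PktsReceived …
```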
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicSourcefireParser.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicSourcefireParser.java index b8eaf210f3..be6d8ff1b1 100644 --- a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicSourcefireParser.java +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/BasicSourcefireParser.java @@ -17,15 +17,21 @@ package com.opensoc.parsing.parsers; +import java.util.regex.Matcher; import java.util.regex.Pattern; import org.json.simple.JSONObject; +import com.opensoc.parser.interfaces.MessageParser; + @SuppressWarnings("serial") -public class BasicSourcefireParser extends AbstractParser { +public class BasicSourcefireParser extends AbstractParser implements MessageParser{ public static final String hostkey = "host"; String domain_name_regex = "([^\\.]+)\\.([a-z]{2}|[a-z]{3}|([a-z]{2}\\.[a-z]{2}))$"; + String sidRegex = "(.*)(\\[[0-9]+:[0-9]+:[0-9]\\])(.*)$"; + //String sidRegex = "(\\[[0-9]+:[0-9]+:[0-9]\\])(.*)$"; + Pattern sidPattern = Pattern.compile(sidRegex); Pattern pattern = Pattern.compile(domain_name_regex); @SuppressWarnings({ "unchecked", "unused" }) @@ -76,8 +82,19 @@ public JSONObject parse(byte[] msg) { } payload.put("timestamp", System.currentTimeMillis()); - payload.put("original_string", - toParse.substring(0, toParse.indexOf("{"))); + + Matcher sidMatcher = sidPattern.matcher(toParse); + String originalString = null; + String signatureId = ""; + if (sidMatcher.find()) { + signatureId = sidMatcher.group(2); + originalString = sidMatcher.group(1) +" "+ sidMatcher.group(2) + " " + sidMatcher.group(3); + } else { + _LOG.warn("Unable to find SID in message: " + toParse); + originalString = toParse; + } + payload.put("original_string", originalString); + payload.put("signature_id", signatureId); return payload; } catch (Exception e) { 
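Review bot: sidRegex ends its bracket group with a single `[0-9]`, so a signature whose third number has two or more digits (for example `[1:2003:12]`, a constructed value) never matches, and the message falls through to the "Unable to find SID" warning with an empty `signature_id`. `String sidRegex = "(.*)(\\[[0-9]+:[0-9]+:[0-9]+\\])(.*)$";` fixes that. In the second hunk `original_string` is rebuilt as `sidMatcher.group(1) +" "+ sidMatcher.group(2) + " " + sidMatcher.group(3)`, which inserts two spaces that were not in the input; for a single-line message the three groups cover the whole text, so `toParse` can be stored unchanged. parse starts and ends outside both hunks.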
@@ -87,5 +104,7 @@ public JSONObject parse(byte[] msg) { } } + + } diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/GrokAsaParser.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/GrokAsaParser.java new file mode 100644 index 0000000000..ff7531331a --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/GrokAsaParser.java 
@@ -0,0 +1,269 @@ +package com.opensoc.parsing.parsers; + +import java.io.File; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.Serializable; +import java.text.ParseException; +import java.text.SimpleDateFormat; +import java.util.Calendar; +import java.util.Date; +import java.util.HashMap; +import java.util.Locale; +import java.util.Map; +import java.util.TimeZone; + +import oi.thekraken.grok.api.Grok; +import oi.thekraken.grok.api.Match; +import oi.thekraken.grok.api.exception.GrokException; + +import org.apache.commons.io.IOUtils; +import org.json.simple.JSONObject; + +public class GrokAsaParser extends AbstractParser implements Serializable { + + private static final long serialVersionUID = 945353287115350798L; + private transient Grok grok; + Map patternMap; + private transient Map grokMap; + private transient InputStream pattern_url; + + public static final String PREFIX = "stream2file"; + public static final String SUFFIX = ".tmp"; + + public static File stream2file(InputStream in) throws IOException { + final File tempFile = File.createTempFile(PREFIX, SUFFIX); + tempFile.deleteOnExit(); + try (FileOutputStream out = new FileOutputStream(tempFile)) { + IOUtils.copy(in, out); + } + return tempFile; + } + + public GrokAsaParser() throws Exception { + // pattern_url = Resources.getResource("patterns/asa"); + + pattern_url = getClass().getClassLoader().getResourceAsStream( + "patterns/asa"); + + File file = stream2file(pattern_url); + grok = Grok.create(file.getPath()); + + patternMap = getPatternMap(); + grokMap = getGrokMap(); + + grok.compile("%{CISCO_TAGGED_SYSLOG}"); + } + + public GrokAsaParser(String filepath) throws Exception { + + grok = Grok.create(filepath); + // grok.getNamedRegexCollection().put("ciscotag","CISCOFW302013_302014_302015_302016"); + grok.compile("%{CISCO_TAGGED_SYSLOG}"); + + } + + public GrokAsaParser(String filepath, String pattern) throws Exception { + + grok = 
Grok.create(filepath); + grok.compile("%{" + pattern + "}"); + } + + private Map getMap(String pattern, String text) + throws GrokException { + + Grok g = grokMap.get(pattern); + if (g != null) { + Match gm = g.match(text); + gm.captures(); + return gm.toMap(); + } else { + return new HashMap(); + } + + } + + private Map getGrokMap() throws GrokException, IOException { + Map map = new HashMap(); + + for (Map.Entry entry : patternMap.entrySet()) { + File file = stream2file(pattern_url); + Grok grok = Grok.create(file.getPath()); + grok.compile("%{" + entry.getValue() + "}"); + + map.put(entry.getValue(), grok); + + } + + return map; + } + + private Map getPatternMap() { + Map map = new HashMap(); + + map.put("ASA-2-106001", "CISCOFW106001"); + map.put("ASA-2-106006", "CISCOFW106006_106007_106010"); + map.put("ASA-2-106007", "CISCOFW106006_106007_106010"); + map.put("ASA-2-106010", "CISCOFW106006_106007_106010"); + map.put("ASA-3-106014", "CISCOFW106014"); + map.put("ASA-6-106015", "CISCOFW106015"); + map.put("ASA-1-106021", "CISCOFW106021"); + map.put("ASA-4-106023", "CISCOFW106023"); + map.put("ASA-5-106100", "CISCOFW106100"); + map.put("ASA-6-110002", "CISCOFW110002"); + map.put("ASA-6-302010", "CISCOFW302010"); + map.put("ASA-6-302013", "CISCOFW302013_302014_302015_302016"); + map.put("ASA-6-302014", "CISCOFW302013_302014_302015_302016"); + map.put("ASA-6-302015", "CISCOFW302013_302014_302015_302016"); + map.put("ASA-6-302016", "CISCOFW302013_302014_302015_302016"); + map.put("ASA-6-302020", "CISCOFW302020_302021"); + map.put("ASA-6-302021", "CISCOFW302020_302021"); + map.put("ASA-6-305011", "CISCOFW305011"); + map.put("ASA-3-313001", "CISCOFW313001_313004_313008"); + map.put("ASA-3-313004", "CISCOFW313001_313004_313008"); + map.put("ASA-3-313008", "CISCOFW313001_313004_313008"); + map.put("ASA-4-313005", "CISCOFW313005"); + map.put("ASA-4-402117", "CISCOFW402117"); + map.put("ASA-4-402119", "CISCOFW402119"); + map.put("ASA-4-419001", "CISCOFW419001"); + 
map.put("ASA-4-419002", "CISCOFW419002"); + map.put("ASA-4-500004", "CISCOFW500004"); + map.put("ASA-6-602303", "CISCOFW602303_602304"); + map.put("ASA-6-602304", "CISCOFW602303_602304"); + map.put("ASA-7-710001", "CISCOFW710001_710002_710003_710005_710006"); + map.put("ASA-7-710002", "CISCOFW710001_710002_710003_710005_710006"); + map.put("ASA-7-710003", "CISCOFW710001_710002_710003_710005_710006"); + map.put("ASA-7-710005", "CISCOFW710001_710002_710003_710005_710006"); + map.put("ASA-7-710006", "CISCOFW710001_710002_710003_710005_710006"); + map.put("ASA-6-713172", "CISCOFW713172"); + map.put("ASA-4-733100", "CISCOFW733100"); + map.put("ASA-6-305012", "CISCOFW305012"); + map.put("ASA-7-609001", "CISCOFW609001"); + map.put("ASA-7-609002", "CISCOFW609002"); + + return map; + } + + public static Long convertToEpoch(String m, String d, String ts, + boolean adjust_timezone) throws ParseException { + d = d.trim(); + + if (d.length() <= 2) + d = "0" + d; + + Date date = new SimpleDateFormat("MMM", Locale.ENGLISH).parse(m); + Calendar cal = Calendar.getInstance(); + cal.setTime(date); + String month = String.valueOf(cal.get(Calendar.MONTH)); + int year = Calendar.getInstance().get(Calendar.YEAR); + + if (month.length() <= 2) + month = "0" + month; + + String coglomerated_ts = year + "-" + month + "-" + d + " " + ts; + + System.out.println(coglomerated_ts); + + SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); + + if (adjust_timezone) + sdf.setTimeZone(TimeZone.getTimeZone("GMT")); + + date = sdf.parse(coglomerated_ts); + long timeInMillisSinceEpoch = date.getTime(); + + return timeInMillisSinceEpoch; + } + + @Override + public void init() { + // pattern_url = Resources.getResource("patterns/asa"); + + pattern_url = getClass().getClassLoader().getResourceAsStream( + "patterns/asa"); + + File file = null; + try { + file = stream2file(pattern_url); + } catch (IOException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + try { + grok = 
Grok.create(file.getPath()); + } catch (GrokException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + + patternMap = getPatternMap(); + try { + grokMap = getGrokMap(); + } catch (GrokException | IOException e1) { + // TODO Auto-generated catch block + e1.printStackTrace(); + } + + try { + grok.compile("%{CISCO_TAGGED_SYSLOG}"); + } catch (GrokException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + } + + @Override + public JSONObject parse(byte[] raw_message) { + + String toParse = ""; + JSONObject toReturn; + + try { + + toParse = new String(raw_message, "UTF-8"); + + System.out.println("Received message: " + toParse); + + Match gm = grok.match(toParse); + gm.captures(); + + toReturn = new JSONObject(); + + toReturn.putAll(gm.toMap()); + + String str = toReturn.get("ciscotag").toString(); + String pattern = patternMap.get(str); + + Map response = getMap(pattern, toParse); + + toReturn.putAll(response); + + //System.out.println("*******I MAPPED: " + toReturn); + + toReturn.put("timestamp", convertToEpoch(toReturn.get("MONTH").toString(), toReturn + .get("MONTHDAY").toString(), + toReturn.get("TIME").toString(), + true)); + + toReturn.remove("MONTHDAY"); + toReturn.remove("TIME"); + toReturn.remove("MINUTE"); + toReturn.remove("HOUR"); + toReturn.remove("YEAR"); + toReturn.remove("SECOND"); + + toReturn.put("ip_src_addr", toReturn.remove("IPORHOST")); + toReturn.put("original_string", toParse); + + return toReturn; + + } catch (Exception e) { + e.printStackTrace(); + return null; + } + + } + + +} \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/GrokSourcefireParser.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/GrokSourcefireParser.java index c75bfd595a..a5eabcd057 100644 --- a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/GrokSourcefireParser.java 
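Review bot: `convertToEpoch` produces wrong timestamps: `cal.get(Calendar.MONTH)` is zero-based, and both `d` and `month` are zero-padded whenever their length is `<= 2`, so a January event is formatted as `YYYY-00-0DD` and the lenient `SimpleDateFormat` silently rolls it back instead of failing. Events stamped roughly a month early break correlation and timeline work downstream; the version below parses month name, day and time in one strict pass and drops the `System.out.println`. The year still comes from the wall clock, which will misdate logs processed after a year change. Separately, `getGrokMap` calls `stream2file(pattern_url)` for every entry on the same `InputStream` that the constructor and `init` have already read to the end, so those temp files are presumably empty and the per-tag patterns never load; read the resource once and reuse the file. `parse` also prints every raw message to stdout and returns `null` after `e.printStackTrace()`, both of which should go through the class logger.

```java
public static Long convertToEpoch(String m, String d, String ts,
        boolean adjust_timezone) throws ParseException {
    // Month name is parsed directly, so no zero-based month arithmetic or manual padding.
    int year = Calendar.getInstance().get(Calendar.YEAR);
    SimpleDateFormat sdf = new SimpleDateFormat("yyyy MMM d HH:mm:ss", Locale.ENGLISH);
    // Strict parsing: an out-of-range field raises ParseException instead of rolling over.
    sdf.setLenient(false);
    if (adjust_timezone)
        sdf.setTimeZone(TimeZone.getTimeZone("GMT"));
    return sdf.parse(year + " " + m.trim() + " " + d.trim() + " " + ts.trim()).getTime();
}
```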
+++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/GrokSourcefireParser.java @@ -71,4 +71,6 @@ public JSONObject parse(byte[] raw_message) { } + + } diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/GrokUtils.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/GrokUtils.java new file mode 100644 index 0000000000..de2ba54504 --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/GrokUtils.java @@ -0,0 +1,26 @@ +package com.opensoc.parsing.parsers; +import java.io.Serializable; + +import com.google.code.regexp.Pattern; + +public class GrokUtils implements Serializable { + + private static final long serialVersionUID = 7465176887422419286L; + /** + * Extract Grok patter like %{FOO} to FOO, Also Grok pattern with semantic. + */ + public static final Pattern GROK_PATTERN = Pattern.compile( + "%\\{" + + "(?" + + "(?[A-z0-9]+)" + + "(?::(?[A-z0-9_:;\\/\\s\\.]+))?" + + ")" + + "(?:=(?" + + "(?:" + + "(?:[^{}]+|\\.+)+" + + ")+" + + ")" + + ")?" + + "\\}"); + + } \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/OpenSOCConverter.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/OpenSOCConverter.java new file mode 100644 index 0000000000..5d495a60ee --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/OpenSOCConverter.java 
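Review bot: The `[A-z0-9]` classes in `GROK_PATTERN` span the ASCII range from `A` to `z`, which also admits `[`, `\`, `]`, `^`, `_` and the backtick, so pattern names containing those characters are accepted; write `[A-Za-z0-9]` and add `_` explicitly where it is wanted. The definition group nests unbounded repetitions, `(?:(?:[^{}]+|\\.+)+)+`, and its two alternatives overlap, so it can backtrack heavily on a long definition that has no closing `}`; a single `[^{}]+` looks sufficient unless something else depends on the current form. The Javadoc has a typo ("patter"), and a constants-only class needs neither `Serializable` nor a `serialVersionUID`.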
@@ -0,0 +1,183 @@ +package com.opensoc.parsing.parsers; + +import java.io.Serializable; +import java.text.DateFormat; +import java.text.SimpleDateFormat; +import java.util.Date; +import java.util.HashMap; +import java.util.Map; + +public class OpenSOCConverter implements Serializable { + + private static final long serialVersionUID = 4319897815285922962L; + public static Map> _converters = new HashMap>(); + + static { + _converters.put("byte", new ByteConverter()); + _converters.put("boolean", new BooleanConverter()); + _converters.put("short", new ShortConverter()); + _converters.put("int", new IntegerConverter()); + _converters.put("long", new LongConverter()); + _converters.put("float", new FloatConverter()); + _converters.put("double", new DoubleConverter()); + _converters.put("date", new DateConverter()); + _converters.put("datetime", new DateConverter()); + _converters.put("string", new StringConverter()); + + } + + private static IConverter getConverter(String key) throws Exception { + IConverter converter = _converters.get(key); + if (converter == null) { + throw new Exception("Invalid data type :" + key); + } + return converter; + } + + public static KeyValue convert(String key, Object value) { + String[] spec = key.split(";"); + try { + if (spec.length == 1) { + return new KeyValue(spec[0], value); + } else if (spec.length == 2) { + return new KeyValue(spec[0], getConverter(spec[1]).convert(String.valueOf(value))); + } else if (spec.length == 3) { + return new KeyValue(spec[0], getConverter(spec[1]).convert(String.valueOf(value), spec[2])); + } else { + return new KeyValue(spec[0], value, "Unsupported spec :" + key); + } + } catch (Exception e) { + return new KeyValue(spec[0], value, e.toString()); + } + } +} + + +// +// KeyValue +// + +class KeyValue { + + private String key = null; + private Object value = null; + private String grokFailure = null; + + public KeyValue(String key, Object value) { + this.key = key; + this.value = value; + } + + public 
KeyValue(String key, Object value, String grokFailure) { + this.key = key; + this.value = value; + this.grokFailure = grokFailure; + } + + public boolean hasGrokFailure() { + return grokFailure != null; + } + + public String getGrokFailure() { + return this.grokFailure; + } + + public String getKey() { + return key; + } + + public void setKey(String key) { + this.key = key; + } + + public Object getValue() { + return value; + } + + public void setValue(Object value) { + this.value = value; + } +} + + +// +// Converters +// +abstract class IConverter { + + public T convert(String value, String informat) throws Exception { + return null; + } + + public abstract T convert(String value) throws Exception; +} + +class ByteConverter extends IConverter { + @Override + public Byte convert(String value) throws Exception { + return Byte.parseByte(value); + } +} + +class BooleanConverter extends IConverter { + @Override + public Boolean convert(String value) throws Exception { + return Boolean.parseBoolean(value); + } +} + +class ShortConverter extends IConverter { + @Override + public Short convert(String value) throws Exception { + return Short.parseShort(value); + } +} + +class IntegerConverter extends IConverter { + @Override + public Integer convert(String value) throws Exception { + return Integer.parseInt(value); + } +} + +class LongConverter extends IConverter { + @Override + public Long convert(String value) throws Exception { + return Long.parseLong(value); + } +} + +class FloatConverter extends IConverter { + @Override + public Float convert(String value) throws Exception { + return Float.parseFloat(value); + } +} + +class DoubleConverter extends IConverter { + @Override + public Double convert(String value) throws Exception { + return Double.parseDouble(value); + } +} + +class StringConverter extends IConverter { + @Override + public String convert(String value) throws Exception { + return value; + } +} + +class DateConverter extends IConverter { + @Override + 
public Date convert(String value) throws Exception {
+ return DateFormat.getInstance().parse(value);
+ }
+
+ @Override
+ public Date convert(String value, String informat) throws Exception {
+ SimpleDateFormat formatter = new SimpleDateFormat(informat);
+ return formatter.parse(value);
+ }
+
+}
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/OpenSOCGarbage.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/OpenSOCGarbage.java
new file mode 100644
index 0000000000..1f7f3c84ee
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/OpenSOCGarbage.java
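Review bot: A three-part spec with any type other than `date`/`datetime` silently yields a `null` value, because the base `IConverter.convert(String value, String informat)` returns `null` and only `DateConverter` overrides it. In `OpenSOCConverter.convert` that null is stored with no grok failure recorded, so a field vanishes from the parsed event without trace; have the base method `throw new UnsupportedOperationException("format argument not supported for this type");` so the existing `catch` turns it into a `KeyValue` failure. `_converters` is a public, mutable, non-final static map, which lets any code replace converters at runtime; make it `private static final`. `key.split(";")` sits outside the `try`, so a null key throws instead of producing a failure entry.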
@@ -0,0 +1,130 @@
+package com.opensoc.parsing.parsers;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.TreeMap;
+
+public class OpenSOCGarbage implements Serializable {
+
+ private static final long serialVersionUID = -7158895945268018603L;
+ private List toRemove;
+ private Map toRename;
+
+ /**
+ * Create a new {@code Garbage} object.
+ */
+ public OpenSOCGarbage() {
+
+ toRemove = new ArrayList();
+ toRename = new TreeMap();
+ /** this is a default value to remove */
+ toRemove.add("UNWANTED");
+ }
+
+ /**
+ * Set a new name to be change when exporting the final output.
+ *
+ * @param origin : original field name
+ * @param value : New field name to apply
+ */
+ public void addToRename(String origin, Object value) {
+ if (origin == null || value == null) {
+ return;
+ }
+
+ if (!origin.isEmpty() && !value.toString().isEmpty()) {
+ toRename.put(origin, value);
+ }
+ }
+
+ /**
+ * Set a field to be remove when exporting the final output.
+ *
+ * @param name of the field to remove
+ */
+ public void addToRemove(String name) {
+ if (name == null) {
+ return;
+ }
+
+ if (!name.isEmpty()) {
+ toRemove.add(name);
+ }
+ }
+
+ /**
+ * Set a list of field name to be remove when exporting the final output.
+ *
+ * @param lst
+ */
+ public void addToRemove(List lst) {
+ if (lst == null) {
+ return;
+ }
+
+ if (!lst.isEmpty()) {
+ toRemove.addAll(lst);
+ }
+ }
+
+ /**
+ * Remove from the map the unwilling items.
+ *
+ * @param map to clean
+ * @return nb of deleted item
+ */
+ public int remove(Map map) {
+ int item = 0;
+
+ if (map == null) {
+ return item;
+ }
+
+ if (map.isEmpty()) {
+ return item;
+ }
+
+ for (Iterator> it = map.entrySet().iterator(); it.hasNext();) {
+ Map.Entry entry = it.next();
+ for (int i = 0; i < toRemove.size(); i++) {
+ if (entry.getKey().equals(toRemove.get(i))) {
+ it.remove();
+ item++;
+ }
+ }
+ }
+ return item;
+ }
+
+ /**
+ * Rename the item from the map.
+ *
+ * @param map
+ * @return nb of renamed items
+ */
+ public int rename(Map map) {
+ int item = 0;
+
+ if (map == null) {
+ return item;
+ }
+
+ if (map.isEmpty() || toRename.isEmpty()) {
+ return item;
+ }
+
+ for (Iterator> it = toRename.entrySet().iterator(); it.hasNext();) {
+ Map.Entry entry = it.next();
+ if (map.containsKey(entry.getKey())) {
+ Object obj = map.remove(entry.getKey());
+ map.put(entry.getValue().toString(), obj);
+ item++;
+ }
+ }
+ return item;
+ }
+
+ }
\ No newline at end of file
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/OpenSOCGrok.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/OpenSOCGrok.java
new file mode 100644
index 0000000000..0cf998e09f
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/OpenSOCGrok.java
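Review bot: `remove` can throw `IllegalStateException`: after `it.remove()` the inner loop keeps comparing the same entry against the rest of `toRemove`, and neither `addToRemove` overload rejects duplicates, so a name listed twice (for example `"UNWANTED"` added again by a caller) triggers a second `it.remove()` on the same element. Leave the inner loop on the first hit, `it.remove(); item++; break;`, or keep `toRemove` in a set and test `toRemove.contains(entry.getKey())`. In the constructor, `/** this is a default value to remove */` is a Javadoc comment attached to a statement and should be a plain `//` comment.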
@@ -0,0 +1,367 @@ +package com.opensoc.parsing.parsers; + +import java.io.BufferedReader; +import java.io.File; +import java.io.FileNotFoundException; +import java.io.FileReader; +import java.io.IOException; +import java.io.Reader; +import java.io.Serializable; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; +import java.util.TreeMap; + +import org.apache.commons.lang3.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.google.code.regexp.Matcher; +import com.google.code.regexp.Pattern; + +public class OpenSOCGrok implements Serializable { + + private static final long serialVersionUID = 2002441320075020721L; + private static final Logger LOG = LoggerFactory.getLogger(OpenSOCGrok.class); + /** + * Named regex of the originalGrokPattern. + */ + private String namedRegex; + /** + * Map of the named regex of the originalGrokPattern + * with id = namedregexid and value = namedregex. + */ + private Map namedRegexCollection; + /** + * Original {@code Grok} pattern (expl: %{IP}). + */ + private String originalGrokPattern; + /** + * Pattern of the namedRegex. + */ + private Pattern compiledNamedRegex; + /** + * {@code Grok} discovery. + */ + private Map grokPatternDefinition; + + /** only use in grok discovery. */ + private String savedPattern; + + /** + * Create Empty {@code Grok}. + */ + public static final OpenSOCGrok EMPTY = new OpenSOCGrok(); + + /** + * Create a new empty{@code Grok} object. + */ + public OpenSOCGrok() { + originalGrokPattern = StringUtils.EMPTY; + namedRegex = StringUtils.EMPTY; + compiledNamedRegex = null; + grokPatternDefinition = new TreeMap(); + namedRegexCollection = new TreeMap(); + savedPattern = StringUtils.EMPTY; + } + + public String getSaved_pattern() { + return savedPattern; + } + + public void setSaved_pattern(String savedpattern) { + this.savedPattern = savedpattern; + } + + /** + * Create a {@code Grok} instance with the given patterns file and + * a {@code Grok} pattern. 
+ * + * @param grokPatternPath Path to the pattern file + * @param grokExpression - OPTIONAL - Grok pattern to compile ex: %{APACHELOG} + * @return {@code Grok} instance + * @throws Exception + */ + public static OpenSOCGrok create(String grokPatternPath, String grokExpression) + throws Exception { + if (StringUtils.isBlank(grokPatternPath)) { + throw new Exception("{grokPatternPath} should not be empty or null"); + } + OpenSOCGrok g = new OpenSOCGrok(); + g.addPatternFromFile(grokPatternPath); + if (StringUtils.isNotBlank(grokExpression)) { + g.compile(grokExpression); + } + return g; + } + + /** + * Create a {@code Grok} instance with the given grok patterns file. + * + * @param grokPatternPath : Path to the pattern file + * @return Grok + * @throws Exception + */ + public static OpenSOCGrok create(String grokPatternPath) throws Exception { + return create(grokPatternPath, null); + } + + /** + * Add custom pattern to grok in the runtime. + * + * @param name : Pattern Name + * @param pattern : Regular expression Or {@code Grok} pattern + * @throws Exception + **/ + public void addPattern(String name, String pattern) throws Exception { + if (StringUtils.isBlank(name)) { + throw new Exception("Invalid Pattern name"); + } + if (StringUtils.isBlank(name)) { + throw new Exception("Invalid Pattern"); + } + grokPatternDefinition.put(name, pattern); + } + + /** + * Copy the given Map of patterns (pattern name, regular expression) to {@code Grok}, + * duplicate element will be override. + * + * @param cpy : Map to copy + * @throws Exception + **/ + public void copyPatterns(Map cpy) throws Exception { + if (cpy == null) { + throw new Exception("Invalid Patterns"); + } + + if (cpy.isEmpty()) { + throw new Exception("Invalid Patterns"); + } + for (Map.Entry entry : cpy.entrySet()) { + grokPatternDefinition.put(entry.getKey().toString(), entry.getValue().toString()); + } + } + + /** + * Get the current map of {@code Grok} pattern. 
+ * + * @return Patterns (name, regular expression) + */ + public Map getPatterns() { + return grokPatternDefinition; + } + + /** + * Get the named regex from the {@code Grok} pattern.

+ * See {@link #compile(String)} for more detail. + * @return named regex + */ + public String getNamedRegex() { + return namedRegex; + } + + /** + * Add patterns to {@code Grok} from the given file. + * + * @param file : Path of the grok pattern + * @throws Exception + */ + public void addPatternFromFile(String file) throws Exception { + + File f = new File(file); + if (!f.exists()) { + throw new Exception("Pattern not found"); + } + + if (!f.canRead()) { + throw new Exception("Pattern cannot be read"); + } + + FileReader r = null; + try { + r = new FileReader(f); + addPatternFromReader(r); + } catch (FileNotFoundException e) { + throw new Exception(e.getMessage()); + } catch (@SuppressWarnings("hiding") IOException e) { + throw new Exception(e.getMessage()); + } finally { + try { + if (r != null) { + r.close(); + } + } catch (IOException io) { + // TODO(anthony) : log the error + } + } + } + + /** + * Add patterns to {@code Grok} from a Reader. + * + * @param r : Reader with {@code Grok} patterns + * @throws Exception + */ + public void addPatternFromReader(Reader r) throws Exception { + BufferedReader br = new BufferedReader(r); + String line; + // We dont want \n and commented line + Pattern pattern = Pattern.compile("^([A-z0-9_]+)\\s+(.*)$"); + try { + while ((line = br.readLine()) != null) { + Matcher m = pattern.matcher(line); + if (m.matches()) { + this.addPattern(m.group(1), m.group(2)); + } + } + br.close(); + } catch (IOException e) { + throw new Exception(e.getMessage()); + } catch (Exception e) { + throw new Exception(e.getMessage()); + } + + } + + /** + * Match the given log with the named regex. 
+ * And return the json representation of the matched element + * + * @param log : log to match + * @return json representation og the log + */ + public String capture(String log){ + OpenSOCMatch match = match(log); + match.captures(); + return match.toJson(); + } + + /** + * Match the given list of log with the named regex + * and return the list of json representation of the matched elements. + * + * @param logs : list of log + * @return list of json representation of the log + */ + public List captures(List logs){ + List matched = new ArrayList(); + for (String log : logs) { + OpenSOCMatch match = match(log); + match.captures(); + matched.add(match.toJson()); + } + return matched; + } + + /** + * Match the given text with the named regex + * {@code Grok} will extract data from the string and get an extence of {@link Match}. + * + * @param text : Single line of log + * @return Grok Match + */ + public OpenSOCMatch match(String text) { + if (compiledNamedRegex == null || StringUtils.isBlank(text)) { + return OpenSOCMatch.EMPTY; + } + + Matcher m = compiledNamedRegex.matcher(text); + OpenSOCMatch match = new OpenSOCMatch(); + if (m.find()) { + match.setSubject(text); + match.setGrok(this); + match.setMatch(m); + match.setStart(m.start(0)); + match.setEnd(m.end(0)); + } + return match; + } + + /** + * Compile the {@code Grok} pattern to named regex pattern. 
+ * + * @param pattern : Grok pattern (ex: %{IP}) + * @throws Exception + */ + public void compile(String pattern) throws Exception { + + if (StringUtils.isBlank(pattern)) { + throw new Exception("{pattern} should not be empty or null"); + } + + namedRegex = pattern; + originalGrokPattern = pattern; + int index = 0; + /** flag for infinite recurtion */ + int iterationLeft = 1000; + Boolean continueIteration = true; + + // Replace %{foo} with the regex (mostly groupname regex) + // and then compile the regex + while (continueIteration) { + continueIteration = false; + if (iterationLeft <= 0) { + throw new Exception("Deep recursion pattern compilation of " + originalGrokPattern); + } + iterationLeft--; + + Matcher m = GrokUtils.GROK_PATTERN.matcher(namedRegex); + // Match %{Foo:bar} -> pattern name and subname + // Match %{Foo=regex} -> add new regex definition + if (m.find()) { + continueIteration = true; + Map group = m.namedGroups(); + if (group.get("definition") != null) { + try { + addPattern(group.get("pattern"), group.get("definition")); + group.put("name", group.get("name") + "=" + group.get("definition")); + } catch (Exception e) { + // Log the exeception + } + } + namedRegexCollection.put("name" + index, + (group.get("subname") != null ? group.get("subname") : group.get("name"))); + namedRegex = + StringUtils.replace(namedRegex, "%{" + group.get("name") + "}", "(?" + + grokPatternDefinition.get(group.get("pattern")) + ")"); + // System.out.println(_expanded_pattern); + index++; + } + } + + if (namedRegex.isEmpty()) { + throw new Exception("Pattern not fount"); + } + // Compile the regex + compiledNamedRegex = Pattern.compile(namedRegex); + } + + /** + * Original grok pattern used to compile to the named regex. + * + * @return String Original Grok pattern + */ + public String getOriginalGrokPattern(){ + return originalGrokPattern; + } + + /** + * Get the named regex from the given id. 
+ * + * @param id : named regex id + * @return String of the named regex + */ + public String getNamedRegexCollectionById(String id) { + return namedRegexCollection.get(id); + } + + /** + * Get the full collection of the named regex. + * + * @return named RegexCollection + */ + public Map getNamedRegexCollection() { + return namedRegexCollection; + } + } \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/OpenSOCMatch.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/OpenSOCMatch.java new file mode 100644 index 0000000000..bd4f0ad6ad --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/OpenSOCMatch.java 
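Review bot: `addPattern` tests `StringUtils.isBlank(name)` twice, so a blank or null `pattern` is never rejected and ends up in `grokPatternDefinition`; the second check should read `if (StringUtils.isBlank(pattern))`. In `compile`, a `%{NAME}` that has no definition is not detected either: `grokPatternDefinition.get(...)` returns null and string concatenation puts the text `null` into the regex, so the parser silently matches the wrong thing rather than failing at start-up. The empty `catch` marked "Log the exeception" and the `new Exception(e.getMessage())` rethrows in `addPatternFromFile` and `addPatternFromReader` discard the cause; log through `LOG` and pass `e` as the cause. `addPatternFromReader` closes `br` only on the success path, and `new FileReader(f)` reads with the platform charset.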
@@ -0,0 +1,280 @@ +package com.opensoc.parsing.parsers; + +import java.io.Serializable; +import java.util.Iterator; +import java.util.Map; +import java.util.Map.Entry; +import java.util.TreeMap; + +import com.google.code.regexp.Matcher; +import com.google.gson.Gson; +import com.google.gson.GsonBuilder; + +public class OpenSOCMatch implements Serializable { + + private static final long serialVersionUID = -1129245286587945311L; + private String subject; // texte + private Map capture; + private OpenSOCGarbage garbage; + private OpenSOCGrok grok; + private Matcher match; + private int start; + private int end; + + /** + * For thread safety + */ + private static ThreadLocal matchHolder = new ThreadLocal() { + @Override + protected OpenSOCMatch initialValue() { + return new OpenSOCMatch(); + } + }; + + /** + *Create a new {@code Match} object. + */ + public OpenSOCMatch() { + subject = "Nothing"; + grok = null; + match = null; + capture = new TreeMap(); + garbage = new OpenSOCGarbage(); + start = 0; + end = 0; + } + + /** + * Create Empty grok matcher + */ + public static final OpenSOCMatch EMPTY = new OpenSOCMatch(); + + public void setGrok(OpenSOCGrok grok){ + if (grok != null) { + this.grok = grok; + } + } + + public Matcher getMatch() { + return match; + } + + public void setMatch(Matcher match) { + this.match = match; + } + + public int getStart() { + return start; + } + + public void setStart(int start) { + this.start = start; + } + + public int getEnd() { + return end; + } + + public void setEnd(int end) { + this.end = end; + } + + /** + * Singleton. + * + * @return instance of Match + */ + public static OpenSOCMatch getInstance() { + return matchHolder.get(); + } + + /** + * Set the single line of log to parse. + * + * @param text : single line of log + */ + public void setSubject(String text) { + if (text == null) { + return; + } + if (text.isEmpty()) { + return; + } + subject = text; + } + + /** + * Retrurn the single line of log. 
+ * + * @return the single line of log + */ + public String getSubject() { + return subject; + } + + /** + * Match to the subject the regex and save the matched element into a map. + * + */ + public void captures() { + if (match == null) { + return; + } + capture.clear(); + + // _capture.put("LINE", this.line); + // _capture.put("LENGTH", this.line.length() +""); + + Map mappedw = this.match.namedGroups(); + Iterator> it = mappedw.entrySet().iterator(); + while (it.hasNext()) { + + @SuppressWarnings("rawtypes") + Map.Entry pairs = (Map.Entry) it.next(); + String key = null; + Object value = null; + if (this.grok.getNamedRegexCollectionById(pairs.getKey().toString()) == null) { + key = pairs.getKey().toString(); + } else if (!this.grok.getNamedRegexCollectionById(pairs.getKey().toString()).isEmpty()) { + key = this.grok.getNamedRegexCollectionById(pairs.getKey().toString()); + } + if (pairs.getValue() != null) { + value = pairs.getValue().toString(); + + KeyValue keyValue = OpenSOCConverter.convert(key, value); + + //get validated key + key = keyValue.getKey(); + + //resolve value + if (keyValue.getValue() instanceof String) { + value = cleanString((String)keyValue.getValue()); + } else { + value = keyValue.getValue(); + } + + //set if grok failure + if (keyValue.hasGrokFailure()) { + capture.put(key + "_grokfailure", keyValue.getGrokFailure()); + } + } + + capture.put(key, value); + it.remove(); // avoids a ConcurrentModificationException + } + } + + + /** + * remove from the string the quote and double quote. 
+ * + * @param string to pure: "my/text" + * @return unquoted string: my/text + */ + private String cleanString(String value) { + if (value == null) { + return value; + } + if (value.isEmpty()) { + return value; + } + char[] tmp = value.toCharArray(); + if ((tmp[0] == '"' && tmp[value.length() - 1] == '"') + || (tmp[0] == '\'' && tmp[value.length() - 1] == '\'')) { + value = value.substring(1, value.length() - 1); + } + return value; + } + + + /** + * Get the json representation of the matched element. + *

+ * example: + * map [ {IP: 127.0.0.1}, {status:200}] + * will return + * {"IP":"127.0.0.1", "status":200} + *

+ * If pretty is set to true, json will return prettyprint json string. + * + * @return Json of the matched element in the text + */ + public String toJson(Boolean pretty) { + if (capture == null) { + return "{}"; + } + if (capture.isEmpty()) { + return "{}"; + } + + this.cleanMap(); + Gson gs; + if (pretty) { + gs = new GsonBuilder().setPrettyPrinting().create(); + } else { + gs = new Gson(); + } + return gs.toJson(/* cleanMap( */capture/* ) */); + } + + /** + * Get the json representation of the matched element. + *

+ * example: + * map [ {IP: 127.0.0.1}, {status:200}] + * will return + * {"IP":"127.0.0.1", "status":200} + *

+ *
+ * @return Json of the matched element in the text
+ */
+ public String toJson() {
+ return toJson(false);
+ }
+
+ /**
+ * Get the map representation of the matched element in the text.
+ *
+ * @return map object from the matched element in the text
+ */
+ public Map toMap() {
+ this.cleanMap();
+ return capture;
+ }
+
+ /**
+ * Remove and rename the unwanted elelents in the matched map.
+ */
+ private void cleanMap() {
+ garbage.rename(capture);
+ garbage.remove(capture);
+ }
+
+ /**
+ * Util fct.
+ *
+ * @return boolean
+ */
+ public Boolean isNull() {
+ if (this.match == null) {
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * Util fct.
+ *
+ * @param s
+ * @return boolean
+ */
+ private boolean isInteger(String s) {
+ try {
+ Integer.parseInt(s);
+ } catch (NumberFormatException e) {
+ return false;
+ }
+ return true;
+ }
+
+ }
\ No newline at end of file
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/ParserUtils.java b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/ParserUtils.java
new file mode 100644
index 0000000000..b986cae8a7
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/java/com/opensoc/parsing/parsers/ParserUtils.java
@@ -0,0 +1,23 @@
+package com.opensoc.parsing.parsers;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+import org.apache.commons.io.IOUtils;
+
+public class ParserUtils {
+
+ public static final String PREFIX = "stream2file";
+ public static final String SUFFIX = ".tmp";
+
+ public static File stream2file(InputStream in) throws IOException {
+ final File tempFile = File.createTempFile(PREFIX, SUFFIX);
+ tempFile.deleteOnExit();
+ try (FileOutputStream out = new FileOutputStream(tempFile)) {
+ IOUtils.copy(in, out);
+ }
+ return tempFile;
+ }
+}
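Review bot: `File.createTempFile(PREFIX, SUFFIX)` in `stream2file` puts the copied stream in the shared temp directory with permissions that follow the process umask, so on a multi-user host other local accounts may be able to read whatever was streamed there; `java.nio.file.Files.createTempFile` creates the file owner-only on POSIX file systems. I would change the line to `final File tempFile = Files.createTempFile(PREFIX, SUFFIX).toFile();` and add `import java.nio.file.Files;`. Separately, `deleteOnExit()` only removes the file when the JVM stops, so if this is called repeatedly in a long-running worker (not visible from this hunk) the files accumulate. A Javadoc line stating that the caller owns and should delete the returned file, and that `in` is not closed here, would make the contract explicit.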
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/resources/patterns/asa b/opensoc-streaming/OpenSOC-MessageParsers/src/main/resources/patterns/asa new file mode 100644 index 0000000000..8c2da93e6b --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/resources/patterns/asa 
@@ -0,0 +1,176 @@ +# Forked from https://github.com/elasticsearch/logstash/tree/v1.4.0/patterns + +USERNAME [a-zA-Z0-9._-]+ +USER %{USERNAME:UNWANTED} +INT (?:[+-]?(?:[0-9]+)) +BASE10NUM (?[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))) +NUMBER (?:%{BASE10NUM:UNWANTED}) +BASE16NUM (?(?"(?>\\.|[^\\"]+)+"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|``)) +UUID [A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12} + +# Networking +MAC (?:%{CISCOMAC:UNWANTED}|%{WINDOWSMAC:UNWANTED}|%{COMMONMAC:UNWANTED}) +CISCOMAC (?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4}) +WINDOWSMAC (?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2}) +COMMONMAC (?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2}) +IPV6 ((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)? +IPV4 (?/(?>[\w_%!$@:.,~-]+|\\.)*)+ +#UNIXPATH (?[A-Za-z]+:|\\)(?:\\[^\\?*]*)+ +URIPROTO [A-Za-z]+(\+[A-Za-z+]+)? +URIHOST %{IPORHOST}(?::%{POSINT:port})? 
+# uripath comes loosely from RFC1738, but mostly from what Firefox +# doesn't turn into %XX +URIPATH (?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+ +#URIPARAM \?(?:[A-Za-z0-9]+(?:=(?:[^&]*))?(?:&(?:[A-Za-z0-9]+(?:=(?:[^&]*))?)?)*)? +URIPARAM \?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]]* +URIPATHPARAM %{URIPATH}(?:%{URIPARAM})? +URI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})? + +# Months: January, Feb, 3, 03, 12, December +MONTH \b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b +MONTHNUM (?:0?[1-9]|1[0-2]) +MONTHNUM2 (?:0[1-9]|1[0-2]) +MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) + +# Days: Monday, Tue, Thu, etc... +DAY (?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?) + +# Years? +YEAR (?>\d\d){1,2} +# Time: HH:MM:SS +#TIME \d{2}:\d{2}(?::\d{2}(?:\.\d+)?)? +# I'm still on the fence about using grok to perform the time match, +# since it's probably slower. +# TIME %{POSINT<24}:%{POSINT<60}(?::%{POSINT<60}(?:\.%{POSINT})?)? +HOUR (?:2[0123]|[01]?[0-9]) +MINUTE (?:[0-5][0-9]) +# '60' is a leap second in most time standards and thus is valid. +SECOND (?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?) +TIME (?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9]) +# datestamp is YYYY/MM/DD-HH:MM:SS.UUUU (or something like it) +DATE_US %{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR} +DATE_EU %{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR} +ISO8601_TIMEZONE (?:Z|[+-]%{HOUR}(?::?%{MINUTE})) +ISO8601_SECOND (?:%{SECOND}|60) +TIMESTAMP_ISO8601 %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}? 
+DATE %{DATE_US}|%{DATE_EU} +DATESTAMP %{DATE}[- ]%{TIME} +TZ (?:[PMCE][SD]T|UTC) +DATESTAMP_RFC822 %{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ} +DATESTAMP_RFC2822 %{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE} +DATESTAMP_OTHER %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR} +DATESTAMP_EVENTLOG %{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND} +GREEDYDATA .* + +# Syslog Dates: Month Day HH:MM:SS +SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME} +PROG (?:[\w._/%-]+) +SYSLOGPROG %{PROG:program}(?:\[%{POSINT:pid}\])? +SYSLOGHOST %{IPORHOST} +SYSLOGFACILITY <%{NONNEGINT:facility}.%{NONNEGINT:priority}> +HTTPDATE %{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT} + +# Shortcuts +QS %{QUOTEDSTRING:UNWANTED} + +# Log formats +SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}: + +MESSAGESLOG %{SYSLOGBASE} %{DATA} + +COMMONAPACHELOG %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) +COMBINEDAPACHELOG %{COMMONAPACHELOG} %{QS:referrer} %{QS:agent} + +# Log Levels +LOGLEVEL ([A|a]lert|ALERT|[T|t]race|TRACE|[D|d]ebug|DEBUG|[N|n]otice|NOTICE|[I|i]nfo|INFO|[W|w]arn?(?:ing)?|WARN?(?:ING)?|[E|e]rr?(?:or)?|ERR?(?:OR)?|[C|c]rit?(?:ical)?|CRIT?(?:ICAL)?|[F|f]atal|FATAL|[S|s]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?) + +#== Cisco ASA == +CISCO_TAGGED_SYSLOG ^<%{POSINT:syslog_pri}>%{CISCOTIMESTAMP:timestamp}( %{SYSLOGHOST:sysloghost})? ?:? %%{CISCOTAG:ciscotag}: +CISCOTIMESTAMP %{MONTH} +%{MONTHDAY}(?: %{YEAR})? 
%{TIME} +CISCOTAG [A-Z0-9]+-%{INT}-(?:[A-Z0-9_]+) + +# Common Particles +CISCO_ACTION Built|Teardown|Deny|Denied|denied|requested|permitted|denied by ACL|discarded|est-allowed|Dropping|created|deleted +CISCO_REASON Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:%{WORD}\s*)* +CISCO_DIRECTION Inbound|inbound|Outbound|outbound +CISCO_INTERVAL first hit|%{INT}-second interval +CISCO_XLATE_TYPE static|dynamic +# ASA-2-106001 +CISCOFW106001 : %{CISCO_DIRECTION:direction} %{WORD:protocol} connection %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface} +# ASA-2-106006, ASA-2-106007, ASA-2-106010 +CISCOFW106006_106007_106010 : %{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\(%{DATA:src_fwuser}\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\(%{DATA:dst_fwuser}\))? (?:on interface %{DATA:interface}|due to %{CISCO_REASON:reason}) +# ASA-3-106014 +CISCOFW106014 : %{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\(%{DATA:src_fwuser}\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\(%{DATA:dst_fwuser}\))? \(type %{INT:icmp_type}, code %{INT:icmp_code}\) +# ASA-6-106015 +CISCOFW106015 : %{CISCO_ACTION:action} %{WORD:protocol} \(%{DATA:policy_id}\) from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags} on interface %{GREEDYDATA:interface} +# ASA-1-106021 +CISCOFW106021 : %{CISCO_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface} +# ASA-4-106023 +CISCOFW106023 : %{CISCO_ACTION:action} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))? 
dst %{DATA:dst_interface}:%{IP:dst_ip}(/%{INT:dst_port})?(\(%{DATA:dst_fwuser}\))?( \(type %{INT:icmp_type}, code %{INT:icmp_code}\))? by access-group %{DATA:policy_id} \[%{DATA:hashcode1}, %{DATA:hashcode2}\] +# ASA-5-106100 +CISCOFW106100 : access-list %{WORD:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\)(\(%{DATA:src_fwuser}\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\)(\(%{DATA:src_fwuser}\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\] +# ASA-6-110002 +CISCOFW110002 : %{CISCO_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} +# ASA-6-302010 +CISCOFW302010 : %{INT:connection_count} in use, %{INT:connection_count_max} most used +# ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016 +CISCOFW302013_302014_302015_302016 : %{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( \(%{IP:src_mapped_ip}/%{INT:src_mapped_port}\))?(\(%{DATA:src_fwuser}\))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( \(%{IP:dst_mapped_ip}/%{INT:dst_mapped_port}\))?(\(%{DATA:dst_fwuser}\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \(%{DATA:user}\))? +# ASA-6-302020, ASA-6-302021 +CISCOFW302020_302021 : %{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection for faddr %{IP:dst_ip}/%{INT:icmp_seq_num}(?:\(%{DATA:fwuser}\))? gaddr %{IP:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:src_ip}/%{INT:icmp_code}( \(%{DATA:user}\))? +# ASA-6-305011 +CISCOFW305011 : %{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))? 
to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port} +# ASA-3-313001, ASA-3-313004, ASA-3-313008 +CISCOFW313001_313004_313008 : %{CISCO_ACTION:action} %{WORD:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code} from %{IP:src_ip} on interface %{DATA:interface}( to %{IP:dst_ip})? +# ASA-4-313005 +CISCOFW313005 : %{CISCO_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IP:err_src_ip}(\(%{DATA:err_src_fwuser}\))? dst %{DATA:err_dst_interface}:%{IP:err_dst_ip}(\(%{DATA:err_dst_fwuser}\))? \(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\) on %{DATA:interface} interface\. Original IP payload: %{WORD:protocol} src %{IP:orig_src_ip}/%{INT:orig_src_port}(\(%{DATA:orig_src_fwuser}\))? dst %{IP:orig_dst_ip}/%{INT:orig_dst_port}(\(%{DATA:orig_dst_fwuser}\))? +# ASA-4-402117 +CISCOFW402117 : %{WORD:protocol}: Received a non-IPSec packet \(protocol= %{WORD:orig_protocol}\) from %{IP:src_ip} to %{IP:dst_ip} +# ASA-4-402119 +CISCOFW402119 : %{WORD:protocol}: Received an %{WORD:orig_protocol} packet \(SPI= %{DATA:spi}, sequence number= %{DATA:seq_num}\) from %{IP:src_ip} \(user= %{DATA:user}\) to %{IP:dst_ip} that failed anti-replay checking +# ASA-4-419001 +CISCOFW419001 : %{CISCO_ACTION:action} %{WORD:protocol} packet from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, reason: %{GREEDYDATA:reason} +# ASA-4-419002 +CISCOFW419002 : %{CISCO_REASON:reason} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} with different initial sequence number +# ASA-4-500004 +CISCOFW500004 : %{CISCO_REASON:reason} for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} +# ASA-6-602303, ASA-6-602304 +CISCOFW602303_602304 : %{WORD:protocol}: An %{CISCO_DIRECTION:direction} %{GREEDYDATA:tunnel_type} SA \(SPI= %{DATA:spi}\) between %{IP:src_ip} and %{IP:dst_ip} 
\(user= %{DATA:user}\) has been %{CISCO_ACTION:action} +# ASA-7-710001, ASA-7-710002, ASA-7-710003, ASA-7-710005, ASA-7-710006 +CISCOFW710001_710002_710003_710005_710006 : %{WORD:protocol} (?:request|access) %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} +# ASA-6-713172 +CISCOFW713172 : Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT Detection Status:\s+Remote end\s*%{DATA:is_remote_natted}\s*behind a NAT device\s+This\s+end\s*%{DATA:is_local_natted}\s*behind a NAT device +# ASA-4-733100 +CISCOFW733100 : \[\s*%{DATA:drop_type}\s*\] drop %{DATA:drop_rate_id} exceeded. Current burst rate is %{INT:drop_rate_current_burst} per second, max configured rate is %{INT:drop_rate_max_burst}; Current average rate is %{INT:drop_rate_current_avg} per second, max configured rate is %{INT:drop_rate_max_avg}; Cumulative total count is %{INT:drop_total_count} + + +# ASA-6-305012 +CISCOFW305012 : %{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))? to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port} duration %{TIME:duration} +# ASA-7-609001 +CISCOFW609001 : %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))? +# ASA-7-609002 +CISCOFW609002 : %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))? duration %{TIME:duration} + + +#== End Cisco ASA == \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/resources/patterns/fireeye b/opensoc-streaming/OpenSOC-MessageParsers/src/main/resources/patterns/fireeye new file mode 100644 index 0000000000..5dc99bfa4f --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/main/resources/patterns/fireeye 
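Review bot: In `CISCOFW106100` the optional user after the destination address is captured as `%{DATA:src_fwuser}` a second time, so the destination-side user ends up under the source field name (or replaces the real source user, depending on how the matcher treats duplicate names); the sibling patterns `CISCOFW106006_106007_106010`, `CISCOFW106014` and `CISCOFW106023` use `dst_fwuser` in that position, and I would change the second capture to `(\(%{DATA:dst_fwuser}\))?`. `CISCOFW313005` has the same kind of collision with `%{WORD:protocol}` appearing twice, where the inner payload protocol could be named `orig_protocol` as `CISCOFW402117` does. Wrong attribution in these fields flows straight into alerting and enrichment, so it is worth fixing in the fork rather than inheriting it. `TIME` also opens with `(?!<[0-9])`, which reads like a mistyped negative lookbehind `(?<![0-9])`.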
@@ -0,0 +1,9 @@
+GREEDYDATA .*
+POSINT \b(?:[1-9][0-9]*)\b
+UID [0-9.]+
+DATA .*?
+
+FIREEYE_BASE ^<%{POSINT:syslog_pri}>fenotify-%{UID:uid}.alert: %{GREEDYDATA:syslog}
+FIREEYE_MAIN <%{POSINT:syslog_pri}>fenotify-%{DATA:uid}.alert: %{DATA:meta}\|%{DATA:meta}\|%{DATA:meta}\|%{DATA:meta}\|%{DATA:meta}\|%{DATA:meta}\|%{DATA:meta}\|%{GREEDYDATA:fedata}
+#\|(.?)\|(.?)\|(.?)\|(.?)\|%{DATA:type}\|(.?)\|%{GREEDYDATA:fedata}
+FIREEYE_SUB ^<%{POSINT:syslog_pri}>fenotify-%{UID:uid}.alert: .?*\|.?*\|.?*\|.?*\|.?*\|%{DATA:type}\|.?*\|%{GREEDYDATA:fedata}
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/main/resources/patters/sourcefire b/opensoc-streaming/OpenSOC-MessageParsers/src/main/resources/patterns/sourcefire
similarity index 100%
rename from opensoc-streaming/OpenSOC-MessageParsers/src/main/resources/patters/sourcefire
rename to opensoc-streaming/OpenSOC-MessageParsers/src/main/resources/patterns/sourcefire
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicBroParserTest.java b/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicBroParserTest.java
new file mode 100644
index 0000000000..e581299153
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicBroParserTest.java
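Review bot: `FIREEYE_SUB` uses `.?*` for the skipped pipe-delimited fields, which looks like a transposition of the lazy `.*?` that `DATA` is defined as a few lines above; if these patterns are compiled with java.util.regex, a `*` directly after `?` is likely to be rejected as a dangling metacharacter, and engines that accept it match something other than what was intended. I would write each skipped field as `.*?\|`. `FIREEYE_MAIN` names seven captures `meta`, so at most one of them can survive in a map keyed by capture name; distinct names or unnamed `.*?` would make the intent clear. The dot in `.alert:` is unescaped in all three patterns and should be `\.alert:`.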
@@ -0,0 +1,103 @@ +package com.opensoc.parsing.test; + +import java.util.Map; + +import junit.framework.TestCase; + +import org.json.simple.JSONArray; +import org.json.simple.JSONObject; +import org.json.simple.parser.JSONParser; +import org.json.simple.parser.ParseException; + +import com.opensoc.parsing.parsers.BasicBroParser; + +public class BasicBroParserTest extends TestCase { + + /** + * The parser. + */ + private BasicBroParser broParser = null; + private JSONParser jsonParser = null; + + /** + * Constructs a new BasicBroParserTest instance. + * + * @throws Exception + */ + public BasicBroParserTest() throws Exception { + broParser = new BasicBroParser(); + jsonParser = new JSONParser(); + } + + @SuppressWarnings("rawtypes") + public void testHttpBroMessage() throws ParseException { + String rawMessage = "{\"http\":{\"ts\":1402307733473,\"uid\":\"CTo78A11g7CYbbOHvj\",\"id.orig_h\":\"192.249.113.37\",\"id.orig_p\":58808,\"id.resp_h\":\"72.163.4.161\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"www.cisco.com\",\"uri\":\"/\",\"user_agent\":\"curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3\",\"request_body_len\":0,\"response_body_len\":25523,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"FJDyMC15lxUn5ngPfd\"],\"resp_mime_types\":[\"text/html\"]}}"; + + Map rawMessageMap = (Map) jsonParser.parse(rawMessage); + JSONObject rawJson = (JSONObject) rawMessageMap.get(rawMessageMap.keySet().iterator().next()); + + JSONObject broJson = broParser.parse(rawMessage.getBytes()); + assertEquals(broJson.get("timestamp").toString(), rawJson.get("ts").toString()); + assertEquals(broJson.get("ip_src_addr").toString(), rawJson.get("id.orig_h").toString()); + assertEquals(broJson.get("ip_dst_addr").toString(), rawJson.get("id.resp_h").toString()); + assertEquals(broJson.get("ip_src_port").toString(), rawJson.get("id.orig_p").toString()); + 
assertEquals(broJson.get("ip_dst_port").toString(), rawJson.get("id.resp_p").toString()); + assertTrue(broJson.get("original_string").toString().startsWith(rawMessageMap.keySet().iterator().next().toString().toUpperCase())); + + assertEquals(broJson.get("uid").toString(), rawJson.get("uid").toString()); + assertEquals(broJson.get("method").toString(), rawJson.get("method").toString()); + assertEquals(broJson.get("host").toString(), rawJson.get("host").toString()); + assertEquals(broJson.get("resp_mime_types").toString(), rawJson.get("resp_mime_types").toString()); + } + + @SuppressWarnings("rawtypes") + public void testDnsBroMessage() throws ParseException { + String rawMessage = "{\"dns\":{\"ts\":1402308259609,\"uid\":\"CuJT272SKaJSuqO0Ia\",\"id.orig_h\":\"10.122.196.204\",\"id.orig_p\":33976,\"id.resp_h\":\"144.254.71.184\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":62418,\"query\":\"www.cisco.com\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":28,\"qtype_name\":\"AAAA\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":true,\"TC\":false,\"RD\":true,\"RA\":true,\"Z\":0,\"answers\":[\"www.cisco.com.akadns.net\",\"origin-www.cisco.com\",\"2001:420:1201:2::a\"],\"TTLs\":[3600.0,289.0,14.0],\"rejected\":false}}"; + + Map rawMessageMap = (Map) jsonParser.parse(rawMessage); + JSONObject rawJson = (JSONObject) rawMessageMap.get(rawMessageMap.keySet().iterator().next()); + + JSONObject broJson = broParser.parse(rawMessage.getBytes()); + assertEquals(broJson.get("timestamp").toString(), rawJson.get("ts").toString()); + assertEquals(broJson.get("ip_src_addr").toString(), rawJson.get("id.orig_h").toString()); + assertEquals(broJson.get("ip_dst_addr").toString(), rawJson.get("id.resp_h").toString()); + assertEquals(broJson.get("ip_src_port").toString(), rawJson.get("id.orig_p").toString()); + assertEquals(broJson.get("ip_dst_port").toString(), rawJson.get("id.resp_p").toString()); + 
assertTrue(broJson.get("original_string").toString().startsWith(rawMessageMap.keySet().iterator().next().toString().toUpperCase())); + + assertEquals(broJson.get("qtype").toString(), rawJson.get("qtype").toString()); + assertEquals(broJson.get("trans_id").toString(), rawJson.get("trans_id").toString()); + } + + @SuppressWarnings("rawtypes") + public void testFilesBroMessage() throws ParseException { + String rawMessage = "{\"files\":{\"analyzers\": [\"X509\",\"MD5\",\"SHA1\"],\"conn_uids\":[\"C4tygJ3qxJBEJEBCeh\"],\"depth\": 0,\"duration\": 0.0,\"fuid\":\"FZEBC33VySG0nHSoO9\",\"is_orig\": false,\"local_orig\": false,\"md5\": \"eba37166385e3ef42464ed9752e99f1b\",\"missing_bytes\": 0,\"overflow_bytes\": 0,\"rx_hosts\": [\"10.220.15.205\"],\"seen_bytes\": 1136,\"sha1\": \"73e42686657aece354fbf685712361658f2f4357\",\"source\": \"SSL\",\"timedout\": false,\"ts\": \"1425845251334\",\"tx_hosts\": [\"68.171.237.7\"]}}"; + + Map rawMessageMap = (Map) jsonParser.parse(rawMessage); + JSONObject rawJson = (JSONObject) rawMessageMap.get(rawMessageMap.keySet().iterator().next()); + + JSONObject broJson = broParser.parse(rawMessage.getBytes()); + assertEquals(broJson.get("timestamp").toString(), rawJson.get("ts").toString()); + assertEquals(broJson.get("ip_src_addr").toString(), ((JSONArray)rawJson.get("tx_hosts")).get(0).toString()); + assertEquals(broJson.get("ip_dst_addr").toString(), ((JSONArray)rawJson.get("rx_hosts")).get(0).toString()); + assertTrue(broJson.get("original_string").toString().startsWith(rawMessageMap.keySet().iterator().next().toString().toUpperCase())); + + assertEquals(broJson.get("fuid").toString(), rawJson.get("fuid").toString()); + assertEquals(broJson.get("md5").toString(), rawJson.get("md5").toString()); + assertEquals(broJson.get("analyzers").toString(), rawJson.get("analyzers").toString()); + } + + @SuppressWarnings("rawtypes") + public void testProtocolKeyCleanedUp() throws ParseException { + String rawMessage = 
"{\"ht*tp\":{\"ts\":1402307733473,\"uid\":\"CTo78A11g7CYbbOHvj\",\"id.orig_h\":\"192.249.113.37\",\"id.orig_p\":58808,\"id.resp_h\":\"72.163.4.161\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"www.cisco.com\",\"uri\":\"/\",\"user_agent\":\"curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3\",\"request_body_len\":0,\"response_body_len\":25523,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"FJDyMC15lxUn5ngPfd\"],\"resp_mime_types\":[\"text/html\"]}}"; + + Map rawMessageMap = (Map) jsonParser.parse(rawMessage); + JSONObject rawJson = (JSONObject) rawMessageMap.get(rawMessageMap.keySet().iterator().next()); + + JSONObject broJson = broParser.parse(rawMessage.getBytes()); + + assertEquals(broJson.get("timestamp").toString(), rawJson.get("ts").toString()); + assertEquals(broJson.get("ip_src_addr").toString(), rawJson.get("id.orig_h").toString()); + assertTrue(broJson.get("original_string").toString().startsWith("HTTP")); + } +} diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicFireEyeParserTest.java b/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicFireEyeParserTest.java new file mode 100644 index 0000000000..463890b215 --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicFireEyeParserTest.java @@ -0,0 +1,141 @@ +/** + * + */ +package com.opensoc.parsing.test; + + + +import java.util.Iterator; +import java.util.Map; + +import org.json.simple.JSONObject; +import org.json.simple.parser.JSONParser; +import org.json.simple.parser.ParseException; + +import com.opensoc.parsing.parsers.BasicFireEyeParser; +import com.opensoc.test.AbstractConfigTest; + +/** + *
    + *
  • Title: Test For SourceFireParser
  • + *
  • Description:
  • + *
  • Created: July 8, 2014
  • + *
+ * @version $Revision: 1.0 $ + */ +public class BasicFireEyeParserTest extends AbstractConfigTest +{ + /** + * The inputStrings. + */ + private static String[] inputStrings; + + /** + * The parser. + */ + private BasicFireEyeParser parser=null; + + + /** + * Constructs a new BasicFireEyeParserTest instance. + * @throws Exception + */ + public BasicFireEyeParserTest() throws Exception { + super(); + } + + + /** + * @throws java.lang.Exception + */ + public static void setUpBeforeClass() throws Exception { + } + + /** + * @throws java.lang.Exception + */ + public static void tearDownAfterClass() throws Exception { + } + + /** + * @throws java.lang.Exception + */ + public void setUp() throws Exception { + super.setUp("com.opensoc.parsing.test.BasicFireEyeParserTest"); + setInputStrings(super.readTestDataFromFile(this.getConfig().getString("logFile"))); + parser = new BasicFireEyeParser(); + } + + /** + * + * + * @throws java.lang.Exception + */ + public void tearDown() throws Exception { + parser = null; + setInputStrings(null); + } + + /** + * Test method for {@link com.opensoc.parsing.parsers.BasicFireEyeParser#parse(java.lang.String)}. 
+ */ + @SuppressWarnings({ "rawtypes"}) + public void testParse() { + for (String inputString : getInputStrings()) { + JSONObject parsed = parser.parse(inputString.getBytes()); + assertNotNull(parsed); + + JSONParser parser = new JSONParser(); + + Map json=null; + try { + json = (Map) parser.parse(parsed.toJSONString()); + } catch (ParseException e) { + e.printStackTrace(); + } + Iterator iter = json.entrySet().iterator(); + + assertNotNull(json); + assertFalse(json.isEmpty()); + + + while (iter.hasNext()) { + Map.Entry entry = (Map.Entry) iter.next(); + String key = (String) entry.getKey(); + String value = (String) json.get(key).toString(); + assertNotNull(value); + } + } + } + + /** + * Returns Input String + */ + public static String[] getInputStrings() { + return inputStrings; + } + + /** + * Sets SourceFire Input String + */ + public static void setInputStrings(String[] strings) { + BasicFireEyeParserTest.inputStrings = strings; + } + + /** + * Returns the parser. + * @return the parser. + */ + public BasicFireEyeParser getParser() { + return parser; + } + + /** + * Sets the parser. + * @param parser the parser. + */ + public void setParser(BasicFireEyeParser parser) { + + this.parser = parser; + } +} \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicIseParserTest.java b/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicIseParserTest.java index 5d58cc5862..1a872c21e7 100644 --- a/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicIseParserTest.java +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicIseParserTest.java 
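Review bot: `testParse` catches `ParseException`, prints the stack trace and carries on, and `json.entrySet()` is called before `assertNotNull(json)`, so a parser regression surfaces as a NullPointerException instead of a failed assertion. I would declare `public void testParse() throws ParseException`, drop the try/catch, and move `assertNotNull(json);` directly after the `parse` call. The local `JSONParser parser` also shadows the `BasicFireEyeParser parser` field inside the loop; a name such as `jsonParser` avoids the confusion. The rewritten `testParse` in BasicIseParserTest (hunk `@@ -110,44 +108,21 @@`) swallows `ParseException` the same way, and there a JSON failure skips the schema assertion, so the test still passes.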
@@ -16,22 +16,17 @@ */ package com.opensoc.parsing.test; -import java.io.BufferedReader; -import java.io.FileReader; import java.io.IOException; import java.net.URL; - -import junit.framework.TestCase; +import java.util.Map; import org.json.simple.JSONObject; +import org.json.simple.parser.JSONParser; import org.json.simple.parser.ParseException; -import com.fasterxml.jackson.databind.JsonNode; -import com.github.fge.jackson.JsonLoader; -import com.github.fge.jsonschema.core.report.ProcessingReport; -import com.github.fge.jsonschema.main.JsonSchemaFactory; -import com.github.fge.jsonschema.main.JsonValidator; import com.opensoc.parsing.parsers.BasicIseParser; +import com.opensoc.test.AbstractSchemaTest; + /** *
    @@ -42,11 +37,18 @@ * * @version $Revision: 1.1 $ */ -public class BasicIseParserTest extends TestCase { - private static String rawMessage = ""; - private static BasicIseParser iseParser = null; - private static String schema_string; +public class BasicIseParserTest extends AbstractSchemaTest { + /** + * The inputStrings. + */ + private static String[] inputStrings; + + /** + * The parser. + */ + private static BasicIseParser parser = null; + /** * Constructs a new BasicIseParserTest instance. @@ -63,8 +65,6 @@ public BasicIseParserTest(String name) { * @throws java.lang.Exception */ protected static void setUpBeforeClass() throws Exception { - setRawMessage("Aug 6 17:26:31 10.34.84.145 Aug 7 00:45:43 stage-pdp01 CISE_Profiler 0000024855 1 0 2014-08-07 00:45:43.741 -07:00 0000288542 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=113, EndpointCertainityMetric=10, EndpointIPAddress=10.56.111.14, EndpointMacAddress=3C:97:0E:C3:F8:F1, EndpointMatchedPolicy=Nortel-Device, EndpointNADAddress=10.56.72.127, EndpointOUI=Wistron InfoComm(Kunshan)Co.\\,Ltd., EndpointPolicy=Nortel-Device, EndpointProperty=StaticAssignment=false\\,PostureApplicable=Yes\\,PolicyVersion=402\\,IdentityGroupID=0c1d9270-68a6-11e1-bc72-0050568e013c\\,Total Certainty Factor=10\\,BYODRegistration=Unknown\\,FeedService=false\\,EndPointPolicyID=49054ed0-68a6-11e1-bc72-0050568e013c\\,FirstCollection=1407397543718\\,MatchedPolicyID=49054ed0-68a6-11e1-bc72-0050568e013c\\,TimeToProfile=19\\,StaticGroupAssignment=false\\,NmapSubnetScanID=0\\,DeviceRegistrationStatus=NotRegistered\\,PortalUser=, EndpointSourceEvent=SNMPQuery Probe, EndpointIdentityGroup=Profiled, ProfilerServer=stage-pdp01.cisco.com,"); - } /** @@ -72,7 +72,6 @@ protected static void setUpBeforeClass() throws Exception { * @throws java.lang.Exception */ protected static void tearDownAfterClass() throws Exception { - setRawMessage(""); } /* 
@@ -82,14 +81,13 @@ protected static void tearDownAfterClass() throws Exception { */ protected void setUp() throws Exception { - super.setUp(); - assertNotNull(getRawMessage()); - BasicIseParserTest.setIseParser(new BasicIseParser()); + super.setUp("com.opensoc.parsing.test.BasicLancopeParserTest"); + setInputStrings(super.readTestDataFromFile(this.getConfig().getString("logFile"))); + BasicIseParserTest.setIseParser(new BasicIseParser()); URL schema_url = getClass().getClassLoader().getResource( "TestSchemas/IseSchema.json"); - - schema_string = readSchemaFromFile(schema_url); + super.setSchemaJsonString(super.readSchemaFromFile(schema_url)); } /* 
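Review bot: `setUp` in BasicIseParserTest now calls `super.setUp("com.opensoc.parsing.test.BasicLancopeParserTest")`, which looks copy-pasted from the Lancope test; the `logFile` read on the next line would then come from the Lancope test's configuration rather than an ISE sample. If that is not deliberate, the line should be `super.setUp("com.opensoc.parsing.test.BasicIseParserTest");` with a matching config resource. How `super.setUp(String)` resolves the name is not visible in this hunk, so the effect should be confirmed against AbstractSchemaTest.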
@@ -110,44 +108,21 @@ protected void tearDown() throws Exception { * @throws Exception */ public void testParse() throws ParseException, IOException, Exception { - // JSONObject parsed = iseParser.parse(getRawMessage().getBytes()); - // assertNotNull(parsed); - - URL log_url = getClass().getClassLoader().getResource("IseSample.log"); - - BufferedReader br = new BufferedReader(new FileReader(log_url.getFile())); - String line = ""; - while ((line = br.readLine()) != null) { - System.out.println(line); - JSONObject parsed = iseParser.parse(line.getBytes()); - System.out.println(parsed); - assertEquals(true, validateJsonData(schema_string, parsed.toString())); - - } - br.close(); - - } - - /** - * Returns the rawMessage. - * - * @return the rawMessage. - */ - - public static String getRawMessage() { - return rawMessage; - } - - /** - * Sets the rawMessage. - * - * @param rawMessage - * the rawMessage. - */ - - public static void setRawMessage(String rawMessage) { - - BasicIseParserTest.rawMessage = rawMessage; + for (String inputString : getInputStrings()) { + JSONObject parsed = parser.parse(inputString.getBytes()); + assertNotNull(parsed); + + System.out.println(parsed); + JSONParser parser = new JSONParser(); + + Map json=null; + try { + json = (Map) parser.parse(parsed.toJSONString()); + assertEquals(true, validateJsonData(super.getSchemaJsonString(), json.toString())); + } catch (ParseException e) { + e.printStackTrace(); + } + } } /** 
@@ -157,54 +132,38 @@ public static void setRawMessage(String rawMessage) { */ public BasicIseParser getIseParser() { - return iseParser; + return parser; } /** * Sets the iseParser. * * @param iseParser - * the iseParser. */ - public static void setIseParser(BasicIseParser iseParser) { - - BasicIseParserTest.iseParser = iseParser; - } - - private boolean validateJsonData(final String jsonSchema, final String jsonData) - throws Exception { - - final JsonNode d = JsonLoader.fromString(jsonData); - final JsonNode s = JsonLoader.fromString(jsonSchema); - - final JsonSchemaFactory factory = JsonSchemaFactory.byDefault(); - JsonValidator v = factory.getValidator(); - ProcessingReport report = v.validate(s, d); - System.out.println(report); - - return report.toString().contains("success"); + public static void setIseParser(BasicIseParser parser) { + BasicIseParserTest.parser = parser; } + /** + * Returns the inputStrings. + * @return the inputStrings. + */ + + public static String[] getInputStrings() { + return inputStrings; + } + + /** + * Sets the inputStrings. + * @param inputStrings the inputStrings. + */ + + public static void setInputStrings(String[] inputStrings) { + BasicIseParserTest.inputStrings = inputStrings; + } - private String readSchemaFromFile(URL schema_url) throws Exception { - BufferedReader br = new BufferedReader(new FileReader( - schema_url.getFile())); - String line; - StringBuilder sb = new StringBuilder(); - while ((line = br.readLine()) != null) { - System.out.println(line); - sb.append(line); - } - br.close(); - - String schema_string = sb.toString().replaceAll("\n", ""); - schema_string = schema_string.replaceAll(" ", ""); - System.out.println("Read in schema: " + schema_string); - return schema_string; - - } } 
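Review bot: The Javadoc of `setIseParser` still carries `@param iseParser` after the parameter was renamed to `parser`, so the tag no longer matches the signature; it should read `@param parser the parser.`. `getIseParser()` is an instance method that returns the static `parser` field while the setter is static, and declaring both the same way would be more consistent.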
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicLancopeParserTest.java b/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicLancopeParserTest.java index cfdf6e1296..126b6be277 100644 --- a/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicLancopeParserTest.java +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicLancopeParserTest.java @@ -16,16 +16,16 @@ */ package com.opensoc.parsing.test; -import java.util.Iterator; +import java.io.IOException; +import java.net.URL; import java.util.Map; -import junit.framework.TestCase; - import org.json.simple.JSONObject; import org.json.simple.parser.JSONParser; import org.json.simple.parser.ParseException; import com.opensoc.parsing.parsers.BasicLancopeParser; +import com.opensoc.test.AbstractSchemaTest; /** *
      @@ -35,10 +35,18 @@ *
    * @version $Revision: 1.1 $ */ -public class BasicLancopeParserTest extends TestCase { +public class BasicLancopeParserTest extends AbstractSchemaTest { + + /** + * The inputStrings. + */ + private static String[] inputStrings; - private static String rawMessage = ""; - private static BasicLancopeParser lancopeParser=null; + + /** + * The parser. + */ + private static BasicLancopeParser parser=null; /** * Constructs a new BasicLancopeParserTest instance. @@ -53,8 +61,7 @@ public BasicLancopeParserTest(String name) { * @throws java.lang.Exception */ - protected static void setUpBeforeClass() throws Exception { - setRawMessage("{\"message\":\"<131>Jul 17 15:59:01 smc-01 StealthWatch[12365]: 2014-07-17T15:58:30Z 10.40.10.254 0.0.0.0 Minor High Concern Index The host's concern index has either exceeded the CI threshold or rapidly increased. Observed 36.55M points. Policy maximum allows up to 20M points.\",\"@version\":\"1\",\"@timestamp\":\"2014-07-17T15:56:05.992Z\",\"type\":\"syslog\",\"host\":\"10.122.196.201\"}"); + protected static void setUpBeforeClass() throws Exception { } /** 
@@ -70,10 +77,13 @@ protected static void tearDownAfterClass() throws Exception { */ protected void setUp() throws Exception { - super.setUp(); - setRawMessage("{\"message\":\"<131>Jul 17 15:59:01 smc-01 StealthWatch[12365]: 2014-07-17T15:58:30Z 10.40.10.254 0.0.0.0 Minor High Concern Index The host's concern index has either exceeded the CI threshold or rapidly increased. Observed 36.55M points. Policy maximum allows up to 20M points.\",\"@version\":\"1\",\"@timestamp\":\"2014-07-17T15:56:05.992Z\",\"type\":\"syslog\",\"host\":\"10.122.196.201\"}"); - assertNotNull(getRawMessage()); - BasicLancopeParserTest.setLancopeParser(new BasicLancopeParser()); + super.setUp("com.opensoc.parsing.test.BasicLancopeParserTest"); + setInputStrings(super.readTestDataFromFile(this.getConfig().getString("logFile"))); + BasicLancopeParserTest.setParser(new BasicLancopeParser()); + + URL schema_url = getClass().getClassLoader().getResource( + "TestSchemas/LancopeSchema.json"); + super.setSchemaJsonString(super.readSchemaFromFile(schema_url)); } /* 
@@ -87,70 +97,64 @@ protected void tearDown() throws Exception { /** * Test method for {@link com.opensoc.parsing.parsers.BasicLancopeParser#parse(byte[])}. + * @throws Exception + * @throws IOException */ - public void testParse() { - byte messages[] = getRawMessage().getBytes(); - assertNotNull(messages); - JSONObject parsed = lancopeParser.parse(getRawMessage().getBytes()); - assertNotNull(parsed); + public void testParse() throws IOException, Exception { - System.out.println(parsed); - JSONParser parser = new JSONParser(); + for (String inputString : getInputStrings()) { + JSONObject parsed = parser.parse(inputString.getBytes()); + assertNotNull(parsed); - Map json=null; - try { - json = (Map) parser.parse(parsed.toJSONString()); - } catch (ParseException e) { - e.printStackTrace(); + System.out.println(parsed); + JSONParser parser = new JSONParser(); + + Map json=null; + try { + json = (Map) parser.parse(parsed.toJSONString()); + assertEquals(true, validateJsonData(super.getSchemaJsonString(), json.toString())); + } catch (ParseException e) { + e.printStackTrace(); + } } - Iterator iter = json.entrySet().iterator(); - - - while (iter.hasNext()) { - Map.Entry entry = (Map.Entry) iter.next(); - String key = (String) entry.getKey(); - assertNotNull((String) json.get("original_string").toString()); - - assertNotNull((String)json.get("ip_src_addr").toString()); - assertNotNull((String)json.get("ip_dst_addr").toString()); - } - } - - /** - * Returns the rawMessage. - * @return the rawMessage. - */ - - public static String getRawMessage() { - return BasicLancopeParserTest.rawMessage; } /** - * Sets the rawMessage. - * @param rawMessage the rawMessage. - */ - - public static void setRawMessage(String rawMessage) { - - BasicLancopeParserTest.rawMessage = rawMessage; - } - /** - * Returns the lancopeParser. - * @return the lancopeParser. - */ - - public static BasicLancopeParser getLancopeParser() { - return lancopeParser; - } - - /** - * Sets the lancopeParser. 
- * @param lancopeParser the lancopeParser. - */ - - public static void setLancopeParser(BasicLancopeParser lancopeParser) { - - BasicLancopeParserTest.lancopeParser = lancopeParser; - } + * Returns the parser. + * @return the parser. + */ + + public static BasicLancopeParser getParser() { + return parser; + } + + /** + * Sets the parser. + * @param parser the parser. + */ + + public static void setParser(BasicLancopeParser parser) { + + BasicLancopeParserTest.parser = parser; + } + + /** + * Returns the inputStrings. + * @return the inputStrings. + */ + + public static String[] getInputStrings() { + return inputStrings; + } + + /** + * Sets the inputStrings. + * @param inputStrings the inputStrings. + */ + + public static void setInputStrings(String[] inputStrings) { + + BasicLancopeParserTest.inputStrings = inputStrings; + } } diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicPaloAltoFirewallParserTest.java b/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicPaloAltoFirewallParserTest.java new file mode 100644 index 0000000000..23203b0128 --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicPaloAltoFirewallParserTest.java 
@@ -0,0 +1,136 @@ +package com.opensoc.parsing.test; + +import java.util.Iterator; +import java.util.Map; + +import org.json.simple.JSONObject; +import org.json.simple.parser.JSONParser; +import org.json.simple.parser.ParseException; + +import com.opensoc.parsing.parsers.BasicPaloAltoFirewallParser; +import com.opensoc.test.AbstractConfigTest; + +public class BasicPaloAltoFirewallParserTest extends AbstractConfigTest { + /** + * The inputStrings. + */ + private static String[] inputStrings; + + /** + * Constructs a new BasicPaloAltoFirewallParserTest instance. + * @throws Exception + */ + public BasicPaloAltoFirewallParserTest() throws Exception { + super(); + } + + /** + * Sets the inputStrings. + * @param inputStrings the inputStrings. + */ + + public static void setInputStrings(String[] inputStrings) { + + BasicPaloAltoFirewallParserTest.inputStrings = inputStrings; + } + + /** + * The paParser. + */ + private BasicPaloAltoFirewallParser paParser=null; + + /** + * @throws java.lang.Exception + */ + public static void setUpBeforeClass() throws Exception { + } + + /** + * @throws java.lang.Exception + */ + public static void tearDownAfterClass() throws Exception { + setPAStrings(null); + } + + /** + * @throws java.lang.Exception + */ + public void setUp() throws Exception { + super.setUp("com.opensoc.parsing.test.BasicPaloAltoFirewallParserTest"); + setPAStrings(super.readTestDataFromFile(this.getConfig().getString("logFile"))); + paParser = new BasicPaloAltoFirewallParser(); + } + + /** + * + * + * @throws java.lang.Exception + */ + public void tearDown() throws Exception { + paParser = null; + } + + /** + * Test method for {@link com.opensoc.parsing.parsers.BasicSourcefireParser#parse(java.lang.String)}. 
+ */ + @SuppressWarnings({ "rawtypes" }) + public void testParse() { + for (String inputString : getInputStrings()) { + JSONObject parsed = paParser.parse(inputString.getBytes()); + assertNotNull(parsed); + + System.out.println(parsed); + JSONParser parser = new JSONParser(); + + Map json=null; + try { + json = (Map) parser.parse(parsed.toJSONString()); + } catch (ParseException e) { + e.printStackTrace(); + } + Iterator iter = json.entrySet().iterator(); + + + while (iter.hasNext()) { + Map.Entry entry = (Map.Entry) iter.next(); + String key = (String) entry.getKey(); + String value = (String) json.get(key).toString(); + assertNotNull(value); + } + } + } + + /** + * Returns Input String + */ + public static String[] getInputStrings() { + return inputStrings; + } + + + /** + * Sets Input String + */ + public static void setPAStrings(String[] strings) { + BasicPaloAltoFirewallParserTest.inputStrings = strings; + } + + /** + * Returns the paParser. + * @return the paParser. + */ + public BasicPaloAltoFirewallParser getPaParser() { + return paParser; + } + + /** + * Sets the paParser. + * @param paParser the paParser. + */ + + public void setPaParser(BasicPaloAltoFirewallParser paParser) { + + this.paParser = paParser; + } + + } \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicSourcefireParserTest.java b/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicSourcefireParserTest.java index 4faeb391d1..15c90e29cf 100644 --- a/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicSourcefireParserTest.java +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BasicSourcefireParserTest.java 
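Review bot: The assertions in `testParse` cannot fail on a missing or empty field: `json.get(key).toString()` never returns null, so `assertNotNull(value)` is always true, and a null value surfaces as a NullPointerException rather than an assertion failure. When the JSON re-parse throws, the catch only prints the stack trace and `json.entrySet()` is then called on null. Declaring `throws ParseException` instead of catching, adding `assertNotNull(json);` and asserting on the value itself with `assertNotNull(json.get(key));` would make the test report parser regressions. The `testParse` hunks of BasicSourcefireParserTest and GrokAsaParserTest follow the same pattern but look up one fixed key (`original_string`, `CISCO_TAGGED_SYSLOG`) on every iteration. The Javadoc here links `BasicSourcefireParser#parse(java.lang.String)` although the call under test is `paParser.parse(byte[])`; the same stale link is in GrokAsaParserTest.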
@@ -8,13 +8,12 @@ import java.util.Iterator; import java.util.Map; -import junit.framework.TestCase; - import org.json.simple.JSONObject; import org.json.simple.parser.JSONParser; import org.json.simple.parser.ParseException; import com.opensoc.parsing.parsers.BasicSourcefireParser; +import com.opensoc.test.AbstractConfigTest; /** *
      @@ -24,14 +23,28 @@ *
    * @version $Revision: 1.0 $ */ -public class BasicSourcefireParserTest extends TestCase - { - - private static String sourceFireString = ""; - private BasicSourcefireParser sourceFireParser=null; - - - +public class BasicSourcefireParserTest extends AbstractConfigTest +{ + /** + * The sourceFireStrings. + */ + private static String[] sourceFireStrings; + + /** + * The sourceFireParser. + */ + private BasicSourcefireParser sourceFireParser=null; + + + /** + * Constructs a new BasicSourcefireParserTest instance. + * @throws Exception + */ + + public BasicSourcefireParserTest() throws Exception { + super(); + } + /** * @throws java.lang.Exception */ @@ -42,15 +55,16 @@ public static void setUpBeforeClass() throws Exception { * @throws java.lang.Exception */ public static void tearDownAfterClass() throws Exception { - setSourceFireString(""); + setSourceFireStrings(null); } /** * @throws java.lang.Exception */ public void setUp() throws Exception { - setSourceFireString("SFIMS: [Primary Detection Engine (a7213248-6423-11e3-8537-fac6a92b7d9d)][MTD Access Control] Connection Type: Start, User: Unknown, Client: Unknown, Application Protocol: Unknown, Web App: Unknown, Firewall Rule Name: MTD Access Control, Firewall Rule Action: Allow, Firewall Rule Reasons: Unknown, URL Category: Unknown, URL_Reputation: Risk unknown, URL: Unknown, Interface Ingress: s1p1, Interface Egress: N/A, Security Zone Ingress: Unknown, Security Zone Egress: N/A, Security Intelligence Matching IP: None, Security Intelligence Category: None, {TCP} 72.163.0.129:60517 -> 10.1.128.236:443"); assertNotNull(getSourceFireString()); - sourceFireParser = new BasicSourcefireParser(); + super.setUp("com.opensoc.parsing.test.BasicSoureceFireParserTest"); + setSourceFireStrings(super.readTestDataFromFile(this.getConfig().getString("logFile"))); + sourceFireParser = new BasicSourcefireParser(); } /** 
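Review bot: The name passed to `super.setUp(...)` in `setUp` is spelled `BasicSoureceFireParserTest`, which does not match the class `BasicSourcefireParserTest`. Most sibling tests in this commit pass their own class name, so if the base class resolves the config from this string (not visible in this hunk), the `logFile` lookup will miss unless the resource carries the same misspelling. Suggested: `super.setUp("com.opensoc.parsing.test.BasicSourcefireParserTest");`.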
@@ -67,41 +81,62 @@ public void tearDown() throws Exception { */ @SuppressWarnings({ "rawtypes", "unused" }) public void testParse() { - JSONObject parsed = sourceFireParser.parse(getSourceFireString().getBytes()); - assertNotNull(parsed); + for (String sourceFireString : getSourceFireStrings()) { + byte[] srcBytes = sourceFireString.getBytes(); + JSONObject parsed = sourceFireParser.parse(sourceFireString.getBytes()); + assertNotNull(parsed); - System.out.println(parsed); - JSONParser parser = new JSONParser(); - - Map json=null; - try { - json = (Map) parser.parse(parsed.toJSONString()); - } catch (ParseException e) { - e.printStackTrace(); - } - Iterator iter = json.entrySet().iterator(); + System.out.println(parsed); + JSONParser parser = new JSONParser(); + + Map json=null; + try { + json = (Map) parser.parse(parsed.toJSONString()); + } catch (ParseException e) { + e.printStackTrace(); + } + Iterator iter = json.entrySet().iterator(); - while (iter.hasNext()) { - Map.Entry entry = (Map.Entry) iter.next(); - String key = (String) entry.getKey(); - String value = (String) json.get("original_string").toString(); - assertNotNull(value); + while (iter.hasNext()) { + Map.Entry entry = (Map.Entry) iter.next(); + String key = (String) entry.getKey(); + String value = (String) json.get("original_string").toString(); + assertNotNull(value); + } } } /** * Returns SourceFire Input String */ - public static String getSourceFireString() { - return sourceFireString; + public static String[] getSourceFireStrings() { + return sourceFireStrings; } /** * Sets SourceFire Input String */ - public static void setSourceFireString(String sourceFireString) { - BasicSourcefireParserTest.sourceFireString = sourceFireString; + public static void setSourceFireStrings(String[] strings) { + BasicSourcefireParserTest.sourceFireStrings = strings; } + /** + * Returns the sourceFireParser. + * @return the sourceFireParser. 
+ */ + + public BasicSourcefireParser getSourceFireParser() { + return sourceFireParser; + } + + /** + * Sets the sourceFireParser. + * @param sourceFireParser the sourceFireParser. + */ + + public void setSourceFireParser(BasicSourcefireParser sourceFireParser) { + + this.sourceFireParser = sourceFireParser; + } } \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BroParserTest.java b/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BroParserTest.java index 6742011ee5..6c800d1d65 100644 --- a/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BroParserTest.java +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/BroParserTest.java @@ -11,9 +11,8 @@ import org.json.simple.parser.JSONParser; import org.json.simple.parser.ParseException; -import junit.framework.TestCase; - import com.opensoc.parsing.parsers.BasicBroParser; +import com.opensoc.test.AbstractConfigTest; /** *
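Review bot: `byte[] srcBytes = sourceFireString.getBytes();` is computed and never used, and the next line calls `getBytes()` again; the `"unused"` suppression hides this. Pass the array on and name the charset so the fixture bytes do not depend on the platform default, assuming the fixture is UTF-8: `byte[] srcBytes = sourceFireString.getBytes(StandardCharsets.UTF_8);` then `sourceFireParser.parse(srcBytes)`. That needs `import java.nio.charset.StandardCharsets;`, and the import block is outside this hunk.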
      @@ -23,15 +22,34 @@ *
    * @version $Revision: 1.0 $ */ -public class BroParserTest extends TestCase { + + /** + *
      + *
    • Title:
    • + *
    • Description:
    • + *
    • Created: Feb 20, 2015
    • + *
    + * @author $Author: $ + * @version $Revision: 1.1 $ + */ +public class BroParserTest extends AbstractConfigTest { + - private static String broJsonString=""; - private static BasicBroParser broParser=null; + /** + * The inputStrings. + */ + private static String[] inputStrings; + + /** + * The parser. + */ + private BasicBroParser parser=null; /** * Constructs a new BroParserTest instance. + * @throws Exception */ - public BroParserTest() { + public BroParserTest() throws Exception { super(); } @@ -40,23 +58,21 @@ public BroParserTest() { * @throws java.lang.Exception */ public static void setUpBeforeClass() throws Exception { - } /** * @throws java.lang.Exception */ public static void tearDownAfterClass() throws Exception { - setBroJsonString(""); } /** * @throws java.lang.Exception */ public void setUp() throws Exception { - setBroJsonString("{\"http\":{\"ts\":1402307733473,\"uid\":\"CTo78A11g7CYbbOHvj\",\"id.orig_h\":\"192.249.113.37\",\"id.orig_p\":58808,\"id.resp_h\":\"72.163.4.161\",\"id.resp_p\":80,\"trans_depth\":1,\"method\":\"GET\",\"host\":\"www.cisco.com\",\"uri\":\"/\",\"user_agent\":\"curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3\",\"request_body_len\":0,\"response_body_len\":25523,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"resp_fuids\":[\"FJDyMC15lxUn5ngPfd\"],\"resp_mime_types\":[\"text/html\"]}}"); - assertNotNull(getBroJsonString()); - BroParserTest.setBroParser(new BasicBroParser()); + super.setUp("com.opensoc.parsing.test.BroParserTest"); + setInputStrings(super.readTestDataFromFile(this.getConfig().getString("logFile"))); + parser = new BasicBroParser(); } /** 
@@ -67,56 +83,64 @@ public void setUp() throws Exception { @SuppressWarnings({ "unused", "rawtypes" }) public void testParse() throws ParseException { + for (String inputString : getInputStrings()) { + JSONObject cleanJson = parser.parse(inputString.getBytes()); + assertNotNull(cleanJson); + System.out.println(cleanJson); - BasicBroParser broparser = new BasicBroParser(); - assertNotNull(getBroJsonString()); - JSONObject cleanJson = broparser.parse(getBroJsonString().getBytes()); - assertNotNull(cleanJson); - System.out.println(cleanJson); + Pattern p = Pattern.compile("[^\\._a-z0-9 ]", + Pattern.CASE_INSENSITIVE); + JSONParser parser = new JSONParser(); - Pattern p = Pattern.compile("[^\\._a-z0-9 ]", Pattern.CASE_INSENSITIVE); + Map json = (Map) cleanJson; + Map output = new HashMap(); + Iterator iter = json.entrySet().iterator(); - JSONParser parser = new JSONParser(); + while (iter.hasNext()) { + Map.Entry entry = (Map.Entry) iter.next(); + String key = (String) entry.getKey(); - Map json = (Map) cleanJson; - Map output = new HashMap(); - Iterator iter = json.entrySet().iterator(); - - while (iter.hasNext()) { - Map.Entry entry = (Map.Entry) iter.next(); - String key = (String) entry.getKey(); - - Matcher m = p.matcher(key); - boolean b = m.find(); - // Test False - assertFalse(b); + Matcher m = p.matcher(key); + boolean b = m.find(); + // Test False + assertFalse(b); + } } } - /** - * Returns the instance of BroParser - */ - public static BasicBroParser getBroParser() { - return broParser; + + /** + * Returns Input String + */ + public static String[] getInputStrings() { + return inputStrings; } - /** - * Sets the instance of BroParser - */ - public static void setBroParser(BasicBroParser broParser) { - BroParserTest.broParser = broParser; + + /** + * Sets SourceFire Input String + */ + public static void setInputStrings(String[] strings) { + BroParserTest.inputStrings = strings; } + /** - * Return BroPaser JSON String + * Returns the parser. 
+ * @return the parser. */ - public static String getBroJsonString() { - return BroParserTest.broJsonString; - } + + public BasicBroParser getParser() { + return parser; + } + /** - * Sets BroPaser JSON String + * Sets the parser. + * @param parser the parser. */ - public static void setBroJsonString(String broJsonString) { - BroParserTest.broJsonString = broJsonString; - } + + public void setParser(BasicBroParser parser) { + + this.parser = parser; + } } diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/GrokAsaParserTest.java b/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/GrokAsaParserTest.java new file mode 100644 index 0000000000..37196346e1 --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/java/com/opensoc/parsing/test/GrokAsaParserTest.java @@ -0,0 +1,149 @@ +package com.opensoc.parsing.test; + +import java.util.Iterator; +import java.util.Map; + +import org.json.simple.JSONObject; +import org.json.simple.parser.JSONParser; +import org.json.simple.parser.ParseException; + +import com.opensoc.parsing.parsers.GrokAsaParser; +import com.opensoc.test.AbstractConfigTest; + + + /** + *
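Review bot: Inside the loop of `testParse`, `JSONParser parser = new JSONParser();` declares a local that shadows the `parser` field used at the top of the loop body for `parser.parse(inputString.getBytes())`, and the local is never used. Dropping that line, along with the unused `output` map, would remove the need for the `"unused"` suppression. The `Pattern` is loop-invariant and can be compiled once before the `for`. The Javadoc on `setInputStrings` says `Sets SourceFire Input String`, a leftover from the Sourcefire test; `Sets the Bro input strings.` would match.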
      + *
    • Title:
    • + *
    • Description:
    • + *
    • Created: Feb 17, 2015 by:
    • + *
    + * @author $Author: $ + * @version $Revision: 1.1 $ + */ +public class GrokAsaParserTest extends AbstractConfigTest{ + /** + * The grokAsaStrings. + */ + private static String[] grokAsaStrings=null; + + /** + * The grokAsaParser. + */ + + private GrokAsaParser grokAsaParser=null; + + /** + * Constructs a new GrokAsaParserTest instance. + * @throws Exception + */ + + public GrokAsaParserTest() throws Exception { + super(); + + } + /** + * @throws java.lang.Exception + */ + public static void setUpBeforeClass() throws Exception { + } + + /** + * @throws java.lang.Exception + */ + public static void tearDownAfterClass() throws Exception { + setGrokAsaStrings(null); + } + + /* + * (non-Javadoc) + * @see junit.framework.TestCase#setUp() + */ + public void setUp() throws Exception { + super.setUp("com.opensoc.parsing.test.GrokAsaParserTest"); + setGrokAsaStrings(super.readTestDataFromFile(this.getConfig().getString("logFile"))); + grokAsaParser = new GrokAsaParser(); + } + + /** + * + * + * @throws java.lang.Exception + */ + public void tearDown() throws Exception { + grokAsaParser = null; + } + + /** + * Test method for {@link com.opensoc.parsing.parsers.BasicSourcefireParser#parse(java.lang.String)}. 
+ */ + @SuppressWarnings({ "rawtypes" }) + public void testParse() { + + for (String grokAsaString : getGrokAsaStrings()) { + JSONObject parsed = grokAsaParser.parse(grokAsaString.getBytes()); + assertNotNull(parsed); + + System.out.println(parsed); + JSONParser parser = new JSONParser(); + + Map json=null; + try { + json = (Map) parser.parse(parsed.toJSONString()); + } catch (ParseException e) { + e.printStackTrace(); + } + //Ensure JSON returned is not null/empty + assertNotNull(json); + + Iterator iter = json.entrySet().iterator(); + + + while (iter.hasNext()) { + Map.Entry entry = (Map.Entry) iter.next(); + assertNotNull(entry); + + String key = (String) entry.getKey(); + assertNotNull(key); + + String value = (String) json.get("CISCO_TAGGED_SYSLOG").toString(); + assertNotNull(value); + } + } + } + + /** + * Returns GrokAsa Input String + */ + public static String[] getGrokAsaStrings() { + return grokAsaStrings; + } + + + /** + * Sets GrokAsa Input String + */ + public static void setGrokAsaStrings(String[] strings) { + GrokAsaParserTest.grokAsaStrings = strings; + } + + /** + * Returns the grokAsaParser. + * @return the grokAsaParser. + */ + + public GrokAsaParser getGrokAsaParser() { + return grokAsaParser; + } + + + /** + * Sets the grokAsaParser. + * @param grokAsaParser the grokAsaParser. + */ + + public void setGrokAsaParser(GrokAsaParser grokAsaParser) { + + this.grokAsaParser = grokAsaParser; + } + + } \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/BroParserTest.log b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/BroParserTest.log new file mode 100644 index 0000000000..e71f28eb3a --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/BroParserTest.log 
@@ -0,0 +1,3 @@ +{"http":{"ts":1402307733473,"uid":"CTo78A11g7CYbbOHvj","id.orig_h":"192.249.113.37","id.orig_p":58808,"id.resp_h":"72.163.4.161","id.resp_p":80,"trans_depth":1,"method":"GET","host":"www.cisco.com","uri":"/","user_agent":"curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3","request_body_len":0,"response_body_len":25523,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FJDyMC15lxUn5ngPfd"],"resp_mime_types":["text/html"]}} +{"dns":{"ts":1402308259609,"uid":"CuJT272SKaJSuqO0Ia","id.orig_h":"10.122.196.204","id.orig_p":33976,"id.resp_h":"144.254.71.184","id.resp_p":53,"proto":"udp","trans_id":62418,"query":"www.cisco.com","qclass":1,"qclass_name":"C_INTERNET","qtype":28,"qtype_name":"AAAA","rcode":0,"rcode_name":"NOERROR","AA":true,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["www.cisco.com.akadns.net","origin-www.cisco.com","2001:420:1201:2::a"],"TTLs":[3600.0,289.0,14.0],"rejected":false}} +{"files":{"analyzers": ["X509","MD5","SHA1"],"conn_uids":["C4tygJ3qxJBEJEBCeh"],"depth": 0,"duration": 0.0,"fuid":"FZEBC33VySG0nHSoO9","is_orig": false,"local_orig": false,"md5": "eba37166385e3ef42464ed9752e99f1b","missing_bytes": 0,"overflow_bytes": 0,"protocol": "files","rx_hosts": ["10.220.15.205"],"seen_bytes": 1136,"sha1": "73e42686657aece354fbf685712361658f2f4357","source": "SSL","timedout": false,"ts": "1425845251334","tx_hosts": ["68.171.237.7"]}} \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/FireEyeParserTest.log b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/FireEyeParserTest.log new file mode 100644 index 0000000000..6d7f04b3b6 --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/FireEyeParserTest.log 
@@ -0,0 +1,8 @@ +<164>Mar 19 05:24:39 10.220.15.15 fenotify-851983.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 12:28:26 UTC dvc=10.201.78.57 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=54527 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851983 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\\=851983 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>Mar 19 05:24:39 10.220.15.15 fenotify-851987.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 12:33:41 UTC dvc=10.201.78.113 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=51218 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851987 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\\=851987 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>Mar 19 05:24:39 10.220.15.15 fenotify-3483808.2.alert: 1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP/1.1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP/1.1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP/1.1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP/1.1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP/1.1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP/1.1::~~User-Agent: 
WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP +<164>Mar 19 05:24:39 10.220.15.15 fenotify-793972.2.alert: Control: no-cache::~~::~~ dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Exploit.Kit.Magnitude +<161>Apr 1 05:24:39 10.220.15.15 fenotify-864461.alert: CEF:0|FireEye|CMS|7.5.1.318703|DM|domain-match|1|rt=Mar 19 2015 12:23:47 UTC src=10.191.193.20 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=abc123.example.com proto=udp spt=60903 cs5Label=cncHost cs5=mfdclk001.org dvchost=ABC123 dvc=10.190.1.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=864461 cs4Label=link cs4=https:\/\/ABC123.example.com\/event_stream\/events_for_bot?ev_id\\=864461 act=notified dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +fireeye[-]: <161>Mar 19 05:24:39 10.220.15.15 fenotify-864461.alert: CEF:0|FireEye|CMS|7.5.1.318703|DM|domain-match|1|rt=Mar 19 2015 12:23:47 UTC src=10.191.193.20 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=abc123.example.com proto=udp spt=60903 cs5Label=cncHost cs5=mfdclk001.org dvchost=ABC123 dvc=10.190.1.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=864461 cs4Label=link cs4=https:\/\/ABC123.example.com\/event_stream\/events_for_bot?ev_id\\=864461 act=notified dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +fireeye[-]: <161>Apr 1 02:49:49 10.220.15.15 fenotify-900702.alert: CEF:0|FireEye|CMS|7.5.1.318703|DM|domain-match|1|rt=Apr 01 2015 09:49:14 UTC src=10.1.97.20 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=abcd0060xzy03.example.com proto=udp spt=63100 cs5Label=cncHost cs5=mfdclk001.org dvchost=DEV1FEYE1 dvc=10.220.15.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=900702 cs4Label=link cs4=https://ABCD0040CMS01.example.com/event_stream/events_for_bot?ev_id\=900702 act=notified dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<161>Apr 11 05:24:39 10.220.15.15 fenotify-864461.alert: 
CEF:0|FireEye|CMS|7.5.1.318703|DM|domain-match|1|rt=Mar 19 2015 12:23:47 UTC src=10.191.193.20 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=abc123.example.com proto=udp spt=60903 cs5Label=cncHost cs5=mfdclk001.org dvchost=ABC123 dvc=10.190.1.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=864461 cs4Label=link cs4=https:\/\/ABC123.example.com\/event_stream\/events_for_bot?ev_id\\=864461 act=notified dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/GrokParserTest.log b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/GrokParserTest.log new file mode 100644 index 0000000000..3141d75217 --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/GrokParserTest.log 
@@ -0,0 +1,12 @@
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168292 for DMZ-Inside:10.22.8.51/51231 to Inside-Trunk:10.22.8.174/40004 duration 0:00:00 bytes 2103 TCP FINs
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 186.111.72.11/80 to 204.111.72.226/45019 flags SYN ACK on interface Outside_VPN
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302014: Teardown TCP connection 17604987 for outside:209.111.72.151/443 to inside:10.22.8.188/64306 duration 0:00:31 bytes 10128 TCP FINs
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302014: Teardown TCP connection 17604999 for outside:209.111.72.151/443 to inside:10.22.8.188/64307 duration 0:00:30 bytes 6370 TCP FINs
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167347 for Outside_VPN:198.111.72.24/2134 to DMZ-Inside:10.22.8.53/443 duration 0:00:01 bytes 9785 TCP FINs
+<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245506 for outside:10.22.8.110/49886 (10.22.8.110/49886) to inside:192.111.72.8/8612 (192.111.72.8/8612) (user.name)
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805993 for outside:10.22.8.89/56917(LOCAL\\user.name) to inside:216.111.72.126/443 duration 0:00:00 bytes 0 TCP FINs (user.name)",
+<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-710005: UDP request discarded from 10.22.8.223/49192 to outside:224.111.72.252/5355
+<167>Jan 5 08:52:32 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00
+<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609001: Built local-host inside:10.22.8.205
+<166>Jan 5 15:52:35 10.22.8.33 : %ASA-6-305012: Teardown dynamic UDP translation from inside:192.111.72.2/62251 to outside:79.111.72.174/21311 duration 0:02:30
+<158>Mar 6 07:30:00 NSAN2FWMDF1 : %ASA-6-302021: Teardown ICMP connection for faddr 10.220.5.50/50074 gaddr 10.220.19.147/0 laddr 10.220.19.147/0
\ No newline at end of file
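Review bot: The seventh fixture line ends with a stray `",` and carries `LOCAL\\user.name` with a doubled backslash, which looks like residue from a Java string literal rather than what the device emits, so the Grok ASA pattern is tested against input that differs from real syslog. I would store the raw form, ending `...56917(LOCAL\user.name) to inside:216.111.72.126/443 duration 0:00:00 bytes 0 TCP FINs (user.name)`. The same escaping shows up in PaloAltoFirewallParserTest.log (`example\\user.name`, `\"ad.aspx?...\"`) and in SourceFireTest.log (`\"MALWARE-CNC Dropper ...\"`, `From \"172.19.50.7\"`). Parsers that extract user names, URLs or signature text for alerting can pass against these fixtures and still mis-split the unescaped fields seen in production, so the fixtures should be byte-for-byte what the sensors send.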
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/IseSample.log b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/IseParserTest.log
similarity index 100%
rename from opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/IseSample.log
rename to opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/IseParserTest.log
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/LancopeParserTest.log b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/LancopeParserTest.log
new file mode 100644
index 0000000000..0e4bf74f2b
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/LancopeParserTest.log
@@ -0,0 +1 @@
+{"message":"<131>Jul 17 15:59:01 smc-01 StealthWatch[12365]: 2014-07-17T15:58:30Z 10.40.10.254 0.0.0.0 Minor High Concern Index The host's concern index has either exceeded the CI threshold or rapidly increased. Observed 36.55M points. Policy maximum allows up to 20M points.","@version":"1","@timestamp":"2014-07-17T15:56:05.992Z","type":"syslog","host":"10.122.196.201"}
\ No newline at end of file
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/PaloAltoFirewallParserTest.log b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/PaloAltoFirewallParserTest.log
new file mode 100644
index 0000000000..c58bcc8614
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/PaloAltoFirewallParserTest.log
@@ -0,0 +1,2 @@
+<11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1,2015/01/05 05:38:58,0006C110285,THREAT,vulnerability,1,2015/01/05 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\"ad.aspx?f=300x250&id=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,,
+<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.39,10.1.0.163,0.0.0.0,0.0.0.0,EX-Allow,,example\\user.name,ms-ds-smb,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,33760927,1,52688,445,0,0,0x401a,tcp,allow,2229,1287,942,10,2015/01/05 12:51:01,30,any,0,17754932062,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,6,4
\ No newline at end of file
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/SourceFireTest.log b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/SourceFireTest.log
new file mode 100644
index 0000000000..af257aa4b5
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/SourceFireTest.log
@@ -0,0 +1,3 @@
+SFIMS: [Primary Detection Engine (a7213248-6423-11e3-8537-fac6a92b7d9d)][MTD Access Control] Connection Type: Start, User: Unknown, Client: Unknown, Application Protocol: Unknown, Web App: Unknown, Firewall Rule Name: MTD Access Control, Firewall Rule Action: Allow, Firewall Rule Reasons: Unknown, URL Category: Unknown, URL_Reputation: Risk unknown, URL: Unknown, Interface Ingress: s1p1, Interface Egress: N/A, Security Zone Ingress: Unknown, Security Zone Egress: N/A, Security Intelligence Matching IP: None, Security Intelligence Category: None, {TCP} 72.163.0.129:60517 -> 10.1.128.236:443
+snort: [1:3192:2] WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 46.149.110.103:80 -> 192.168.56.102:1073
+SFIMS: Correlation Event: Open Soc Log Forwarding/Opensoc Log Forwarding at Thu Oct 23 04:55:39 2014 UTC: [1:19123:7] \"MALWARE-CNC Dropper Win.Trojan.Cefyns.A variant outbound connection\" [Impact: Unknown] From \"172.19.50.7\" at Thu Oct 23 04:55:38 2014 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {tcp} 139.230.245.23:52078->72.52.4.91:80
\ No newline at end of file
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/TestSchemas/BroSchema.json b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/TestSchemas/BroSchema.json
new file mode 100644
index 0000000000..0105c195c9
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/TestSchemas/BroSchema.json
@@ -0,0 +1,28 @@ +{ + "title": "Bro Schema", + "type": "object", + "properties": { + "status_code": { + "type": "integer" + }, + "uid": { + "type": "string" + }, + "protocol": { + "type": "string" + }, + "ip_dst_addr": { + "type": "string" + }, + "host": { + "type": "string" + }, + "request_body_len": { + "type": "integer" + }, + "response_body_len": { + "type": "integer" + } + }, + "required": ["status_code", "uid", "protocol","ip_dst_addr","host","request_body_len","response_body_len"] +} \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/TestSchemas/LancopeSchema.json b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/TestSchemas/LancopeSchema.json index 12f326f46c..9118a934ec 100644 --- a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/TestSchemas/LancopeSchema.json +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/TestSchemas/LancopeSchema.json @@ -8,15 +8,21 @@ "ip_dst_addr": { "type": "string" }, - "ip_src_port": { + "original_string": { "type": "string" }, - "ip_dst_port": { + "@version": { "type": "string" }, - "protocol": { + "timestamp": { + "type": "integer" + }, + "type": { + "type": "string" + }, + "host": { "type": "string" } }, - "required": ["ip_src_addr", "ip_dst_addr", "ip_src_port", "ip_dst_port","protocol"] + "required": ["ip_src_addr", "ip_dst_addr", "original_string","@version", "timestamp", "type","host"] } \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/TestSchemas/SourcefireSchema.json b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/TestSchemas/SourcefireSchema.json index 3984b00264..27119099e6 100644 --- a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/TestSchemas/SourcefireSchema.json +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/TestSchemas/SourcefireSchema.json 
@@ -8,15 +8,27 @@ "ip_dst_addr": { "type": "string" }, - "ip_src_port": { + "timestamp": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "original_string": { "type": "string" }, + "original_string": { + "type": "string" + }, + "ip_src_port": { + "type": "string" + }, "ip_dst_port": { "type": "string" }, - "protocol": { + "key": { "type": "string" - } + } }, - "required": ["ip_src_addr", "ip_dst_addr", "ip_src_port", "ip_dst_port","protocol"] + "required": ["ip_src_addr", "ip_dst_addr", "ip_src_port", "ip_dst_port","protocol","original_string","key","timestamp"] } \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicFireEyeParserTest.config b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicFireEyeParserTest.config new file mode 100644 index 0000000000..8073cec2c0 --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicFireEyeParserTest.config @@ -0,0 +1,2 @@ +#BasicFireEyeParserTestConfig +logFile=src/test/resources/FireEyeParserTest.log diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicIseParserTest.config b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicIseParserTest.config new file mode 100644 index 0000000000..ac158a5c05 --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicIseParserTest.config @@ -0,0 +1,2 @@ +#IseParserTestConfig +logFile=src/test/resources/IseParserTest.log diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicLancopeParserTest.config b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicLancopeParserTest.config new file mode 100644 index 0000000000..edafc562e6 --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicLancopeParserTest.config 
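Review bot: The SourcefireSchema.json hunk adds the property `"original_string"` twice in a row under `properties`. Most JSON parsers silently keep only the last duplicate key, so the schema loads today, but a later edit to the first copy would have no effect and strict parsers may reject the file. Remove the second `"original_string": { "type": "string" }` entry. The hunk begins at line 8 of the schema, so the opening of the object is outside the visible lines.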
@@ -0,0 +1,2 @@
+#LancopeParserTestConfig
+logFile=src/test/resources/LancopeParserTest.log
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicPaloAltoFirewallParserTest.config b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicPaloAltoFirewallParserTest.config
new file mode 100644
index 0000000000..613c3149e6
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicPaloAltoFirewallParserTest.config
@@ -0,0 +1,2 @@
+#BasicFireEyeParserTestConfig
+logFile=src/test/resources/PaloAltoFirewallParserTest.log
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicSourcefireParserTest.config b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicSourcefireParserTest.config
new file mode 100644
index 0000000000..556a54c430
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BasicSourcefireParserTest.config
@@ -0,0 +1,2 @@
+#BasicSourceFileParserTestConfig
+logFile=src/test/resources/SourceFireTest.log
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BroParserTest.config b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BroParserTest.config
new file mode 100644
index 0000000000..c50743c336
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/BroParserTest.config
@@ -0,0 +1,2 @@
+#BroParserTestConfig
+logFile=src/test/resources/BroParserTest.log
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/GrokAsaParserTest.config b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/GrokAsaParserTest.config
new file mode 100644
index 0000000000..2f412100a6
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/config/GrokAsaParserTest.config
@@ -0,0 +1,2 @@
+#GrokParserTestConfig
+logFile=src/test/resources/GrokParserTest.log
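Review bot: The header comment in BasicPaloAltoFirewallParserTest.config reads `#BasicFireEyeParserTestConfig`, apparently copied from the FireEye config, and BasicSourcefireParserTest.config is labelled `#BasicSourceFileParserTestConfig`. Rename them to `#BasicPaloAltoFirewallParserTestConfig` and `#BasicSourcefireParserTestConfig` so a failing test points at the right fixture. The `logFile` values in all of these configs are relative paths, so the tests presumably only find their fixtures when run from the module directory; a one-line comment stating that assumption would help.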
diff --git a/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/effective_tld_names.dat b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/effective_tld_names.dat new file mode 100644 index 0000000000..36e5d4c1c8 --- /dev/null +++ b/opensoc-streaming/OpenSOC-MessageParsers/src/test/resources/effective_tld_names.dat 
@@ -0,0 +1,9719 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// ===BEGIN ICANN DOMAINS=== + +// ac : http://en.wikipedia.org/wiki/.ac +ac +com.ac +edu.ac +gov.ac +net.ac +mil.ac +org.ac + +// ad : http://en.wikipedia.org/wiki/.ad +ad +nom.ad + +// ae : http://en.wikipedia.org/wiki/.ae +// see also: "Domain Name Eligibility Policy" at http://www.aeda.ae/eng/aepolicy.php +ae +co.ae +net.ae +org.ae +sch.ae +ac.ae +gov.ae +mil.ae + +// aero : see http://www.information.aero/index.php?id=66 +aero +accident-investigation.aero +accident-prevention.aero +aerobatic.aero +aeroclub.aero +aerodrome.aero +agents.aero +aircraft.aero +airline.aero +airport.aero +air-surveillance.aero +airtraffic.aero +air-traffic-control.aero +ambulance.aero +amusement.aero +association.aero +author.aero +ballooning.aero +broker.aero +caa.aero +cargo.aero +catering.aero +certification.aero +championship.aero +charter.aero +civilaviation.aero +club.aero +conference.aero +consultant.aero +consulting.aero +control.aero +council.aero +crew.aero +design.aero +dgca.aero +educator.aero +emergency.aero +engine.aero +engineer.aero +entertainment.aero +equipment.aero +exchange.aero +express.aero +federation.aero +flight.aero +freight.aero +fuel.aero +gliding.aero +government.aero +groundhandling.aero +group.aero +hanggliding.aero +homebuilt.aero +insurance.aero +journal.aero +journalist.aero +leasing.aero +logistics.aero +magazine.aero +maintenance.aero +marketplace.aero +media.aero +microlight.aero +modelling.aero +navigation.aero +parachuting.aero +paragliding.aero +passenger-association.aero +pilot.aero +press.aero +production.aero +recreation.aero +repbody.aero +res.aero +research.aero +rotorcraft.aero +safety.aero +scientist.aero +services.aero +show.aero +skydiving.aero +software.aero +student.aero +taxi.aero +trader.aero +trading.aero 
+trainer.aero +union.aero +workinggroup.aero +works.aero + +// af : http://www.nic.af/help.jsp +af +gov.af +com.af +org.af +net.af +edu.af + +// ag : http://www.nic.ag/prices.htm +ag +com.ag +org.ag +net.ag +co.ag +nom.ag + +// ai : http://nic.com.ai/ +ai +off.ai +com.ai +net.ai +org.ai + +// al : http://www.ert.gov.al/ert_alb/faq_det.html?Id=31 +al +com.al +edu.al +gov.al +mil.al +net.al +org.al + +// am : http://en.wikipedia.org/wiki/.am +am + +// an : http://www.una.an/an_domreg/default.asp +an +com.an +net.an +org.an +edu.an + +// ao : http://en.wikipedia.org/wiki/.ao +// http://www.dns.ao/REGISTR.DOC +ao +ed.ao +gv.ao +og.ao +co.ao +pb.ao +it.ao + +// aq : http://en.wikipedia.org/wiki/.aq +aq + +// ar : https://nic.ar/normativa-vigente.xhtml +ar +com.ar +edu.ar +gob.ar +gov.ar +int.ar +mil.ar +net.ar +org.ar +tur.ar + +// arpa : http://en.wikipedia.org/wiki/.arpa +// Confirmed by registry 2008-06-18 +arpa +e164.arpa +in-addr.arpa +ip6.arpa +iris.arpa +uri.arpa +urn.arpa + +// as : http://en.wikipedia.org/wiki/.as +as +gov.as + +// asia : http://en.wikipedia.org/wiki/.asia +asia + +// at : http://en.wikipedia.org/wiki/.at +// Confirmed by registry 2008-06-17 +at +ac.at +co.at +gv.at +or.at + +// au : http://en.wikipedia.org/wiki/.au +// http://www.auda.org.au/ +au +// 2LDs +com.au +net.au +org.au +edu.au +gov.au +asn.au +id.au +// Historic 2LDs (closed to new registration, but sites still exist) +info.au +conf.au +oz.au +// CGDNs - http://www.cgdn.org.au/ +act.au +nsw.au +nt.au +qld.au +sa.au +tas.au +vic.au +wa.au +// 3LDs +act.edu.au +nsw.edu.au +nt.edu.au +qld.edu.au +sa.edu.au +tas.edu.au +vic.edu.au +wa.edu.au +// act.gov.au Bug 984824 - Removed at request of Greg Tankard +// nsw.gov.au Bug 547985 - Removed at request of +// nt.gov.au Bug 940478 - Removed at request of Greg Connors +qld.gov.au +sa.gov.au +tas.gov.au +vic.gov.au +wa.gov.au + +// aw : http://en.wikipedia.org/wiki/.aw +aw +com.aw + +// ax : http://en.wikipedia.org/wiki/.ax +ax + +// az : 
http://en.wikipedia.org/wiki/.az +az +com.az +net.az +int.az +gov.az +org.az +edu.az +info.az +pp.az +mil.az +name.az +pro.az +biz.az + +// ba : http://en.wikipedia.org/wiki/.ba +ba +org.ba +net.ba +edu.ba +gov.ba +mil.ba +unsa.ba +unbi.ba +co.ba +com.ba +rs.ba + +// bb : http://en.wikipedia.org/wiki/.bb +bb +biz.bb +co.bb +com.bb +edu.bb +gov.bb +info.bb +net.bb +org.bb +store.bb +tv.bb + +// bd : http://en.wikipedia.org/wiki/.bd +*.bd + +// be : http://en.wikipedia.org/wiki/.be +// Confirmed by registry 2008-06-08 +be +ac.be + +// bf : http://en.wikipedia.org/wiki/.bf +bf +gov.bf + +// bg : http://en.wikipedia.org/wiki/.bg +// https://www.register.bg/user/static/rules/en/index.html +bg +a.bg +b.bg +c.bg +d.bg +e.bg +f.bg +g.bg +h.bg +i.bg +j.bg +k.bg +l.bg +m.bg +n.bg +o.bg +p.bg +q.bg +r.bg +s.bg +t.bg +u.bg +v.bg +w.bg +x.bg +y.bg +z.bg +0.bg +1.bg +2.bg +3.bg +4.bg +5.bg +6.bg +7.bg +8.bg +9.bg + +// bh : http://en.wikipedia.org/wiki/.bh +bh +com.bh +edu.bh +net.bh +org.bh +gov.bh + +// bi : http://en.wikipedia.org/wiki/.bi +// http://whois.nic.bi/ +bi +co.bi +com.bi +edu.bi +or.bi +org.bi + +// biz : http://en.wikipedia.org/wiki/.biz +biz + +// bj : http://en.wikipedia.org/wiki/.bj +bj +asso.bj +barreau.bj +gouv.bj + +// bm : http://www.bermudanic.bm/dnr-text.txt +bm +com.bm +edu.bm +gov.bm +net.bm +org.bm + +// bn : http://en.wikipedia.org/wiki/.bn +*.bn + +// bo : http://www.nic.bo/ +bo +com.bo +edu.bo +gov.bo +gob.bo +int.bo +org.bo +net.bo +mil.bo +tv.bo + +// br : http://registro.br/dominio/categoria.html +// Submitted by registry 2014-08-11 +br +adm.br +adv.br +agr.br +am.br +arq.br +art.br +ato.br +b.br +bio.br +blog.br +bmd.br +cim.br +cng.br +cnt.br +com.br +coop.br +ecn.br +eco.br +edu.br +emp.br +eng.br +esp.br +etc.br +eti.br +far.br +flog.br +fm.br +fnd.br +fot.br +fst.br +g12.br +ggf.br +gov.br +imb.br +ind.br +inf.br +jor.br +jus.br +leg.br +lel.br +mat.br +med.br +mil.br +mp.br +mus.br +net.br +*.nom.br +not.br +ntr.br +odo.br +org.br +ppg.br 
+pro.br +psc.br +psi.br +qsl.br +radio.br +rec.br +slg.br +srv.br +taxi.br +teo.br +tmp.br +trd.br +tur.br +tv.br +vet.br +vlog.br +wiki.br +zlg.br + +// bs : http://www.nic.bs/rules.html +bs +com.bs +net.bs +org.bs +edu.bs +gov.bs + +// bt : http://en.wikipedia.org/wiki/.bt +bt +com.bt +edu.bt +gov.bt +net.bt +org.bt + +// bv : No registrations at this time. +// Submitted by registry 2006-06-16 +bv + +// bw : http://en.wikipedia.org/wiki/.bw +// http://www.gobin.info/domainname/bw.doc +// list of other 2nd level tlds ? +bw +co.bw +org.bw + +// by : http://en.wikipedia.org/wiki/.by +// http://tld.by/rules_2006_en.html +// list of other 2nd level tlds ? +by +gov.by +mil.by +// Official information does not indicate that com.by is a reserved +// second-level domain, but it's being used as one (see www.google.com.by and +// www.yahoo.com.by, for example), so we list it here for safety's sake. +com.by + +// http://hoster.by/ +of.by + +// bz : http://en.wikipedia.org/wiki/.bz +// http://www.belizenic.bz/ +bz +com.bz +net.bz +org.bz +edu.bz +gov.bz + +// ca : http://en.wikipedia.org/wiki/.ca +ca +// ca geographical names +ab.ca +bc.ca +mb.ca +nb.ca +nf.ca +nl.ca +ns.ca +nt.ca +nu.ca +on.ca +pe.ca +qc.ca +sk.ca +yk.ca +// gc.ca: http://en.wikipedia.org/wiki/.gc.ca +// see also: http://registry.gc.ca/en/SubdomainFAQ +gc.ca + +// cat : http://en.wikipedia.org/wiki/.cat +cat + +// cc : http://en.wikipedia.org/wiki/.cc +cc + +// cd : http://en.wikipedia.org/wiki/.cd +// see also: https://www.nic.cd/domain/insertDomain_2.jsp?act=1 +cd +gov.cd + +// cf : http://en.wikipedia.org/wiki/.cf +cf + +// cg : http://en.wikipedia.org/wiki/.cg +cg + +// ch : http://en.wikipedia.org/wiki/.ch +ch + +// ci : http://en.wikipedia.org/wiki/.ci +// http://www.nic.ci/index.php?page=charte +ci +org.ci +or.ci +com.ci +co.ci +edu.ci +ed.ci +ac.ci +net.ci +go.ci +asso.ci +aéroport.ci +int.ci +presse.ci +md.ci +gouv.ci + +// ck : http://en.wikipedia.org/wiki/.ck +*.ck +!www.ck + +// cl : 
http://en.wikipedia.org/wiki/.cl +cl +gov.cl +gob.cl +co.cl +mil.cl + +// cm : http://en.wikipedia.org/wiki/.cm plus bug 981927 +cm +co.cm +com.cm +gov.cm +net.cm + +// cn : http://en.wikipedia.org/wiki/.cn +// Submitted by registry 2008-06-11 +cn +ac.cn +com.cn +edu.cn +gov.cn +net.cn +org.cn +mil.cn +公司.cn +网络.cn +網絡.cn +// cn geographic names +ah.cn +bj.cn +cq.cn +fj.cn +gd.cn +gs.cn +gz.cn +gx.cn +ha.cn +hb.cn +he.cn +hi.cn +hl.cn +hn.cn +jl.cn +js.cn +jx.cn +ln.cn +nm.cn +nx.cn +qh.cn +sc.cn +sd.cn +sh.cn +sn.cn +sx.cn +tj.cn +xj.cn +xz.cn +yn.cn +zj.cn +hk.cn +mo.cn +tw.cn + +// co : http://en.wikipedia.org/wiki/.co +// Submitted by registry 2008-06-11 +co +arts.co +com.co +edu.co +firm.co +gov.co +info.co +int.co +mil.co +net.co +nom.co +org.co +rec.co +web.co + +// com : http://en.wikipedia.org/wiki/.com +com + +// coop : http://en.wikipedia.org/wiki/.coop +coop + +// cr : http://www.nic.cr/niccr_publico/showRegistroDominiosScreen.do +cr +ac.cr +co.cr +ed.cr +fi.cr +go.cr +or.cr +sa.cr + +// cu : http://en.wikipedia.org/wiki/.cu +cu +com.cu +edu.cu +org.cu +net.cu +gov.cu +inf.cu + +// cv : http://en.wikipedia.org/wiki/.cv +cv + +// cw : http://www.una.cw/cw_registry/ +// Confirmed by registry 2013-03-26 +cw +com.cw +edu.cw +net.cw +org.cw + +// cx : http://en.wikipedia.org/wiki/.cx +// list of other 2nd level tlds ? 
+cx +gov.cx + +// cy : http://en.wikipedia.org/wiki/.cy +*.cy + +// cz : http://en.wikipedia.org/wiki/.cz +cz + +// de : http://en.wikipedia.org/wiki/.de +// Confirmed by registry (with technical +// reservations) 2008-07-01 +de + +// dj : http://en.wikipedia.org/wiki/.dj +dj + +// dk : http://en.wikipedia.org/wiki/.dk +// Confirmed by registry 2008-06-17 +dk + +// dm : http://en.wikipedia.org/wiki/.dm +dm +com.dm +net.dm +org.dm +edu.dm +gov.dm + +// do : http://en.wikipedia.org/wiki/.do +do +art.do +com.do +edu.do +gob.do +gov.do +mil.do +net.do +org.do +sld.do +web.do + +// dz : http://en.wikipedia.org/wiki/.dz +dz +com.dz +org.dz +net.dz +gov.dz +edu.dz +asso.dz +pol.dz +art.dz + +// ec : http://www.nic.ec/reg/paso1.asp +// Submitted by registry 2008-07-04 +ec +com.ec +info.ec +net.ec +fin.ec +k12.ec +med.ec +pro.ec +org.ec +edu.ec +gov.ec +gob.ec +mil.ec + +// edu : http://en.wikipedia.org/wiki/.edu +edu + +// ee : http://www.eenet.ee/EENet/dom_reeglid.html#lisa_B +ee +edu.ee +gov.ee +riik.ee +lib.ee +med.ee +com.ee +pri.ee +aip.ee +org.ee +fie.ee + +// eg : http://en.wikipedia.org/wiki/.eg +eg +com.eg +edu.eg +eun.eg +gov.eg +mil.eg +name.eg +net.eg +org.eg +sci.eg + +// er : http://en.wikipedia.org/wiki/.er +*.er + +// es : https://www.nic.es/site_ingles/ingles/dominios/index.html +es +com.es +nom.es +org.es +gob.es +edu.es + +// et : http://en.wikipedia.org/wiki/.et +et +com.et +gov.et +org.et +edu.et +biz.et +name.et +info.et + +// eu : http://en.wikipedia.org/wiki/.eu +eu + +// fi : http://en.wikipedia.org/wiki/.fi +fi +// aland.fi : http://en.wikipedia.org/wiki/.ax +// This domain is being phased out in favor of .ax. As there are still many +// domains under aland.fi, we still keep it on the list until aland.fi is +// completely removed. 
+// TODO: Check for updates (expected to be phased out around Q1/2009) +aland.fi + +// fj : http://en.wikipedia.org/wiki/.fj +*.fj + +// fk : http://en.wikipedia.org/wiki/.fk +*.fk + +// fm : http://en.wikipedia.org/wiki/.fm +fm + +// fo : http://en.wikipedia.org/wiki/.fo +fo + +// fr : http://www.afnic.fr/ +// domaines descriptifs : http://www.afnic.fr/obtenir/chartes/nommage-fr/annexe-descriptifs +fr +com.fr +asso.fr +nom.fr +prd.fr +presse.fr +tm.fr +// domaines sectoriels : http://www.afnic.fr/obtenir/chartes/nommage-fr/annexe-sectoriels +aeroport.fr +assedic.fr +avocat.fr +avoues.fr +cci.fr +chambagri.fr +chirurgiens-dentistes.fr +experts-comptables.fr +geometre-expert.fr +gouv.fr +greta.fr +huissier-justice.fr +medecin.fr +notaires.fr +pharmacien.fr +port.fr +veterinaire.fr + +// ga : http://en.wikipedia.org/wiki/.ga +ga + +// gb : This registry is effectively dormant +// Submitted by registry 2008-06-12 +gb + +// gd : http://en.wikipedia.org/wiki/.gd +gd + +// ge : http://www.nic.net.ge/policy_en.pdf +ge +com.ge +edu.ge +gov.ge +org.ge +mil.ge +net.ge +pvt.ge + +// gf : http://en.wikipedia.org/wiki/.gf +gf + +// gg : http://www.channelisles.net/register-domains/ +// Confirmed by registry 2013-11-28 +gg +co.gg +net.gg +org.gg + +// gh : http://en.wikipedia.org/wiki/.gh +// see also: http://www.nic.gh/reg_now.php +// Although domains directly at second level are not possible at the moment, +// they have been possible for some time and may come back. 
+gh +com.gh +edu.gh +gov.gh +org.gh +mil.gh + +// gi : http://www.nic.gi/rules.html +gi +com.gi +ltd.gi +gov.gi +mod.gi +edu.gi +org.gi + +// gl : http://en.wikipedia.org/wiki/.gl +// http://nic.gl +gl + +// gm : http://www.nic.gm/htmlpages%5Cgm-policy.htm +gm + +// gn : http://psg.com/dns/gn/gn.txt +// Submitted by registry 2008-06-17 +gn +ac.gn +com.gn +edu.gn +gov.gn +org.gn +net.gn + +// gov : http://en.wikipedia.org/wiki/.gov +gov + +// gp : http://www.nic.gp/index.php?lang=en +gp +com.gp +net.gp +mobi.gp +edu.gp +org.gp +asso.gp + +// gq : http://en.wikipedia.org/wiki/.gq +gq + +// gr : https://grweb.ics.forth.gr/english/1617-B-2005.html +// Submitted by registry 2008-06-09 +gr +com.gr +edu.gr +net.gr +org.gr +gov.gr + +// gs : http://en.wikipedia.org/wiki/.gs +gs + +// gt : http://www.gt/politicas_de_registro.html +gt +com.gt +edu.gt +gob.gt +ind.gt +mil.gt +net.gt +org.gt + +// gu : http://gadao.gov.gu/registration.txt +*.gu + +// gw : http://en.wikipedia.org/wiki/.gw +gw + +// gy : http://en.wikipedia.org/wiki/.gy +// http://registry.gy/ +gy +co.gy +com.gy +net.gy + +// hk : https://www.hkdnr.hk +// Submitted by registry 2008-06-11 +hk +com.hk +edu.hk +gov.hk +idv.hk +net.hk +org.hk +公司.hk +教育.hk +敎育.hk +政府.hk +個人.hk +个人.hk +箇人.hk +網络.hk +网络.hk +组織.hk +網絡.hk +网絡.hk +组织.hk +組織.hk +組织.hk + +// hm : http://en.wikipedia.org/wiki/.hm +hm + +// hn : http://www.nic.hn/politicas/ps02,,05.html +hn +com.hn +edu.hn +org.hn +net.hn +mil.hn +gob.hn + +// hr : http://www.dns.hr/documents/pdf/HRTLD-regulations.pdf +hr +iz.hr +from.hr +name.hr +com.hr + +// ht : http://www.nic.ht/info/charte.cfm +ht +com.ht +shop.ht +firm.ht +info.ht +adult.ht +net.ht +pro.ht +org.ht +med.ht +art.ht +coop.ht +pol.ht +asso.ht +edu.ht +rel.ht +gouv.ht +perso.ht + +// hu : http://www.domain.hu/domain/English/sld.html +// Confirmed by registry 2008-06-12 +hu +co.hu +info.hu +org.hu +priv.hu +sport.hu +tm.hu +2000.hu +agrar.hu +bolt.hu +casino.hu +city.hu +erotica.hu +erotika.hu +film.hu 
+forum.hu +games.hu +hotel.hu +ingatlan.hu +jogasz.hu +konyvelo.hu +lakas.hu +media.hu +news.hu +reklam.hu +sex.hu +shop.hu +suli.hu +szex.hu +tozsde.hu +utazas.hu +video.hu + +// id : https://register.pandi.or.id/ +id +ac.id +biz.id +co.id +desa.id +go.id +mil.id +my.id +net.id +or.id +sch.id +web.id + +// ie : http://en.wikipedia.org/wiki/.ie +ie +gov.ie + +// il : http://en.wikipedia.org/wiki/.il +*.il + +// im : https://www.nic.im/ +// Submitted by registry 2013-11-15 +im +ac.im +co.im +com.im +ltd.co.im +net.im +org.im +plc.co.im +tt.im +tv.im + +// in : http://en.wikipedia.org/wiki/.in +// see also: https://registry.in/Policies +// Please note, that nic.in is not an offical eTLD, but used by most +// government institutions. +in +co.in +firm.in +net.in +org.in +gen.in +ind.in +nic.in +ac.in +edu.in +res.in +gov.in +mil.in + +// info : http://en.wikipedia.org/wiki/.info +info + +// int : http://en.wikipedia.org/wiki/.int +// Confirmed by registry 2008-06-18 +int +eu.int + +// io : http://www.nic.io/rules.html +// list of other 2nd level tlds ? 
+io +com.io + +// iq : http://www.cmc.iq/english/iq/iqregister1.htm +iq +gov.iq +edu.iq +mil.iq +com.iq +org.iq +net.iq + +// ir : http://www.nic.ir/Terms_and_Conditions_ir,_Appendix_1_Domain_Rules +// Also see http://www.nic.ir/Internationalized_Domain_Names +// Two .ir entries added at request of , 2010-04-16 +ir +ac.ir +co.ir +gov.ir +id.ir +net.ir +org.ir +sch.ir +// xn--mgba3a4f16a.ir (.ir, Persian YEH) +ایران.ir +// xn--mgba3a4fra.ir (.ir, Arabic YEH) +ايران.ir + +// is : http://www.isnic.is/domain/rules.php +// Confirmed by registry 2008-12-06 +is +net.is +com.is +edu.is +gov.is +org.is +int.is + +// it : http://en.wikipedia.org/wiki/.it +it +gov.it +edu.it +// Reserved geo-names: +// http://www.nic.it/documenti/regolamenti-e-linee-guida/regolamento-assegnazione-versione-6.0.pdf +// There is also a list of reserved geo-names corresponding to Italian municipalities +// http://www.nic.it/documenti/appendice-c.pdf, but it is not included here. +// Regions +abr.it +abruzzo.it +aosta-valley.it +aostavalley.it +bas.it +basilicata.it +cal.it +calabria.it +cam.it +campania.it +emilia-romagna.it +emiliaromagna.it +emr.it +friuli-v-giulia.it +friuli-ve-giulia.it +friuli-vegiulia.it +friuli-venezia-giulia.it +friuli-veneziagiulia.it +friuli-vgiulia.it +friuliv-giulia.it +friulive-giulia.it +friulivegiulia.it +friulivenezia-giulia.it +friuliveneziagiulia.it +friulivgiulia.it +fvg.it +laz.it +lazio.it +lig.it +liguria.it +lom.it +lombardia.it +lombardy.it +lucania.it +mar.it +marche.it +mol.it +molise.it +piedmont.it +piemonte.it +pmn.it +pug.it +puglia.it +sar.it +sardegna.it +sardinia.it +sic.it +sicilia.it +sicily.it +taa.it +tos.it +toscana.it +trentino-a-adige.it +trentino-aadige.it +trentino-alto-adige.it +trentino-altoadige.it +trentino-s-tirol.it +trentino-stirol.it +trentino-sud-tirol.it +trentino-sudtirol.it +trentino-sued-tirol.it +trentino-suedtirol.it +trentinoa-adige.it +trentinoaadige.it +trentinoalto-adige.it +trentinoaltoadige.it +trentinos-tirol.it 
+trentinostirol.it +trentinosud-tirol.it +trentinosudtirol.it +trentinosued-tirol.it +trentinosuedtirol.it +tuscany.it +umb.it +umbria.it +val-d-aosta.it +val-daosta.it +vald-aosta.it +valdaosta.it +valle-aosta.it +valle-d-aosta.it +valle-daosta.it +valleaosta.it +valled-aosta.it +valledaosta.it +vallee-aoste.it +valleeaoste.it +vao.it +vda.it +ven.it +veneto.it +// Provinces +ag.it +agrigento.it +al.it +alessandria.it +alto-adige.it +altoadige.it +an.it +ancona.it +andria-barletta-trani.it +andria-trani-barletta.it +andriabarlettatrani.it +andriatranibarletta.it +ao.it +aosta.it +aoste.it +ap.it +aq.it +aquila.it +ar.it +arezzo.it +ascoli-piceno.it +ascolipiceno.it +asti.it +at.it +av.it +avellino.it +ba.it +balsan.it +bari.it +barletta-trani-andria.it +barlettatraniandria.it +belluno.it +benevento.it +bergamo.it +bg.it +bi.it +biella.it +bl.it +bn.it +bo.it +bologna.it +bolzano.it +bozen.it +br.it +brescia.it +brindisi.it +bs.it +bt.it +bz.it +ca.it +cagliari.it +caltanissetta.it +campidano-medio.it +campidanomedio.it +campobasso.it +carbonia-iglesias.it +carboniaiglesias.it +carrara-massa.it +carraramassa.it +caserta.it +catania.it +catanzaro.it +cb.it +ce.it +cesena-forli.it +cesenaforli.it +ch.it +chieti.it +ci.it +cl.it +cn.it +co.it +como.it +cosenza.it +cr.it +cremona.it +crotone.it +cs.it +ct.it +cuneo.it +cz.it +dell-ogliastra.it +dellogliastra.it +en.it +enna.it +fc.it +fe.it +fermo.it +ferrara.it +fg.it +fi.it +firenze.it +florence.it +fm.it +foggia.it +forli-cesena.it +forlicesena.it +fr.it +frosinone.it +ge.it +genoa.it +genova.it +go.it +gorizia.it +gr.it +grosseto.it +iglesias-carbonia.it +iglesiascarbonia.it +im.it +imperia.it +is.it +isernia.it +kr.it +la-spezia.it +laquila.it +laspezia.it +latina.it +lc.it +le.it +lecce.it +lecco.it +li.it +livorno.it +lo.it +lodi.it +lt.it +lu.it +lucca.it +macerata.it +mantova.it +massa-carrara.it +massacarrara.it +matera.it +mb.it +mc.it +me.it +medio-campidano.it +mediocampidano.it +messina.it +mi.it 
+milan.it +milano.it +mn.it +mo.it +modena.it +monza-brianza.it +monza-e-della-brianza.it +monza.it +monzabrianza.it +monzaebrianza.it +monzaedellabrianza.it +ms.it +mt.it +na.it +naples.it +napoli.it +no.it +novara.it +nu.it +nuoro.it +og.it +ogliastra.it +olbia-tempio.it +olbiatempio.it +or.it +oristano.it +ot.it +pa.it +padova.it +padua.it +palermo.it +parma.it +pavia.it +pc.it +pd.it +pe.it +perugia.it +pesaro-urbino.it +pesarourbino.it +pescara.it +pg.it +pi.it +piacenza.it +pisa.it +pistoia.it +pn.it +po.it +pordenone.it +potenza.it +pr.it +prato.it +pt.it +pu.it +pv.it +pz.it +ra.it +ragusa.it +ravenna.it +rc.it +re.it +reggio-calabria.it +reggio-emilia.it +reggiocalabria.it +reggioemilia.it +rg.it +ri.it +rieti.it +rimini.it +rm.it +rn.it +ro.it +roma.it +rome.it +rovigo.it +sa.it +salerno.it +sassari.it +savona.it +si.it +siena.it +siracusa.it +so.it +sondrio.it +sp.it +sr.it +ss.it +suedtirol.it +sv.it +ta.it +taranto.it +te.it +tempio-olbia.it +tempioolbia.it +teramo.it +terni.it +tn.it +to.it +torino.it +tp.it +tr.it +trani-andria-barletta.it +trani-barletta-andria.it +traniandriabarletta.it +tranibarlettaandria.it +trapani.it +trentino.it +trento.it +treviso.it +trieste.it +ts.it +turin.it +tv.it +ud.it +udine.it +urbino-pesaro.it +urbinopesaro.it +va.it +varese.it +vb.it +vc.it +ve.it +venezia.it +venice.it +verbania.it +vercelli.it +verona.it +vi.it +vibo-valentia.it +vibovalentia.it +vicenza.it +viterbo.it +vr.it +vs.it +vt.it +vv.it + +// je : http://www.channelisles.net/register-domains/ +// Confirmed by registry 2013-11-28 +je +co.je +net.je +org.je + +// jm : http://www.com.jm/register.html +*.jm + +// jo : http://www.dns.jo/Registration_policy.aspx +jo +com.jo +org.jo +net.jo +edu.jo +sch.jo +gov.jo +mil.jo +name.jo + +// jobs : http://en.wikipedia.org/wiki/.jobs +jobs + +// jp : http://en.wikipedia.org/wiki/.jp +// http://jprs.co.jp/en/jpdomain.html +// Submitted by registry 2014-10-30 +jp +// jp organizational type names +ac.jp +ad.jp +co.jp 
+ed.jp +go.jp +gr.jp +lg.jp +ne.jp +or.jp +// jp prefecture type names +aichi.jp +akita.jp +aomori.jp +chiba.jp +ehime.jp +fukui.jp +fukuoka.jp +fukushima.jp +gifu.jp +gunma.jp +hiroshima.jp +hokkaido.jp +hyogo.jp +ibaraki.jp +ishikawa.jp +iwate.jp +kagawa.jp +kagoshima.jp +kanagawa.jp +kochi.jp +kumamoto.jp +kyoto.jp +mie.jp +miyagi.jp +miyazaki.jp +nagano.jp +nagasaki.jp +nara.jp +niigata.jp +oita.jp +okayama.jp +okinawa.jp +osaka.jp +saga.jp +saitama.jp +shiga.jp +shimane.jp +shizuoka.jp +tochigi.jp +tokushima.jp +tokyo.jp +tottori.jp +toyama.jp +wakayama.jp +yamagata.jp +yamaguchi.jp +yamanashi.jp +栃木.jp +愛知.jp +愛媛.jp +兵庫.jp +熊本.jp +茨城.jp +北海道.jp +千葉.jp +和歌山.jp +長崎.jp +長野.jp +新潟.jp +青森.jp +静岡.jp +東京.jp +石川.jp +埼玉.jp +三重.jp +京都.jp +佐賀.jp +大分.jp +大阪.jp +奈良.jp +宮城.jp +宮崎.jp +富山.jp +山口.jp +山形.jp +山梨.jp +岩手.jp +岐阜.jp +岡山.jp +島根.jp +広島.jp +徳島.jp +沖縄.jp +滋賀.jp +神奈川.jp +福井.jp +福岡.jp +福島.jp +秋田.jp +群馬.jp +香川.jp +高知.jp +鳥取.jp +鹿児島.jp +// jp geographic type names +// http://jprs.jp/doc/rule/saisoku-1.html +*.kawasaki.jp +*.kitakyushu.jp +*.kobe.jp +*.nagoya.jp +*.sapporo.jp +*.sendai.jp +*.yokohama.jp +!city.kawasaki.jp +!city.kitakyushu.jp +!city.kobe.jp +!city.nagoya.jp +!city.sapporo.jp +!city.sendai.jp +!city.yokohama.jp +// 4th level registration +aisai.aichi.jp +ama.aichi.jp +anjo.aichi.jp +asuke.aichi.jp +chiryu.aichi.jp +chita.aichi.jp +fuso.aichi.jp +gamagori.aichi.jp +handa.aichi.jp +hazu.aichi.jp +hekinan.aichi.jp +higashiura.aichi.jp +ichinomiya.aichi.jp +inazawa.aichi.jp +inuyama.aichi.jp +isshiki.aichi.jp +iwakura.aichi.jp +kanie.aichi.jp +kariya.aichi.jp +kasugai.aichi.jp +kira.aichi.jp +kiyosu.aichi.jp +komaki.aichi.jp +konan.aichi.jp +kota.aichi.jp +mihama.aichi.jp +miyoshi.aichi.jp +nishio.aichi.jp +nisshin.aichi.jp +obu.aichi.jp +oguchi.aichi.jp +oharu.aichi.jp +okazaki.aichi.jp +owariasahi.aichi.jp +seto.aichi.jp +shikatsu.aichi.jp +shinshiro.aichi.jp +shitara.aichi.jp +tahara.aichi.jp +takahama.aichi.jp +tobishima.aichi.jp +toei.aichi.jp 
+togo.aichi.jp +tokai.aichi.jp +tokoname.aichi.jp +toyoake.aichi.jp +toyohashi.aichi.jp +toyokawa.aichi.jp +toyone.aichi.jp +toyota.aichi.jp +tsushima.aichi.jp +yatomi.aichi.jp +akita.akita.jp +daisen.akita.jp +fujisato.akita.jp +gojome.akita.jp +hachirogata.akita.jp +happou.akita.jp +higashinaruse.akita.jp +honjo.akita.jp +honjyo.akita.jp +ikawa.akita.jp +kamikoani.akita.jp +kamioka.akita.jp +katagami.akita.jp +kazuno.akita.jp +kitaakita.akita.jp +kosaka.akita.jp +kyowa.akita.jp +misato.akita.jp +mitane.akita.jp +moriyoshi.akita.jp +nikaho.akita.jp +noshiro.akita.jp +odate.akita.jp +oga.akita.jp +ogata.akita.jp +semboku.akita.jp +yokote.akita.jp +yurihonjo.akita.jp +aomori.aomori.jp +gonohe.aomori.jp +hachinohe.aomori.jp +hashikami.aomori.jp +hiranai.aomori.jp +hirosaki.aomori.jp +itayanagi.aomori.jp +kuroishi.aomori.jp +misawa.aomori.jp +mutsu.aomori.jp +nakadomari.aomori.jp +noheji.aomori.jp +oirase.aomori.jp +owani.aomori.jp +rokunohe.aomori.jp +sannohe.aomori.jp +shichinohe.aomori.jp +shingo.aomori.jp +takko.aomori.jp +towada.aomori.jp +tsugaru.aomori.jp +tsuruta.aomori.jp +abiko.chiba.jp +asahi.chiba.jp +chonan.chiba.jp +chosei.chiba.jp +choshi.chiba.jp +chuo.chiba.jp +funabashi.chiba.jp +futtsu.chiba.jp +hanamigawa.chiba.jp +ichihara.chiba.jp +ichikawa.chiba.jp +ichinomiya.chiba.jp +inzai.chiba.jp +isumi.chiba.jp +kamagaya.chiba.jp +kamogawa.chiba.jp +kashiwa.chiba.jp +katori.chiba.jp +katsuura.chiba.jp +kimitsu.chiba.jp +kisarazu.chiba.jp +kozaki.chiba.jp +kujukuri.chiba.jp +kyonan.chiba.jp +matsudo.chiba.jp +midori.chiba.jp +mihama.chiba.jp +minamiboso.chiba.jp +mobara.chiba.jp +mutsuzawa.chiba.jp +nagara.chiba.jp +nagareyama.chiba.jp +narashino.chiba.jp +narita.chiba.jp +noda.chiba.jp +oamishirasato.chiba.jp +omigawa.chiba.jp +onjuku.chiba.jp +otaki.chiba.jp +sakae.chiba.jp +sakura.chiba.jp +shimofusa.chiba.jp +shirako.chiba.jp +shiroi.chiba.jp +shisui.chiba.jp +sodegaura.chiba.jp +sosa.chiba.jp +tako.chiba.jp +tateyama.chiba.jp +togane.chiba.jp 
+tohnosho.chiba.jp +tomisato.chiba.jp +urayasu.chiba.jp +yachimata.chiba.jp +yachiyo.chiba.jp +yokaichiba.chiba.jp +yokoshibahikari.chiba.jp +yotsukaido.chiba.jp +ainan.ehime.jp +honai.ehime.jp +ikata.ehime.jp +imabari.ehime.jp +iyo.ehime.jp +kamijima.ehime.jp +kihoku.ehime.jp +kumakogen.ehime.jp +masaki.ehime.jp +matsuno.ehime.jp +matsuyama.ehime.jp +namikata.ehime.jp +niihama.ehime.jp +ozu.ehime.jp +saijo.ehime.jp +seiyo.ehime.jp +shikokuchuo.ehime.jp +tobe.ehime.jp +toon.ehime.jp +uchiko.ehime.jp +uwajima.ehime.jp +yawatahama.ehime.jp +echizen.fukui.jp +eiheiji.fukui.jp +fukui.fukui.jp +ikeda.fukui.jp +katsuyama.fukui.jp +mihama.fukui.jp +minamiechizen.fukui.jp +obama.fukui.jp +ohi.fukui.jp +ono.fukui.jp +sabae.fukui.jp +sakai.fukui.jp +takahama.fukui.jp +tsuruga.fukui.jp +wakasa.fukui.jp +ashiya.fukuoka.jp +buzen.fukuoka.jp +chikugo.fukuoka.jp +chikuho.fukuoka.jp +chikujo.fukuoka.jp +chikushino.fukuoka.jp +chikuzen.fukuoka.jp +chuo.fukuoka.jp +dazaifu.fukuoka.jp +fukuchi.fukuoka.jp +hakata.fukuoka.jp +higashi.fukuoka.jp +hirokawa.fukuoka.jp +hisayama.fukuoka.jp +iizuka.fukuoka.jp +inatsuki.fukuoka.jp +kaho.fukuoka.jp +kasuga.fukuoka.jp +kasuya.fukuoka.jp +kawara.fukuoka.jp +keisen.fukuoka.jp +koga.fukuoka.jp +kurate.fukuoka.jp +kurogi.fukuoka.jp +kurume.fukuoka.jp +minami.fukuoka.jp +miyako.fukuoka.jp +miyama.fukuoka.jp +miyawaka.fukuoka.jp +mizumaki.fukuoka.jp +munakata.fukuoka.jp +nakagawa.fukuoka.jp +nakama.fukuoka.jp +nishi.fukuoka.jp +nogata.fukuoka.jp +ogori.fukuoka.jp +okagaki.fukuoka.jp +okawa.fukuoka.jp +oki.fukuoka.jp +omuta.fukuoka.jp +onga.fukuoka.jp +onojo.fukuoka.jp +oto.fukuoka.jp +saigawa.fukuoka.jp +sasaguri.fukuoka.jp +shingu.fukuoka.jp +shinyoshitomi.fukuoka.jp +shonai.fukuoka.jp +soeda.fukuoka.jp +sue.fukuoka.jp +tachiarai.fukuoka.jp +tagawa.fukuoka.jp +takata.fukuoka.jp +toho.fukuoka.jp +toyotsu.fukuoka.jp +tsuiki.fukuoka.jp +ukiha.fukuoka.jp +umi.fukuoka.jp +usui.fukuoka.jp +yamada.fukuoka.jp +yame.fukuoka.jp +yanagawa.fukuoka.jp 
+yukuhashi.fukuoka.jp +aizubange.fukushima.jp +aizumisato.fukushima.jp +aizuwakamatsu.fukushima.jp +asakawa.fukushima.jp +bandai.fukushima.jp +date.fukushima.jp +fukushima.fukushima.jp +furudono.fukushima.jp +futaba.fukushima.jp +hanawa.fukushima.jp +higashi.fukushima.jp +hirata.fukushima.jp +hirono.fukushima.jp +iitate.fukushima.jp +inawashiro.fukushima.jp +ishikawa.fukushima.jp +iwaki.fukushima.jp +izumizaki.fukushima.jp +kagamiishi.fukushima.jp +kaneyama.fukushima.jp +kawamata.fukushima.jp +kitakata.fukushima.jp +kitashiobara.fukushima.jp +koori.fukushima.jp +koriyama.fukushima.jp +kunimi.fukushima.jp +miharu.fukushima.jp +mishima.fukushima.jp +namie.fukushima.jp +nango.fukushima.jp +nishiaizu.fukushima.jp +nishigo.fukushima.jp +okuma.fukushima.jp +omotego.fukushima.jp +ono.fukushima.jp +otama.fukushima.jp +samegawa.fukushima.jp +shimogo.fukushima.jp +shirakawa.fukushima.jp +showa.fukushima.jp +soma.fukushima.jp +sukagawa.fukushima.jp +taishin.fukushima.jp +tamakawa.fukushima.jp +tanagura.fukushima.jp +tenei.fukushima.jp +yabuki.fukushima.jp +yamato.fukushima.jp +yamatsuri.fukushima.jp +yanaizu.fukushima.jp +yugawa.fukushima.jp +anpachi.gifu.jp +ena.gifu.jp +gifu.gifu.jp +ginan.gifu.jp +godo.gifu.jp +gujo.gifu.jp +hashima.gifu.jp +hichiso.gifu.jp +hida.gifu.jp +higashishirakawa.gifu.jp +ibigawa.gifu.jp +ikeda.gifu.jp +kakamigahara.gifu.jp +kani.gifu.jp +kasahara.gifu.jp +kasamatsu.gifu.jp +kawaue.gifu.jp +kitagata.gifu.jp +mino.gifu.jp +minokamo.gifu.jp +mitake.gifu.jp +mizunami.gifu.jp +motosu.gifu.jp +nakatsugawa.gifu.jp +ogaki.gifu.jp +sakahogi.gifu.jp +seki.gifu.jp +sekigahara.gifu.jp +shirakawa.gifu.jp +tajimi.gifu.jp +takayama.gifu.jp +tarui.gifu.jp +toki.gifu.jp +tomika.gifu.jp +wanouchi.gifu.jp +yamagata.gifu.jp +yaotsu.gifu.jp +yoro.gifu.jp +annaka.gunma.jp +chiyoda.gunma.jp +fujioka.gunma.jp +higashiagatsuma.gunma.jp +isesaki.gunma.jp +itakura.gunma.jp +kanna.gunma.jp +kanra.gunma.jp +katashina.gunma.jp +kawaba.gunma.jp +kiryu.gunma.jp 
+kusatsu.gunma.jp +maebashi.gunma.jp +meiwa.gunma.jp +midori.gunma.jp +minakami.gunma.jp +naganohara.gunma.jp +nakanojo.gunma.jp +nanmoku.gunma.jp +numata.gunma.jp +oizumi.gunma.jp +ora.gunma.jp +ota.gunma.jp +shibukawa.gunma.jp +shimonita.gunma.jp +shinto.gunma.jp +showa.gunma.jp +takasaki.gunma.jp +takayama.gunma.jp +tamamura.gunma.jp +tatebayashi.gunma.jp +tomioka.gunma.jp +tsukiyono.gunma.jp +tsumagoi.gunma.jp +ueno.gunma.jp +yoshioka.gunma.jp +asaminami.hiroshima.jp +daiwa.hiroshima.jp +etajima.hiroshima.jp +fuchu.hiroshima.jp +fukuyama.hiroshima.jp +hatsukaichi.hiroshima.jp +higashihiroshima.hiroshima.jp +hongo.hiroshima.jp +jinsekikogen.hiroshima.jp +kaita.hiroshima.jp +kui.hiroshima.jp +kumano.hiroshima.jp +kure.hiroshima.jp +mihara.hiroshima.jp +miyoshi.hiroshima.jp +naka.hiroshima.jp +onomichi.hiroshima.jp +osakikamijima.hiroshima.jp +otake.hiroshima.jp +saka.hiroshima.jp +sera.hiroshima.jp +seranishi.hiroshima.jp +shinichi.hiroshima.jp +shobara.hiroshima.jp +takehara.hiroshima.jp +abashiri.hokkaido.jp +abira.hokkaido.jp +aibetsu.hokkaido.jp +akabira.hokkaido.jp +akkeshi.hokkaido.jp +asahikawa.hokkaido.jp +ashibetsu.hokkaido.jp +ashoro.hokkaido.jp +assabu.hokkaido.jp +atsuma.hokkaido.jp +bibai.hokkaido.jp +biei.hokkaido.jp +bifuka.hokkaido.jp +bihoro.hokkaido.jp +biratori.hokkaido.jp +chippubetsu.hokkaido.jp +chitose.hokkaido.jp +date.hokkaido.jp +ebetsu.hokkaido.jp +embetsu.hokkaido.jp +eniwa.hokkaido.jp +erimo.hokkaido.jp +esan.hokkaido.jp +esashi.hokkaido.jp +fukagawa.hokkaido.jp +fukushima.hokkaido.jp +furano.hokkaido.jp +furubira.hokkaido.jp +haboro.hokkaido.jp +hakodate.hokkaido.jp +hamatonbetsu.hokkaido.jp +hidaka.hokkaido.jp +higashikagura.hokkaido.jp +higashikawa.hokkaido.jp +hiroo.hokkaido.jp +hokuryu.hokkaido.jp +hokuto.hokkaido.jp +honbetsu.hokkaido.jp +horokanai.hokkaido.jp +horonobe.hokkaido.jp +ikeda.hokkaido.jp +imakane.hokkaido.jp +ishikari.hokkaido.jp +iwamizawa.hokkaido.jp +iwanai.hokkaido.jp +kamifurano.hokkaido.jp 
+kamikawa.hokkaido.jp +kamishihoro.hokkaido.jp +kamisunagawa.hokkaido.jp +kamoenai.hokkaido.jp +kayabe.hokkaido.jp +kembuchi.hokkaido.jp +kikonai.hokkaido.jp +kimobetsu.hokkaido.jp +kitahiroshima.hokkaido.jp +kitami.hokkaido.jp +kiyosato.hokkaido.jp +koshimizu.hokkaido.jp +kunneppu.hokkaido.jp +kuriyama.hokkaido.jp +kuromatsunai.hokkaido.jp +kushiro.hokkaido.jp +kutchan.hokkaido.jp +kyowa.hokkaido.jp +mashike.hokkaido.jp +matsumae.hokkaido.jp +mikasa.hokkaido.jp +minamifurano.hokkaido.jp +mombetsu.hokkaido.jp +moseushi.hokkaido.jp +mukawa.hokkaido.jp +muroran.hokkaido.jp +naie.hokkaido.jp +nakagawa.hokkaido.jp +nakasatsunai.hokkaido.jp +nakatombetsu.hokkaido.jp +nanae.hokkaido.jp +nanporo.hokkaido.jp +nayoro.hokkaido.jp +nemuro.hokkaido.jp +niikappu.hokkaido.jp +niki.hokkaido.jp +nishiokoppe.hokkaido.jp +noboribetsu.hokkaido.jp +numata.hokkaido.jp +obihiro.hokkaido.jp +obira.hokkaido.jp +oketo.hokkaido.jp +okoppe.hokkaido.jp +otaru.hokkaido.jp +otobe.hokkaido.jp +otofuke.hokkaido.jp +otoineppu.hokkaido.jp +oumu.hokkaido.jp +ozora.hokkaido.jp +pippu.hokkaido.jp +rankoshi.hokkaido.jp +rebun.hokkaido.jp +rikubetsu.hokkaido.jp +rishiri.hokkaido.jp +rishirifuji.hokkaido.jp +saroma.hokkaido.jp +sarufutsu.hokkaido.jp +shakotan.hokkaido.jp +shari.hokkaido.jp +shibecha.hokkaido.jp +shibetsu.hokkaido.jp +shikabe.hokkaido.jp +shikaoi.hokkaido.jp +shimamaki.hokkaido.jp +shimizu.hokkaido.jp +shimokawa.hokkaido.jp +shinshinotsu.hokkaido.jp +shintoku.hokkaido.jp +shiranuka.hokkaido.jp +shiraoi.hokkaido.jp +shiriuchi.hokkaido.jp +sobetsu.hokkaido.jp +sunagawa.hokkaido.jp +taiki.hokkaido.jp +takasu.hokkaido.jp +takikawa.hokkaido.jp +takinoue.hokkaido.jp +teshikaga.hokkaido.jp +tobetsu.hokkaido.jp +tohma.hokkaido.jp +tomakomai.hokkaido.jp +tomari.hokkaido.jp +toya.hokkaido.jp +toyako.hokkaido.jp +toyotomi.hokkaido.jp +toyoura.hokkaido.jp +tsubetsu.hokkaido.jp +tsukigata.hokkaido.jp +urakawa.hokkaido.jp +urausu.hokkaido.jp +uryu.hokkaido.jp +utashinai.hokkaido.jp 
+wakkanai.hokkaido.jp +wassamu.hokkaido.jp +yakumo.hokkaido.jp +yoichi.hokkaido.jp +aioi.hyogo.jp +akashi.hyogo.jp +ako.hyogo.jp +amagasaki.hyogo.jp +aogaki.hyogo.jp +asago.hyogo.jp +ashiya.hyogo.jp +awaji.hyogo.jp +fukusaki.hyogo.jp +goshiki.hyogo.jp +harima.hyogo.jp +himeji.hyogo.jp +ichikawa.hyogo.jp +inagawa.hyogo.jp +itami.hyogo.jp +kakogawa.hyogo.jp +kamigori.hyogo.jp +kamikawa.hyogo.jp +kasai.hyogo.jp +kasuga.hyogo.jp +kawanishi.hyogo.jp +miki.hyogo.jp +minamiawaji.hyogo.jp +nishinomiya.hyogo.jp +nishiwaki.hyogo.jp +ono.hyogo.jp +sanda.hyogo.jp +sannan.hyogo.jp +sasayama.hyogo.jp +sayo.hyogo.jp +shingu.hyogo.jp +shinonsen.hyogo.jp +shiso.hyogo.jp +sumoto.hyogo.jp +taishi.hyogo.jp +taka.hyogo.jp +takarazuka.hyogo.jp +takasago.hyogo.jp +takino.hyogo.jp +tamba.hyogo.jp +tatsuno.hyogo.jp +toyooka.hyogo.jp +yabu.hyogo.jp +yashiro.hyogo.jp +yoka.hyogo.jp +yokawa.hyogo.jp +ami.ibaraki.jp +asahi.ibaraki.jp +bando.ibaraki.jp +chikusei.ibaraki.jp +daigo.ibaraki.jp +fujishiro.ibaraki.jp +hitachi.ibaraki.jp +hitachinaka.ibaraki.jp +hitachiomiya.ibaraki.jp +hitachiota.ibaraki.jp +ibaraki.ibaraki.jp +ina.ibaraki.jp +inashiki.ibaraki.jp +itako.ibaraki.jp +iwama.ibaraki.jp +joso.ibaraki.jp +kamisu.ibaraki.jp +kasama.ibaraki.jp +kashima.ibaraki.jp +kasumigaura.ibaraki.jp +koga.ibaraki.jp +miho.ibaraki.jp +mito.ibaraki.jp +moriya.ibaraki.jp +naka.ibaraki.jp +namegata.ibaraki.jp +oarai.ibaraki.jp +ogawa.ibaraki.jp +omitama.ibaraki.jp +ryugasaki.ibaraki.jp +sakai.ibaraki.jp +sakuragawa.ibaraki.jp +shimodate.ibaraki.jp +shimotsuma.ibaraki.jp +shirosato.ibaraki.jp +sowa.ibaraki.jp +suifu.ibaraki.jp +takahagi.ibaraki.jp +tamatsukuri.ibaraki.jp +tokai.ibaraki.jp +tomobe.ibaraki.jp +tone.ibaraki.jp +toride.ibaraki.jp +tsuchiura.ibaraki.jp +tsukuba.ibaraki.jp +uchihara.ibaraki.jp +ushiku.ibaraki.jp +yachiyo.ibaraki.jp +yamagata.ibaraki.jp +yawara.ibaraki.jp +yuki.ibaraki.jp +anamizu.ishikawa.jp +hakui.ishikawa.jp +hakusan.ishikawa.jp +kaga.ishikawa.jp +kahoku.ishikawa.jp 
+kanazawa.ishikawa.jp +kawakita.ishikawa.jp +komatsu.ishikawa.jp +nakanoto.ishikawa.jp +nanao.ishikawa.jp +nomi.ishikawa.jp +nonoichi.ishikawa.jp +noto.ishikawa.jp +shika.ishikawa.jp +suzu.ishikawa.jp +tsubata.ishikawa.jp +tsurugi.ishikawa.jp +uchinada.ishikawa.jp +wajima.ishikawa.jp +fudai.iwate.jp +fujisawa.iwate.jp +hanamaki.iwate.jp +hiraizumi.iwate.jp +hirono.iwate.jp +ichinohe.iwate.jp +ichinoseki.iwate.jp +iwaizumi.iwate.jp +iwate.iwate.jp +joboji.iwate.jp +kamaishi.iwate.jp +kanegasaki.iwate.jp +karumai.iwate.jp +kawai.iwate.jp +kitakami.iwate.jp +kuji.iwate.jp +kunohe.iwate.jp +kuzumaki.iwate.jp +miyako.iwate.jp +mizusawa.iwate.jp +morioka.iwate.jp +ninohe.iwate.jp +noda.iwate.jp +ofunato.iwate.jp +oshu.iwate.jp +otsuchi.iwate.jp +rikuzentakata.iwate.jp +shiwa.iwate.jp +shizukuishi.iwate.jp +sumita.iwate.jp +tanohata.iwate.jp +tono.iwate.jp +yahaba.iwate.jp +yamada.iwate.jp +ayagawa.kagawa.jp +higashikagawa.kagawa.jp +kanonji.kagawa.jp +kotohira.kagawa.jp +manno.kagawa.jp +marugame.kagawa.jp +mitoyo.kagawa.jp +naoshima.kagawa.jp +sanuki.kagawa.jp +tadotsu.kagawa.jp +takamatsu.kagawa.jp +tonosho.kagawa.jp +uchinomi.kagawa.jp +utazu.kagawa.jp +zentsuji.kagawa.jp +akune.kagoshima.jp +amami.kagoshima.jp +hioki.kagoshima.jp +isa.kagoshima.jp +isen.kagoshima.jp +izumi.kagoshima.jp +kagoshima.kagoshima.jp +kanoya.kagoshima.jp +kawanabe.kagoshima.jp +kinko.kagoshima.jp +kouyama.kagoshima.jp +makurazaki.kagoshima.jp +matsumoto.kagoshima.jp +minamitane.kagoshima.jp +nakatane.kagoshima.jp +nishinoomote.kagoshima.jp +satsumasendai.kagoshima.jp +soo.kagoshima.jp +tarumizu.kagoshima.jp +yusui.kagoshima.jp +aikawa.kanagawa.jp +atsugi.kanagawa.jp +ayase.kanagawa.jp +chigasaki.kanagawa.jp +ebina.kanagawa.jp +fujisawa.kanagawa.jp +hadano.kanagawa.jp +hakone.kanagawa.jp +hiratsuka.kanagawa.jp +isehara.kanagawa.jp +kaisei.kanagawa.jp +kamakura.kanagawa.jp +kiyokawa.kanagawa.jp +matsuda.kanagawa.jp +minamiashigara.kanagawa.jp +miura.kanagawa.jp +nakai.kanagawa.jp 
+ninomiya.kanagawa.jp +odawara.kanagawa.jp +oi.kanagawa.jp +oiso.kanagawa.jp +sagamihara.kanagawa.jp +samukawa.kanagawa.jp +tsukui.kanagawa.jp +yamakita.kanagawa.jp +yamato.kanagawa.jp +yokosuka.kanagawa.jp +yugawara.kanagawa.jp +zama.kanagawa.jp +zushi.kanagawa.jp +aki.kochi.jp +geisei.kochi.jp +hidaka.kochi.jp +higashitsuno.kochi.jp +ino.kochi.jp +kagami.kochi.jp +kami.kochi.jp +kitagawa.kochi.jp +kochi.kochi.jp +mihara.kochi.jp +motoyama.kochi.jp +muroto.kochi.jp +nahari.kochi.jp +nakamura.kochi.jp +nankoku.kochi.jp +nishitosa.kochi.jp +niyodogawa.kochi.jp +ochi.kochi.jp +okawa.kochi.jp +otoyo.kochi.jp +otsuki.kochi.jp +sakawa.kochi.jp +sukumo.kochi.jp +susaki.kochi.jp +tosa.kochi.jp +tosashimizu.kochi.jp +toyo.kochi.jp +tsuno.kochi.jp +umaji.kochi.jp +yasuda.kochi.jp +yusuhara.kochi.jp +amakusa.kumamoto.jp +arao.kumamoto.jp +aso.kumamoto.jp +choyo.kumamoto.jp +gyokuto.kumamoto.jp +hitoyoshi.kumamoto.jp +kamiamakusa.kumamoto.jp +kashima.kumamoto.jp +kikuchi.kumamoto.jp +kosa.kumamoto.jp +kumamoto.kumamoto.jp +mashiki.kumamoto.jp +mifune.kumamoto.jp +minamata.kumamoto.jp +minamioguni.kumamoto.jp +nagasu.kumamoto.jp +nishihara.kumamoto.jp +oguni.kumamoto.jp +ozu.kumamoto.jp +sumoto.kumamoto.jp +takamori.kumamoto.jp +uki.kumamoto.jp +uto.kumamoto.jp +yamaga.kumamoto.jp +yamato.kumamoto.jp +yatsushiro.kumamoto.jp +ayabe.kyoto.jp +fukuchiyama.kyoto.jp +higashiyama.kyoto.jp +ide.kyoto.jp +ine.kyoto.jp +joyo.kyoto.jp +kameoka.kyoto.jp +kamo.kyoto.jp +kita.kyoto.jp +kizu.kyoto.jp +kumiyama.kyoto.jp +kyotamba.kyoto.jp +kyotanabe.kyoto.jp +kyotango.kyoto.jp +maizuru.kyoto.jp +minami.kyoto.jp +minamiyamashiro.kyoto.jp +miyazu.kyoto.jp +muko.kyoto.jp +nagaokakyo.kyoto.jp +nakagyo.kyoto.jp +nantan.kyoto.jp +oyamazaki.kyoto.jp +sakyo.kyoto.jp +seika.kyoto.jp +tanabe.kyoto.jp +uji.kyoto.jp +ujitawara.kyoto.jp +wazuka.kyoto.jp +yamashina.kyoto.jp +yawata.kyoto.jp +asahi.mie.jp +inabe.mie.jp +ise.mie.jp +kameyama.mie.jp +kawagoe.mie.jp +kiho.mie.jp +kisosaki.mie.jp +kiwa.mie.jp 
+komono.mie.jp +kumano.mie.jp +kuwana.mie.jp +matsusaka.mie.jp +meiwa.mie.jp +mihama.mie.jp +minamiise.mie.jp +misugi.mie.jp +miyama.mie.jp +nabari.mie.jp +shima.mie.jp +suzuka.mie.jp +tado.mie.jp +taiki.mie.jp +taki.mie.jp +tamaki.mie.jp +toba.mie.jp +tsu.mie.jp +udono.mie.jp +ureshino.mie.jp +watarai.mie.jp +yokkaichi.mie.jp +furukawa.miyagi.jp +higashimatsushima.miyagi.jp +ishinomaki.miyagi.jp +iwanuma.miyagi.jp +kakuda.miyagi.jp +kami.miyagi.jp +kawasaki.miyagi.jp +kesennuma.miyagi.jp +marumori.miyagi.jp +matsushima.miyagi.jp +minamisanriku.miyagi.jp +misato.miyagi.jp +murata.miyagi.jp +natori.miyagi.jp +ogawara.miyagi.jp +ohira.miyagi.jp +onagawa.miyagi.jp +osaki.miyagi.jp +rifu.miyagi.jp +semine.miyagi.jp +shibata.miyagi.jp +shichikashuku.miyagi.jp +shikama.miyagi.jp +shiogama.miyagi.jp +shiroishi.miyagi.jp +tagajo.miyagi.jp +taiwa.miyagi.jp +tome.miyagi.jp +tomiya.miyagi.jp +wakuya.miyagi.jp +watari.miyagi.jp +yamamoto.miyagi.jp +zao.miyagi.jp +aya.miyazaki.jp +ebino.miyazaki.jp +gokase.miyazaki.jp +hyuga.miyazaki.jp +kadogawa.miyazaki.jp +kawaminami.miyazaki.jp +kijo.miyazaki.jp +kitagawa.miyazaki.jp +kitakata.miyazaki.jp +kitaura.miyazaki.jp +kobayashi.miyazaki.jp +kunitomi.miyazaki.jp +kushima.miyazaki.jp +mimata.miyazaki.jp +miyakonojo.miyazaki.jp +miyazaki.miyazaki.jp +morotsuka.miyazaki.jp +nichinan.miyazaki.jp +nishimera.miyazaki.jp +nobeoka.miyazaki.jp +saito.miyazaki.jp +shiiba.miyazaki.jp +shintomi.miyazaki.jp +takaharu.miyazaki.jp +takanabe.miyazaki.jp +takazaki.miyazaki.jp +tsuno.miyazaki.jp +achi.nagano.jp +agematsu.nagano.jp +anan.nagano.jp +aoki.nagano.jp +asahi.nagano.jp +azumino.nagano.jp +chikuhoku.nagano.jp +chikuma.nagano.jp +chino.nagano.jp +fujimi.nagano.jp +hakuba.nagano.jp +hara.nagano.jp +hiraya.nagano.jp +iida.nagano.jp +iijima.nagano.jp +iiyama.nagano.jp +iizuna.nagano.jp +ikeda.nagano.jp +ikusaka.nagano.jp +ina.nagano.jp +karuizawa.nagano.jp +kawakami.nagano.jp +kiso.nagano.jp +kisofukushima.nagano.jp +kitaaiki.nagano.jp 
+komagane.nagano.jp +komoro.nagano.jp +matsukawa.nagano.jp +matsumoto.nagano.jp +miasa.nagano.jp +minamiaiki.nagano.jp +minamimaki.nagano.jp +minamiminowa.nagano.jp +minowa.nagano.jp +miyada.nagano.jp +miyota.nagano.jp +mochizuki.nagano.jp +nagano.nagano.jp +nagawa.nagano.jp +nagiso.nagano.jp +nakagawa.nagano.jp +nakano.nagano.jp +nozawaonsen.nagano.jp +obuse.nagano.jp +ogawa.nagano.jp +okaya.nagano.jp +omachi.nagano.jp +omi.nagano.jp +ookuwa.nagano.jp +ooshika.nagano.jp +otaki.nagano.jp +otari.nagano.jp +sakae.nagano.jp +sakaki.nagano.jp +saku.nagano.jp +sakuho.nagano.jp +shimosuwa.nagano.jp +shinanomachi.nagano.jp +shiojiri.nagano.jp +suwa.nagano.jp +suzaka.nagano.jp +takagi.nagano.jp +takamori.nagano.jp +takayama.nagano.jp +tateshina.nagano.jp +tatsuno.nagano.jp +togakushi.nagano.jp +togura.nagano.jp +tomi.nagano.jp +ueda.nagano.jp +wada.nagano.jp +yamagata.nagano.jp +yamanouchi.nagano.jp +yasaka.nagano.jp +yasuoka.nagano.jp +chijiwa.nagasaki.jp +futsu.nagasaki.jp +goto.nagasaki.jp +hasami.nagasaki.jp +hirado.nagasaki.jp +iki.nagasaki.jp +isahaya.nagasaki.jp +kawatana.nagasaki.jp +kuchinotsu.nagasaki.jp +matsuura.nagasaki.jp +nagasaki.nagasaki.jp +obama.nagasaki.jp +omura.nagasaki.jp +oseto.nagasaki.jp +saikai.nagasaki.jp +sasebo.nagasaki.jp +seihi.nagasaki.jp +shimabara.nagasaki.jp +shinkamigoto.nagasaki.jp +togitsu.nagasaki.jp +tsushima.nagasaki.jp +unzen.nagasaki.jp +ando.nara.jp +gose.nara.jp +heguri.nara.jp +higashiyoshino.nara.jp +ikaruga.nara.jp +ikoma.nara.jp +kamikitayama.nara.jp +kanmaki.nara.jp +kashiba.nara.jp +kashihara.nara.jp +katsuragi.nara.jp +kawai.nara.jp +kawakami.nara.jp +kawanishi.nara.jp +koryo.nara.jp +kurotaki.nara.jp +mitsue.nara.jp +miyake.nara.jp +nara.nara.jp +nosegawa.nara.jp +oji.nara.jp +ouda.nara.jp +oyodo.nara.jp +sakurai.nara.jp +sango.nara.jp +shimoichi.nara.jp +shimokitayama.nara.jp +shinjo.nara.jp +soni.nara.jp +takatori.nara.jp +tawaramoto.nara.jp +tenkawa.nara.jp +tenri.nara.jp +uda.nara.jp +yamatokoriyama.nara.jp 
+yamatotakada.nara.jp +yamazoe.nara.jp +yoshino.nara.jp +aga.niigata.jp +agano.niigata.jp +gosen.niigata.jp +itoigawa.niigata.jp +izumozaki.niigata.jp +joetsu.niigata.jp +kamo.niigata.jp +kariwa.niigata.jp +kashiwazaki.niigata.jp +minamiuonuma.niigata.jp +mitsuke.niigata.jp +muika.niigata.jp +murakami.niigata.jp +myoko.niigata.jp +nagaoka.niigata.jp +niigata.niigata.jp +ojiya.niigata.jp +omi.niigata.jp +sado.niigata.jp +sanjo.niigata.jp +seiro.niigata.jp +seirou.niigata.jp +sekikawa.niigata.jp +shibata.niigata.jp +tagami.niigata.jp +tainai.niigata.jp +tochio.niigata.jp +tokamachi.niigata.jp +tsubame.niigata.jp +tsunan.niigata.jp +uonuma.niigata.jp +yahiko.niigata.jp +yoita.niigata.jp +yuzawa.niigata.jp +beppu.oita.jp +bungoono.oita.jp +bungotakada.oita.jp +hasama.oita.jp +hiji.oita.jp +himeshima.oita.jp +hita.oita.jp +kamitsue.oita.jp +kokonoe.oita.jp +kuju.oita.jp +kunisaki.oita.jp +kusu.oita.jp +oita.oita.jp +saiki.oita.jp +taketa.oita.jp +tsukumi.oita.jp +usa.oita.jp +usuki.oita.jp +yufu.oita.jp +akaiwa.okayama.jp +asakuchi.okayama.jp +bizen.okayama.jp +hayashima.okayama.jp +ibara.okayama.jp +kagamino.okayama.jp +kasaoka.okayama.jp +kibichuo.okayama.jp +kumenan.okayama.jp +kurashiki.okayama.jp +maniwa.okayama.jp +misaki.okayama.jp +nagi.okayama.jp +niimi.okayama.jp +nishiawakura.okayama.jp +okayama.okayama.jp +satosho.okayama.jp +setouchi.okayama.jp +shinjo.okayama.jp +shoo.okayama.jp +soja.okayama.jp +takahashi.okayama.jp +tamano.okayama.jp +tsuyama.okayama.jp +wake.okayama.jp +yakage.okayama.jp +aguni.okinawa.jp +ginowan.okinawa.jp +ginoza.okinawa.jp +gushikami.okinawa.jp +haebaru.okinawa.jp +higashi.okinawa.jp +hirara.okinawa.jp +iheya.okinawa.jp +ishigaki.okinawa.jp +ishikawa.okinawa.jp +itoman.okinawa.jp +izena.okinawa.jp +kadena.okinawa.jp +kin.okinawa.jp +kitadaito.okinawa.jp +kitanakagusuku.okinawa.jp +kumejima.okinawa.jp +kunigami.okinawa.jp +minamidaito.okinawa.jp +motobu.okinawa.jp +nago.okinawa.jp +naha.okinawa.jp +nakagusuku.okinawa.jp 
+nakijin.okinawa.jp +nanjo.okinawa.jp +nishihara.okinawa.jp +ogimi.okinawa.jp +okinawa.okinawa.jp +onna.okinawa.jp +shimoji.okinawa.jp +taketomi.okinawa.jp +tarama.okinawa.jp +tokashiki.okinawa.jp +tomigusuku.okinawa.jp +tonaki.okinawa.jp +urasoe.okinawa.jp +uruma.okinawa.jp +yaese.okinawa.jp +yomitan.okinawa.jp +yonabaru.okinawa.jp +yonaguni.okinawa.jp +zamami.okinawa.jp +abeno.osaka.jp +chihayaakasaka.osaka.jp +chuo.osaka.jp +daito.osaka.jp +fujiidera.osaka.jp +habikino.osaka.jp +hannan.osaka.jp +higashiosaka.osaka.jp +higashisumiyoshi.osaka.jp +higashiyodogawa.osaka.jp +hirakata.osaka.jp +ibaraki.osaka.jp +ikeda.osaka.jp +izumi.osaka.jp +izumiotsu.osaka.jp +izumisano.osaka.jp +kadoma.osaka.jp +kaizuka.osaka.jp +kanan.osaka.jp +kashiwara.osaka.jp +katano.osaka.jp +kawachinagano.osaka.jp +kishiwada.osaka.jp +kita.osaka.jp +kumatori.osaka.jp +matsubara.osaka.jp +minato.osaka.jp +minoh.osaka.jp +misaki.osaka.jp +moriguchi.osaka.jp +neyagawa.osaka.jp +nishi.osaka.jp +nose.osaka.jp +osakasayama.osaka.jp +sakai.osaka.jp +sayama.osaka.jp +sennan.osaka.jp +settsu.osaka.jp +shijonawate.osaka.jp +shimamoto.osaka.jp +suita.osaka.jp +tadaoka.osaka.jp +taishi.osaka.jp +tajiri.osaka.jp +takaishi.osaka.jp +takatsuki.osaka.jp +tondabayashi.osaka.jp +toyonaka.osaka.jp +toyono.osaka.jp +yao.osaka.jp +ariake.saga.jp +arita.saga.jp +fukudomi.saga.jp +genkai.saga.jp +hamatama.saga.jp +hizen.saga.jp +imari.saga.jp +kamimine.saga.jp +kanzaki.saga.jp +karatsu.saga.jp +kashima.saga.jp +kitagata.saga.jp +kitahata.saga.jp +kiyama.saga.jp +kouhoku.saga.jp +kyuragi.saga.jp +nishiarita.saga.jp +ogi.saga.jp +omachi.saga.jp +ouchi.saga.jp +saga.saga.jp +shiroishi.saga.jp +taku.saga.jp +tara.saga.jp +tosu.saga.jp +yoshinogari.saga.jp +arakawa.saitama.jp +asaka.saitama.jp +chichibu.saitama.jp +fujimi.saitama.jp +fujimino.saitama.jp +fukaya.saitama.jp +hanno.saitama.jp +hanyu.saitama.jp +hasuda.saitama.jp +hatogaya.saitama.jp +hatoyama.saitama.jp +hidaka.saitama.jp +higashichichibu.saitama.jp 
+higashimatsuyama.saitama.jp +honjo.saitama.jp +ina.saitama.jp +iruma.saitama.jp +iwatsuki.saitama.jp +kamiizumi.saitama.jp +kamikawa.saitama.jp +kamisato.saitama.jp +kasukabe.saitama.jp +kawagoe.saitama.jp +kawaguchi.saitama.jp +kawajima.saitama.jp +kazo.saitama.jp +kitamoto.saitama.jp +koshigaya.saitama.jp +kounosu.saitama.jp +kuki.saitama.jp +kumagaya.saitama.jp +matsubushi.saitama.jp +minano.saitama.jp +misato.saitama.jp +miyashiro.saitama.jp +miyoshi.saitama.jp +moroyama.saitama.jp +nagatoro.saitama.jp +namegawa.saitama.jp +niiza.saitama.jp +ogano.saitama.jp +ogawa.saitama.jp +ogose.saitama.jp +okegawa.saitama.jp +omiya.saitama.jp +otaki.saitama.jp +ranzan.saitama.jp +ryokami.saitama.jp +saitama.saitama.jp +sakado.saitama.jp +satte.saitama.jp +sayama.saitama.jp +shiki.saitama.jp +shiraoka.saitama.jp +soka.saitama.jp +sugito.saitama.jp +toda.saitama.jp +tokigawa.saitama.jp +tokorozawa.saitama.jp +tsurugashima.saitama.jp +urawa.saitama.jp +warabi.saitama.jp +yashio.saitama.jp +yokoze.saitama.jp +yono.saitama.jp +yorii.saitama.jp +yoshida.saitama.jp +yoshikawa.saitama.jp +yoshimi.saitama.jp +aisho.shiga.jp +gamo.shiga.jp +higashiomi.shiga.jp +hikone.shiga.jp +koka.shiga.jp +konan.shiga.jp +kosei.shiga.jp +koto.shiga.jp +kusatsu.shiga.jp +maibara.shiga.jp +moriyama.shiga.jp +nagahama.shiga.jp +nishiazai.shiga.jp +notogawa.shiga.jp +omihachiman.shiga.jp +otsu.shiga.jp +ritto.shiga.jp +ryuoh.shiga.jp +takashima.shiga.jp +takatsuki.shiga.jp +torahime.shiga.jp +toyosato.shiga.jp +yasu.shiga.jp +akagi.shimane.jp +ama.shimane.jp +gotsu.shimane.jp +hamada.shimane.jp +higashiizumo.shimane.jp +hikawa.shimane.jp +hikimi.shimane.jp +izumo.shimane.jp +kakinoki.shimane.jp +masuda.shimane.jp +matsue.shimane.jp +misato.shimane.jp +nishinoshima.shimane.jp +ohda.shimane.jp +okinoshima.shimane.jp +okuizumo.shimane.jp +shimane.shimane.jp +tamayu.shimane.jp +tsuwano.shimane.jp +unnan.shimane.jp +yakumo.shimane.jp +yasugi.shimane.jp +yatsuka.shimane.jp +arai.shizuoka.jp 
+atami.shizuoka.jp +fuji.shizuoka.jp +fujieda.shizuoka.jp +fujikawa.shizuoka.jp +fujinomiya.shizuoka.jp +fukuroi.shizuoka.jp +gotemba.shizuoka.jp +haibara.shizuoka.jp +hamamatsu.shizuoka.jp +higashiizu.shizuoka.jp +ito.shizuoka.jp +iwata.shizuoka.jp +izu.shizuoka.jp +izunokuni.shizuoka.jp +kakegawa.shizuoka.jp +kannami.shizuoka.jp +kawanehon.shizuoka.jp +kawazu.shizuoka.jp +kikugawa.shizuoka.jp +kosai.shizuoka.jp +makinohara.shizuoka.jp +matsuzaki.shizuoka.jp +minamiizu.shizuoka.jp +mishima.shizuoka.jp +morimachi.shizuoka.jp +nishiizu.shizuoka.jp +numazu.shizuoka.jp +omaezaki.shizuoka.jp +shimada.shizuoka.jp +shimizu.shizuoka.jp +shimoda.shizuoka.jp +shizuoka.shizuoka.jp +susono.shizuoka.jp +yaizu.shizuoka.jp +yoshida.shizuoka.jp +ashikaga.tochigi.jp +bato.tochigi.jp +haga.tochigi.jp +ichikai.tochigi.jp +iwafune.tochigi.jp +kaminokawa.tochigi.jp +kanuma.tochigi.jp +karasuyama.tochigi.jp +kuroiso.tochigi.jp +mashiko.tochigi.jp +mibu.tochigi.jp +moka.tochigi.jp +motegi.tochigi.jp +nasu.tochigi.jp +nasushiobara.tochigi.jp +nikko.tochigi.jp +nishikata.tochigi.jp +nogi.tochigi.jp +ohira.tochigi.jp +ohtawara.tochigi.jp +oyama.tochigi.jp +sakura.tochigi.jp +sano.tochigi.jp +shimotsuke.tochigi.jp +shioya.tochigi.jp +takanezawa.tochigi.jp +tochigi.tochigi.jp +tsuga.tochigi.jp +ujiie.tochigi.jp +utsunomiya.tochigi.jp +yaita.tochigi.jp +aizumi.tokushima.jp +anan.tokushima.jp +ichiba.tokushima.jp +itano.tokushima.jp +kainan.tokushima.jp +komatsushima.tokushima.jp +matsushige.tokushima.jp +mima.tokushima.jp +minami.tokushima.jp +miyoshi.tokushima.jp +mugi.tokushima.jp +nakagawa.tokushima.jp +naruto.tokushima.jp +sanagochi.tokushima.jp +shishikui.tokushima.jp +tokushima.tokushima.jp +wajiki.tokushima.jp +adachi.tokyo.jp +akiruno.tokyo.jp +akishima.tokyo.jp +aogashima.tokyo.jp +arakawa.tokyo.jp +bunkyo.tokyo.jp +chiyoda.tokyo.jp +chofu.tokyo.jp +chuo.tokyo.jp +edogawa.tokyo.jp +fuchu.tokyo.jp +fussa.tokyo.jp +hachijo.tokyo.jp +hachioji.tokyo.jp +hamura.tokyo.jp 
+higashikurume.tokyo.jp +higashimurayama.tokyo.jp +higashiyamato.tokyo.jp +hino.tokyo.jp +hinode.tokyo.jp +hinohara.tokyo.jp +inagi.tokyo.jp +itabashi.tokyo.jp +katsushika.tokyo.jp +kita.tokyo.jp +kiyose.tokyo.jp +kodaira.tokyo.jp +koganei.tokyo.jp +kokubunji.tokyo.jp +komae.tokyo.jp +koto.tokyo.jp +kouzushima.tokyo.jp +kunitachi.tokyo.jp +machida.tokyo.jp +meguro.tokyo.jp +minato.tokyo.jp +mitaka.tokyo.jp +mizuho.tokyo.jp +musashimurayama.tokyo.jp +musashino.tokyo.jp +nakano.tokyo.jp +nerima.tokyo.jp +ogasawara.tokyo.jp +okutama.tokyo.jp +ome.tokyo.jp +oshima.tokyo.jp +ota.tokyo.jp +setagaya.tokyo.jp +shibuya.tokyo.jp +shinagawa.tokyo.jp +shinjuku.tokyo.jp +suginami.tokyo.jp +sumida.tokyo.jp +tachikawa.tokyo.jp +taito.tokyo.jp +tama.tokyo.jp +toshima.tokyo.jp +chizu.tottori.jp +hino.tottori.jp +kawahara.tottori.jp +koge.tottori.jp +kotoura.tottori.jp +misasa.tottori.jp +nanbu.tottori.jp +nichinan.tottori.jp +sakaiminato.tottori.jp +tottori.tottori.jp +wakasa.tottori.jp +yazu.tottori.jp +yonago.tottori.jp +asahi.toyama.jp +fuchu.toyama.jp +fukumitsu.toyama.jp +funahashi.toyama.jp +himi.toyama.jp +imizu.toyama.jp +inami.toyama.jp +johana.toyama.jp +kamiichi.toyama.jp +kurobe.toyama.jp +nakaniikawa.toyama.jp +namerikawa.toyama.jp +nanto.toyama.jp +nyuzen.toyama.jp +oyabe.toyama.jp +taira.toyama.jp +takaoka.toyama.jp +tateyama.toyama.jp +toga.toyama.jp +tonami.toyama.jp +toyama.toyama.jp +unazuki.toyama.jp +uozu.toyama.jp +yamada.toyama.jp +arida.wakayama.jp +aridagawa.wakayama.jp +gobo.wakayama.jp +hashimoto.wakayama.jp +hidaka.wakayama.jp +hirogawa.wakayama.jp +inami.wakayama.jp +iwade.wakayama.jp +kainan.wakayama.jp +kamitonda.wakayama.jp +katsuragi.wakayama.jp +kimino.wakayama.jp +kinokawa.wakayama.jp +kitayama.wakayama.jp +koya.wakayama.jp +koza.wakayama.jp +kozagawa.wakayama.jp +kudoyama.wakayama.jp +kushimoto.wakayama.jp +mihama.wakayama.jp +misato.wakayama.jp +nachikatsuura.wakayama.jp +shingu.wakayama.jp +shirahama.wakayama.jp +taiji.wakayama.jp 
+tanabe.wakayama.jp +wakayama.wakayama.jp +yuasa.wakayama.jp +yura.wakayama.jp +asahi.yamagata.jp +funagata.yamagata.jp +higashine.yamagata.jp +iide.yamagata.jp +kahoku.yamagata.jp +kaminoyama.yamagata.jp +kaneyama.yamagata.jp +kawanishi.yamagata.jp +mamurogawa.yamagata.jp +mikawa.yamagata.jp +murayama.yamagata.jp +nagai.yamagata.jp +nakayama.yamagata.jp +nanyo.yamagata.jp +nishikawa.yamagata.jp +obanazawa.yamagata.jp +oe.yamagata.jp +oguni.yamagata.jp +ohkura.yamagata.jp +oishida.yamagata.jp +sagae.yamagata.jp +sakata.yamagata.jp +sakegawa.yamagata.jp +shinjo.yamagata.jp +shirataka.yamagata.jp +shonai.yamagata.jp +takahata.yamagata.jp +tendo.yamagata.jp +tozawa.yamagata.jp +tsuruoka.yamagata.jp +yamagata.yamagata.jp +yamanobe.yamagata.jp +yonezawa.yamagata.jp +yuza.yamagata.jp +abu.yamaguchi.jp +hagi.yamaguchi.jp +hikari.yamaguchi.jp +hofu.yamaguchi.jp +iwakuni.yamaguchi.jp +kudamatsu.yamaguchi.jp +mitou.yamaguchi.jp +nagato.yamaguchi.jp +oshima.yamaguchi.jp +shimonoseki.yamaguchi.jp +shunan.yamaguchi.jp +tabuse.yamaguchi.jp +tokuyama.yamaguchi.jp +toyota.yamaguchi.jp +ube.yamaguchi.jp +yuu.yamaguchi.jp +chuo.yamanashi.jp +doshi.yamanashi.jp +fuefuki.yamanashi.jp +fujikawa.yamanashi.jp +fujikawaguchiko.yamanashi.jp +fujiyoshida.yamanashi.jp +hayakawa.yamanashi.jp +hokuto.yamanashi.jp +ichikawamisato.yamanashi.jp +kai.yamanashi.jp +kofu.yamanashi.jp +koshu.yamanashi.jp +kosuge.yamanashi.jp +minami-alps.yamanashi.jp +minobu.yamanashi.jp +nakamichi.yamanashi.jp +nanbu.yamanashi.jp +narusawa.yamanashi.jp +nirasaki.yamanashi.jp +nishikatsura.yamanashi.jp +oshino.yamanashi.jp +otsuki.yamanashi.jp +showa.yamanashi.jp +tabayama.yamanashi.jp +tsuru.yamanashi.jp +uenohara.yamanashi.jp +yamanakako.yamanashi.jp +yamanashi.yamanashi.jp + +// ke : http://www.kenic.or.ke/index.php?option=com_content&task=view&id=117&Itemid=145 +*.ke + +// kg : http://www.domain.kg/dmn_n.html +kg +org.kg +net.kg +com.kg +edu.kg +gov.kg +mil.kg + +// kh : 
http://www.mptc.gov.kh/dns_registration.htm +*.kh + +// ki : http://www.ki/dns/index.html +ki +edu.ki +biz.ki +net.ki +org.ki +gov.ki +info.ki +com.ki + +// km : http://en.wikipedia.org/wiki/.km +// http://www.domaine.km/documents/charte.doc +km +org.km +nom.km +gov.km +prd.km +tm.km +edu.km +mil.km +ass.km +com.km +// These are only mentioned as proposed suggestions at domaine.km, but +// http://en.wikipedia.org/wiki/.km says they're available for registration: +coop.km +asso.km +presse.km +medecin.km +notaires.km +pharmaciens.km +veterinaire.km +gouv.km + +// kn : http://en.wikipedia.org/wiki/.kn +// http://www.dot.kn/domainRules.html +kn +net.kn +org.kn +edu.kn +gov.kn + +// kp : http://www.kcce.kp/en_index.php +kp +com.kp +edu.kp +gov.kp +org.kp +rep.kp +tra.kp + +// kr : http://en.wikipedia.org/wiki/.kr +// see also: http://domain.nida.or.kr/eng/registration.jsp +kr +ac.kr +co.kr +es.kr +go.kr +hs.kr +kg.kr +mil.kr +ms.kr +ne.kr +or.kr +pe.kr +re.kr +sc.kr +// kr geographical names +busan.kr +chungbuk.kr +chungnam.kr +daegu.kr +daejeon.kr +gangwon.kr +gwangju.kr +gyeongbuk.kr +gyeonggi.kr +gyeongnam.kr +incheon.kr +jeju.kr +jeonbuk.kr +jeonnam.kr +seoul.kr +ulsan.kr + +// kw : http://en.wikipedia.org/wiki/.kw +*.kw + +// ky : http://www.icta.ky/da_ky_reg_dom.php +// Confirmed by registry 2008-06-17 +ky +edu.ky +gov.ky +com.ky +org.ky +net.ky + +// kz : http://en.wikipedia.org/wiki/.kz +// see also: http://www.nic.kz/rules/index.jsp +kz +org.kz +edu.kz +net.kz +gov.kz +mil.kz +com.kz + +// la : http://en.wikipedia.org/wiki/.la +// Submitted by registry 2008-06-10 +la +int.la +net.la +info.la +edu.la +gov.la +per.la +com.la +org.la + +// lb : http://en.wikipedia.org/wiki/.lb +// Submitted by registry 2008-06-17 +lb +com.lb +edu.lb +gov.lb +net.lb +org.lb + +// lc : http://en.wikipedia.org/wiki/.lc +// see also: http://www.nic.lc/rules.htm +lc +com.lc +net.lc +co.lc +org.lc +edu.lc +gov.lc + +// li : http://en.wikipedia.org/wiki/.li +li + +// lk : 
http://www.nic.lk/seclevpr.html +lk +gov.lk +sch.lk +net.lk +int.lk +com.lk +org.lk +edu.lk +ngo.lk +soc.lk +web.lk +ltd.lk +assn.lk +grp.lk +hotel.lk + +// lr : http://psg.com/dns/lr/lr.txt +// Submitted by registry 2008-06-17 +lr +com.lr +edu.lr +gov.lr +org.lr +net.lr + +// ls : http://en.wikipedia.org/wiki/.ls +ls +co.ls +org.ls + +// lt : http://en.wikipedia.org/wiki/.lt +lt +// gov.lt : http://www.gov.lt/index_en.php +gov.lt + +// lu : http://www.dns.lu/en/ +lu + +// lv : http://www.nic.lv/DNS/En/generic.php +lv +com.lv +edu.lv +gov.lv +org.lv +mil.lv +id.lv +net.lv +asn.lv +conf.lv + +// ly : http://www.nic.ly/regulations.php +ly +com.ly +net.ly +gov.ly +plc.ly +edu.ly +sch.ly +med.ly +org.ly +id.ly + +// ma : http://en.wikipedia.org/wiki/.ma +// http://www.anrt.ma/fr/admin/download/upload/file_fr782.pdf +ma +co.ma +net.ma +gov.ma +org.ma +ac.ma +press.ma + +// mc : http://www.nic.mc/ +mc +tm.mc +asso.mc + +// md : http://en.wikipedia.org/wiki/.md +md + +// me : http://en.wikipedia.org/wiki/.me +me +co.me +net.me +org.me +edu.me +ac.me +gov.me +its.me +priv.me + +// mg : http://www.nic.mg/tarif.htm +mg +org.mg +nom.mg +gov.mg +prd.mg +tm.mg +edu.mg +mil.mg +com.mg + +// mh : http://en.wikipedia.org/wiki/.mh +mh + +// mil : http://en.wikipedia.org/wiki/.mil +mil + +// mk : http://en.wikipedia.org/wiki/.mk +// see also: http://dns.marnet.net.mk/postapka.php +mk +com.mk +org.mk +net.mk +edu.mk +gov.mk +inf.mk +name.mk + +// ml : http://www.gobin.info/domainname/ml-template.doc +// see also: http://en.wikipedia.org/wiki/.ml +ml +com.ml +edu.ml +gouv.ml +gov.ml +net.ml +org.ml +presse.ml + +// mm : http://en.wikipedia.org/wiki/.mm +*.mm + +// mn : http://en.wikipedia.org/wiki/.mn +mn +gov.mn +edu.mn +org.mn + +// mo : http://www.monic.net.mo/ +mo +com.mo +net.mo +org.mo +edu.mo +gov.mo + +// mobi : http://en.wikipedia.org/wiki/.mobi +mobi + +// mp : http://www.dot.mp/ +// Confirmed by registry 2008-06-17 +mp + +// mq : http://en.wikipedia.org/wiki/.mq +mq + +// 
mr : http://en.wikipedia.org/wiki/.mr +mr +gov.mr + +// ms : http://www.nic.ms/pdf/MS_Domain_Name_Rules.pdf +ms +com.ms +edu.ms +gov.ms +net.ms +org.ms + +// mt : https://www.nic.org.mt/go/policy +// Submitted by registry 2013-11-19 +mt +com.mt +edu.mt +net.mt +org.mt + +// mu : http://en.wikipedia.org/wiki/.mu +mu +com.mu +net.mu +org.mu +gov.mu +ac.mu +co.mu +or.mu + +// museum : http://about.museum/naming/ +// http://index.museum/ +museum +academy.museum +agriculture.museum +air.museum +airguard.museum +alabama.museum +alaska.museum +amber.museum +ambulance.museum +american.museum +americana.museum +americanantiques.museum +americanart.museum +amsterdam.museum +and.museum +annefrank.museum +anthro.museum +anthropology.museum +antiques.museum +aquarium.museum +arboretum.museum +archaeological.museum +archaeology.museum +architecture.museum +art.museum +artanddesign.museum +artcenter.museum +artdeco.museum +arteducation.museum +artgallery.museum +arts.museum +artsandcrafts.museum +asmatart.museum +assassination.museum +assisi.museum +association.museum +astronomy.museum +atlanta.museum +austin.museum +australia.museum +automotive.museum +aviation.museum +axis.museum +badajoz.museum +baghdad.museum +bahn.museum +bale.museum +baltimore.museum +barcelona.museum +baseball.museum +basel.museum +baths.museum +bauern.museum +beauxarts.museum +beeldengeluid.museum +bellevue.museum +bergbau.museum +berkeley.museum +berlin.museum +bern.museum +bible.museum +bilbao.museum +bill.museum +birdart.museum +birthplace.museum +bonn.museum +boston.museum +botanical.museum +botanicalgarden.museum +botanicgarden.museum +botany.museum +brandywinevalley.museum +brasil.museum +bristol.museum +british.museum +britishcolumbia.museum +broadcast.museum +brunel.museum +brussel.museum +brussels.museum +bruxelles.museum +building.museum +burghof.museum +bus.museum +bushey.museum +cadaques.museum +california.museum +cambridge.museum +can.museum +canada.museum +capebreton.museum +carrier.museum 
+cartoonart.museum +casadelamoneda.museum +castle.museum +castres.museum +celtic.museum +center.museum +chattanooga.museum +cheltenham.museum +chesapeakebay.museum +chicago.museum +children.museum +childrens.museum +childrensgarden.museum +chiropractic.museum +chocolate.museum +christiansburg.museum +cincinnati.museum +cinema.museum +circus.museum +civilisation.museum +civilization.museum +civilwar.museum +clinton.museum +clock.museum +coal.museum +coastaldefence.museum +cody.museum +coldwar.museum +collection.museum +colonialwilliamsburg.museum +coloradoplateau.museum +columbia.museum +columbus.museum +communication.museum +communications.museum +community.museum +computer.museum +computerhistory.museum +comunicações.museum +contemporary.museum +contemporaryart.museum +convent.museum +copenhagen.museum +corporation.museum +correios-e-telecomunicações.museum +corvette.museum +costume.museum +countryestate.museum +county.museum +crafts.museum +cranbrook.museum +creation.museum +cultural.museum +culturalcenter.museum +culture.museum +cyber.museum +cymru.museum +dali.museum +dallas.museum +database.museum +ddr.museum +decorativearts.museum +delaware.museum +delmenhorst.museum +denmark.museum +depot.museum +design.museum +detroit.museum +dinosaur.museum +discovery.museum +dolls.museum +donostia.museum +durham.museum +eastafrica.museum +eastcoast.museum +education.museum +educational.museum +egyptian.museum +eisenbahn.museum +elburg.museum +elvendrell.museum +embroidery.museum +encyclopedic.museum +england.museum +entomology.museum +environment.museum +environmentalconservation.museum +epilepsy.museum +essex.museum +estate.museum +ethnology.museum +exeter.museum +exhibition.museum +family.museum +farm.museum +farmequipment.museum +farmers.museum +farmstead.museum +field.museum +figueres.museum +filatelia.museum +film.museum +fineart.museum +finearts.museum +finland.museum +flanders.museum +florida.museum +force.museum +fortmissoula.museum +fortworth.museum 
+foundation.museum +francaise.museum +frankfurt.museum +franziskaner.museum +freemasonry.museum +freiburg.museum +fribourg.museum +frog.museum +fundacio.museum +furniture.museum +gallery.museum +garden.museum +gateway.museum +geelvinck.museum +gemological.museum +geology.museum +georgia.museum +giessen.museum +glas.museum +glass.museum +gorge.museum +grandrapids.museum +graz.museum +guernsey.museum +halloffame.museum +hamburg.museum +handson.museum +harvestcelebration.museum +hawaii.museum +health.museum +heimatunduhren.museum +hellas.museum +helsinki.museum +hembygdsforbund.museum +heritage.museum +histoire.museum +historical.museum +historicalsociety.museum +historichouses.museum +historisch.museum +historisches.museum +history.museum +historyofscience.museum +horology.museum +house.museum +humanities.museum +illustration.museum +imageandsound.museum +indian.museum +indiana.museum +indianapolis.museum +indianmarket.museum +intelligence.museum +interactive.museum +iraq.museum +iron.museum +isleofman.museum +jamison.museum +jefferson.museum +jerusalem.museum +jewelry.museum +jewish.museum +jewishart.museum +jfk.museum +journalism.museum +judaica.museum +judygarland.museum +juedisches.museum +juif.museum +karate.museum +karikatur.museum +kids.museum +koebenhavn.museum +koeln.museum +kunst.museum +kunstsammlung.museum +kunstunddesign.museum +labor.museum +labour.museum +lajolla.museum +lancashire.museum +landes.museum +lans.museum +läns.museum +larsson.museum +lewismiller.museum +lincoln.museum +linz.museum +living.museum +livinghistory.museum +localhistory.museum +london.museum +losangeles.museum +louvre.museum +loyalist.museum +lucerne.museum +luxembourg.museum +luzern.museum +mad.museum +madrid.museum +mallorca.museum +manchester.museum +mansion.museum +mansions.museum +manx.museum +marburg.museum +maritime.museum +maritimo.museum +maryland.museum +marylhurst.museum +media.museum +medical.museum +medizinhistorisches.museum +meeres.museum +memorial.museum 
+mesaverde.museum +michigan.museum +midatlantic.museum +military.museum +mill.museum +miners.museum +mining.museum +minnesota.museum +missile.museum +missoula.museum +modern.museum +moma.museum +money.museum +monmouth.museum +monticello.museum +montreal.museum +moscow.museum +motorcycle.museum +muenchen.museum +muenster.museum +mulhouse.museum +muncie.museum +museet.museum +museumcenter.museum +museumvereniging.museum +music.museum +national.museum +nationalfirearms.museum +nationalheritage.museum +nativeamerican.museum +naturalhistory.museum +naturalhistorymuseum.museum +naturalsciences.museum +nature.museum +naturhistorisches.museum +natuurwetenschappen.museum +naumburg.museum +naval.museum +nebraska.museum +neues.museum +newhampshire.museum +newjersey.museum +newmexico.museum +newport.museum +newspaper.museum +newyork.museum +niepce.museum +norfolk.museum +north.museum +nrw.museum +nuernberg.museum +nuremberg.museum +nyc.museum +nyny.museum +oceanographic.museum +oceanographique.museum +omaha.museum +online.museum +ontario.museum +openair.museum +oregon.museum +oregontrail.museum +otago.museum +oxford.museum +pacific.museum +paderborn.museum +palace.museum +paleo.museum +palmsprings.museum +panama.museum +paris.museum +pasadena.museum +pharmacy.museum +philadelphia.museum +philadelphiaarea.museum +philately.museum +phoenix.museum +photography.museum +pilots.museum +pittsburgh.museum +planetarium.museum +plantation.museum +plants.museum +plaza.museum +portal.museum +portland.museum +portlligat.museum +posts-and-telecommunications.museum +preservation.museum +presidio.museum +press.museum +project.museum +public.museum +pubol.museum +quebec.museum +railroad.museum +railway.museum +research.museum +resistance.museum +riodejaneiro.museum +rochester.museum +rockart.museum +roma.museum +russia.museum +saintlouis.museum +salem.museum +salvadordali.museum +salzburg.museum +sandiego.museum +sanfrancisco.museum +santabarbara.museum +santacruz.museum +santafe.museum 
+saskatchewan.museum +satx.museum +savannahga.museum +schlesisches.museum +schoenbrunn.museum +schokoladen.museum +school.museum +schweiz.museum +science.museum +scienceandhistory.museum +scienceandindustry.museum +sciencecenter.museum +sciencecenters.museum +science-fiction.museum +sciencehistory.museum +sciences.museum +sciencesnaturelles.museum +scotland.museum +seaport.museum +settlement.museum +settlers.museum +shell.museum +sherbrooke.museum +sibenik.museum +silk.museum +ski.museum +skole.museum +society.museum +sologne.museum +soundandvision.museum +southcarolina.museum +southwest.museum +space.museum +spy.museum +square.museum +stadt.museum +stalbans.museum +starnberg.museum +state.museum +stateofdelaware.museum +station.museum +steam.museum +steiermark.museum +stjohn.museum +stockholm.museum +stpetersburg.museum +stuttgart.museum +suisse.museum +surgeonshall.museum +surrey.museum +svizzera.museum +sweden.museum +sydney.museum +tank.museum +tcm.museum +technology.museum +telekommunikation.museum +television.museum +texas.museum +textile.museum +theater.museum +time.museum +timekeeping.museum +topology.museum +torino.museum +touch.museum +town.museum +transport.museum +tree.museum +trolley.museum +trust.museum +trustee.museum +uhren.museum +ulm.museum +undersea.museum +university.museum +usa.museum +usantiques.museum +usarts.museum +uscountryestate.museum +usculture.museum +usdecorativearts.museum +usgarden.museum +ushistory.museum +ushuaia.museum +uslivinghistory.museum +utah.museum +uvic.museum +valley.museum +vantaa.museum +versailles.museum +viking.museum +village.museum +virginia.museum +virtual.museum +virtuel.museum +vlaanderen.museum +volkenkunde.museum +wales.museum +wallonie.museum +war.museum +washingtondc.museum +watchandclock.museum +watch-and-clock.museum +western.museum +westfalen.museum +whaling.museum +wildlife.museum +williamsburg.museum +windmill.museum +workshop.museum +york.museum +yorkshire.museum +yosemite.museum +youth.museum 
+zoological.museum +zoology.museum +ירושלים.museum +иком.museum + +// mv : http://en.wikipedia.org/wiki/.mv +// "mv" included because, contra Wikipedia, google.mv exists. +mv +aero.mv +biz.mv +com.mv +coop.mv +edu.mv +gov.mv +info.mv +int.mv +mil.mv +museum.mv +name.mv +net.mv +org.mv +pro.mv + +// mw : http://www.registrar.mw/ +mw +ac.mw +biz.mw +co.mw +com.mw +coop.mw +edu.mw +gov.mw +int.mw +museum.mw +net.mw +org.mw + +// mx : http://www.nic.mx/ +// Submitted by registry 2008-06-19 +mx +com.mx +org.mx +gob.mx +edu.mx +net.mx + +// my : http://www.mynic.net.my/ +my +com.my +net.my +org.my +gov.my +edu.my +mil.my +name.my + +// mz : http://www.gobin.info/domainname/mz-template.doc +*.mz +!teledata.mz + +// na : http://www.na-nic.com.na/ +// http://www.info.na/domain/ +na +info.na +pro.na +name.na +school.na +or.na +dr.na +us.na +mx.na +ca.na +in.na +cc.na +tv.na +ws.na +mobi.na +co.na +com.na +org.na + +// name : has 2nd-level tlds, but there's no list of them +name + +// nc : http://www.cctld.nc/ +nc +asso.nc + +// ne : http://en.wikipedia.org/wiki/.ne +ne + +// net : http://en.wikipedia.org/wiki/.net +net + +// nf : http://en.wikipedia.org/wiki/.nf +nf +com.nf +net.nf +per.nf +rec.nf +web.nf +arts.nf +firm.nf +info.nf +other.nf +store.nf + +// ng : http://psg.com/dns/ng/ +ng +com.ng +edu.ng +name.ng +net.ng +org.ng +sch.ng +gov.ng +mil.ng +mobi.ng + +// ni : http://www.nic.ni/dominios.htm +*.ni + +// nl : http://www.domain-registry.nl/ace.php/c,728,122,,,,Home.html +// Confirmed by registry (with technical +// reservations) 2008-06-08 +nl + +// BV.nl will be a registry for dutch BV's (besloten vennootschap) +bv.nl + +// no : http://www.norid.no/regelverk/index.en.html +// The Norwegian registry has declined to notify us of updates. The web pages +// referenced below are the official source of the data. 
There is also an +// announce mailing list: +// https://postlister.uninett.no/sympa/info/norid-diskusjon +no +// Norid generic domains : http://www.norid.no/regelverk/vedlegg-c.en.html +fhs.no +vgs.no +fylkesbibl.no +folkebibl.no +museum.no +idrett.no +priv.no +// Non-Norid generic domains : http://www.norid.no/regelverk/vedlegg-d.en.html +mil.no +stat.no +dep.no +kommune.no +herad.no +// no geographical names : http://www.norid.no/regelverk/vedlegg-b.en.html +// counties +aa.no +ah.no +bu.no +fm.no +hl.no +hm.no +jan-mayen.no +mr.no +nl.no +nt.no +of.no +ol.no +oslo.no +rl.no +sf.no +st.no +svalbard.no +tm.no +tr.no +va.no +vf.no +// primary and lower secondary schools per county +gs.aa.no +gs.ah.no +gs.bu.no +gs.fm.no +gs.hl.no +gs.hm.no +gs.jan-mayen.no +gs.mr.no +gs.nl.no +gs.nt.no +gs.of.no +gs.ol.no +gs.oslo.no +gs.rl.no +gs.sf.no +gs.st.no +gs.svalbard.no +gs.tm.no +gs.tr.no +gs.va.no +gs.vf.no +// cities +akrehamn.no +åkrehamn.no +algard.no +ålgård.no +arna.no +brumunddal.no +bryne.no +bronnoysund.no +brønnøysund.no +drobak.no +drøbak.no +egersund.no +fetsund.no +floro.no +florø.no +fredrikstad.no +hokksund.no +honefoss.no +hønefoss.no +jessheim.no +jorpeland.no +jørpeland.no +kirkenes.no +kopervik.no +krokstadelva.no +langevag.no +langevåg.no +leirvik.no +mjondalen.no +mjøndalen.no +mo-i-rana.no +mosjoen.no +mosjøen.no +nesoddtangen.no +orkanger.no +osoyro.no +osøyro.no +raholt.no +råholt.no +sandnessjoen.no +sandnessjøen.no +skedsmokorset.no +slattum.no +spjelkavik.no +stathelle.no +stavern.no +stjordalshalsen.no +stjørdalshalsen.no +tananger.no +tranby.no +vossevangen.no +// communities +afjord.no +åfjord.no +agdenes.no +al.no +ål.no +alesund.no +ålesund.no +alstahaug.no +alta.no +áltá.no +alaheadju.no +álaheadju.no +alvdal.no +amli.no +åmli.no +amot.no +åmot.no +andebu.no +andoy.no +andøy.no +andasuolo.no +ardal.no +årdal.no +aremark.no +arendal.no +ås.no +aseral.no +åseral.no +asker.no +askim.no +askvoll.no +askoy.no +askøy.no +asnes.no +åsnes.no 
+audnedaln.no +aukra.no +aure.no +aurland.no +aurskog-holand.no +aurskog-høland.no +austevoll.no +austrheim.no +averoy.no +averøy.no +balestrand.no +ballangen.no +balat.no +bálát.no +balsfjord.no +bahccavuotna.no +báhccavuotna.no +bamble.no +bardu.no +beardu.no +beiarn.no +bajddar.no +bájddar.no +baidar.no +báidár.no +berg.no +bergen.no +berlevag.no +berlevåg.no +bearalvahki.no +bearalváhki.no +bindal.no +birkenes.no +bjarkoy.no +bjarkøy.no +bjerkreim.no +bjugn.no +bodo.no +bodø.no +badaddja.no +bådåddjå.no +budejju.no +bokn.no +bremanger.no +bronnoy.no +brønnøy.no +bygland.no +bykle.no +barum.no +bærum.no +bo.telemark.no +bø.telemark.no +bo.nordland.no +bø.nordland.no +bievat.no +bievát.no +bomlo.no +bømlo.no +batsfjord.no +båtsfjord.no +bahcavuotna.no +báhcavuotna.no +dovre.no +drammen.no +drangedal.no +dyroy.no +dyrøy.no +donna.no +dønna.no +eid.no +eidfjord.no +eidsberg.no +eidskog.no +eidsvoll.no +eigersund.no +elverum.no +enebakk.no +engerdal.no +etne.no +etnedal.no +evenes.no +evenassi.no +evenášši.no +evje-og-hornnes.no +farsund.no +fauske.no +fuossko.no +fuoisku.no +fedje.no +fet.no +finnoy.no +finnøy.no +fitjar.no +fjaler.no +fjell.no +flakstad.no +flatanger.no +flekkefjord.no +flesberg.no +flora.no +fla.no +flå.no +folldal.no +forsand.no +fosnes.no +frei.no +frogn.no +froland.no +frosta.no +frana.no +fræna.no +froya.no +frøya.no +fusa.no +fyresdal.no +forde.no +førde.no +gamvik.no +gangaviika.no +gáŋgaviika.no +gaular.no +gausdal.no +gildeskal.no +gildeskål.no +giske.no +gjemnes.no +gjerdrum.no +gjerstad.no +gjesdal.no +gjovik.no +gjøvik.no +gloppen.no +gol.no +gran.no +grane.no +granvin.no +gratangen.no +grimstad.no +grong.no +kraanghke.no +kråanghke.no +grue.no +gulen.no +hadsel.no +halden.no +halsa.no +hamar.no +hamaroy.no +habmer.no +hábmer.no +hapmir.no +hápmir.no +hammerfest.no +hammarfeasta.no +hámmárfeasta.no +haram.no +hareid.no +harstad.no +hasvik.no +aknoluokta.no +ákŋoluokta.no +hattfjelldal.no +aarborte.no +haugesund.no +hemne.no +hemnes.no 
+hemsedal.no +heroy.more-og-romsdal.no +herøy.møre-og-romsdal.no +heroy.nordland.no +herøy.nordland.no +hitra.no +hjartdal.no +hjelmeland.no +hobol.no +hobøl.no +hof.no +hol.no +hole.no +holmestrand.no +holtalen.no +holtålen.no +hornindal.no +horten.no +hurdal.no +hurum.no +hvaler.no +hyllestad.no +hagebostad.no +hægebostad.no +hoyanger.no +høyanger.no +hoylandet.no +høylandet.no +ha.no +hå.no +ibestad.no +inderoy.no +inderøy.no +iveland.no +jevnaker.no +jondal.no +jolster.no +jølster.no +karasjok.no +karasjohka.no +kárášjohka.no +karlsoy.no +galsa.no +gálsá.no +karmoy.no +karmøy.no +kautokeino.no +guovdageaidnu.no +klepp.no +klabu.no +klæbu.no +kongsberg.no +kongsvinger.no +kragero.no +kragerø.no +kristiansand.no +kristiansund.no +krodsherad.no +krødsherad.no +kvalsund.no +rahkkeravju.no +ráhkkerávju.no +kvam.no +kvinesdal.no +kvinnherad.no +kviteseid.no +kvitsoy.no +kvitsøy.no +kvafjord.no +kvæfjord.no +giehtavuoatna.no +kvanangen.no +kvænangen.no +navuotna.no +návuotna.no +kafjord.no +kåfjord.no +gaivuotna.no +gáivuotna.no +larvik.no +lavangen.no +lavagis.no +loabat.no +loabát.no +lebesby.no +davvesiida.no +leikanger.no +leirfjord.no +leka.no +leksvik.no +lenvik.no +leangaviika.no +leaŋgaviika.no +lesja.no +levanger.no +lier.no +lierne.no +lillehammer.no +lillesand.no +lindesnes.no +lindas.no +lindås.no +lom.no +loppa.no +lahppi.no +láhppi.no +lund.no +lunner.no +luroy.no +lurøy.no +luster.no +lyngdal.no +lyngen.no +ivgu.no +lardal.no +lerdal.no +lærdal.no +lodingen.no +lødingen.no +lorenskog.no +lørenskog.no +loten.no +løten.no +malvik.no +masoy.no +måsøy.no +muosat.no +muosát.no +mandal.no +marker.no +marnardal.no +masfjorden.no +meland.no +meldal.no +melhus.no +meloy.no +meløy.no +meraker.no +meråker.no +moareke.no +moåreke.no +midsund.no +midtre-gauldal.no +modalen.no +modum.no +molde.no +moskenes.no +moss.no +mosvik.no +malselv.no +målselv.no +malatvuopmi.no +málatvuopmi.no +namdalseid.no +aejrie.no +namsos.no +namsskogan.no +naamesjevuemie.no 
+nååmesjevuemie.no +laakesvuemie.no +nannestad.no +narvik.no +narviika.no +naustdal.no +nedre-eiker.no +nes.akershus.no +nes.buskerud.no +nesna.no +nesodden.no +nesseby.no +unjarga.no +unjárga.no +nesset.no +nissedal.no +nittedal.no +nord-aurdal.no +nord-fron.no +nord-odal.no +norddal.no +nordkapp.no +davvenjarga.no +davvenjárga.no +nordre-land.no +nordreisa.no +raisa.no +ráisa.no +nore-og-uvdal.no +notodden.no +naroy.no +nærøy.no +notteroy.no +nøtterøy.no +odda.no +oksnes.no +øksnes.no +oppdal.no +oppegard.no +oppegård.no +orkdal.no +orland.no +ørland.no +orskog.no +ørskog.no +orsta.no +ørsta.no +os.hedmark.no +os.hordaland.no +osen.no +osteroy.no +osterøy.no +ostre-toten.no +østre-toten.no +overhalla.no +ovre-eiker.no +øvre-eiker.no +oyer.no +øyer.no +oygarden.no +øygarden.no +oystre-slidre.no +øystre-slidre.no +porsanger.no +porsangu.no +porsáŋgu.no +porsgrunn.no +radoy.no +radøy.no +rakkestad.no +rana.no +ruovat.no +randaberg.no +rauma.no +rendalen.no +rennebu.no +rennesoy.no +rennesøy.no +rindal.no +ringebu.no +ringerike.no +ringsaker.no +rissa.no +risor.no +risør.no +roan.no +rollag.no +rygge.no +ralingen.no +rælingen.no +rodoy.no +rødøy.no +romskog.no +rømskog.no +roros.no +røros.no +rost.no +røst.no +royken.no +røyken.no +royrvik.no +røyrvik.no +rade.no +råde.no +salangen.no +siellak.no +saltdal.no +salat.no +sálát.no +sálat.no +samnanger.no +sande.more-og-romsdal.no +sande.møre-og-romsdal.no +sande.vestfold.no +sandefjord.no +sandnes.no +sandoy.no +sandøy.no +sarpsborg.no +sauda.no +sauherad.no +sel.no +selbu.no +selje.no +seljord.no +sigdal.no +siljan.no +sirdal.no +skaun.no +skedsmo.no +ski.no +skien.no +skiptvet.no +skjervoy.no +skjervøy.no +skierva.no +skiervá.no +skjak.no +skjåk.no +skodje.no +skanland.no +skånland.no +skanit.no +skánit.no +smola.no +smøla.no +snillfjord.no +snasa.no +snåsa.no +snoasa.no +snaase.no +snåase.no +sogndal.no +sokndal.no +sola.no +solund.no +songdalen.no +sortland.no +spydeberg.no +stange.no +stavanger.no +steigen.no 
+steinkjer.no +stjordal.no +stjørdal.no +stokke.no +stor-elvdal.no +stord.no +stordal.no +storfjord.no +omasvuotna.no +strand.no +stranda.no +stryn.no +sula.no +suldal.no +sund.no +sunndal.no +surnadal.no +sveio.no +svelvik.no +sykkylven.no +sogne.no +søgne.no +somna.no +sømna.no +sondre-land.no +søndre-land.no +sor-aurdal.no +sør-aurdal.no +sor-fron.no +sør-fron.no +sor-odal.no +sør-odal.no +sor-varanger.no +sør-varanger.no +matta-varjjat.no +mátta-várjjat.no +sorfold.no +sørfold.no +sorreisa.no +sørreisa.no +sorum.no +sørum.no +tana.no +deatnu.no +time.no +tingvoll.no +tinn.no +tjeldsund.no +dielddanuorri.no +tjome.no +tjøme.no +tokke.no +tolga.no +torsken.no +tranoy.no +tranøy.no +tromso.no +tromsø.no +tromsa.no +romsa.no +trondheim.no +troandin.no +trysil.no +trana.no +træna.no +trogstad.no +trøgstad.no +tvedestrand.no +tydal.no +tynset.no +tysfjord.no +divtasvuodna.no +divttasvuotna.no +tysnes.no +tysvar.no +tysvær.no +tonsberg.no +tønsberg.no +ullensaker.no +ullensvang.no +ulvik.no +utsira.no +vadso.no +vadsø.no +cahcesuolo.no +čáhcesuolo.no +vaksdal.no +valle.no +vang.no +vanylven.no +vardo.no +vardø.no +varggat.no +várggát.no +vefsn.no +vaapste.no +vega.no +vegarshei.no +vegårshei.no +vennesla.no +verdal.no +verran.no +vestby.no +vestnes.no +vestre-slidre.no +vestre-toten.no +vestvagoy.no +vestvågøy.no +vevelstad.no +vik.no +vikna.no +vindafjord.no +volda.no +voss.no +varoy.no +værøy.no +vagan.no +vågan.no +voagat.no +vagsoy.no +vågsøy.no +vaga.no +vågå.no +valer.ostfold.no +våler.østfold.no +valer.hedmark.no +våler.hedmark.no + +// np : http://www.mos.com.np/register.html +*.np + +// nr : http://cenpac.net.nr/dns/index.html +// Confirmed by registry 2008-06-17 +nr +biz.nr +info.nr +gov.nr +edu.nr +org.nr +net.nr +com.nr + +// nu : http://en.wikipedia.org/wiki/.nu +nu + +// nz : http://en.wikipedia.org/wiki/.nz +// Confirmed by registry 2014-05-19 +nz +ac.nz +co.nz +cri.nz +geek.nz +gen.nz +govt.nz +health.nz +iwi.nz +kiwi.nz +maori.nz +mil.nz +māori.nz 
+net.nz +org.nz +parliament.nz +school.nz + +// om : http://en.wikipedia.org/wiki/.om +om +co.om +com.om +edu.om +gov.om +med.om +museum.om +net.om +org.om +pro.om + +// org : http://en.wikipedia.org/wiki/.org +org + +// pa : http://www.nic.pa/ +// Some additional second level "domains" resolve directly as hostnames, such as +// pannet.pa, so we add a rule for "pa". +pa +ac.pa +gob.pa +com.pa +org.pa +sld.pa +edu.pa +net.pa +ing.pa +abo.pa +med.pa +nom.pa + +// pe : https://www.nic.pe/InformeFinalComision.pdf +pe +edu.pe +gob.pe +nom.pe +mil.pe +org.pe +com.pe +net.pe + +// pf : http://www.gobin.info/domainname/formulaire-pf.pdf +pf +com.pf +org.pf +edu.pf + +// pg : http://en.wikipedia.org/wiki/.pg +*.pg + +// ph : http://www.domains.ph/FAQ2.asp +// Submitted by registry 2008-06-13 +ph +com.ph +net.ph +org.ph +gov.ph +edu.ph +ngo.ph +mil.ph +i.ph + +// pk : http://pk5.pknic.net.pk/pk5/msgNamepk.PK +pk +com.pk +net.pk +edu.pk +org.pk +fam.pk +biz.pk +web.pk +gov.pk +gob.pk +gok.pk +gon.pk +gop.pk +gos.pk +info.pk + +// pl http://www.dns.pl/english/index.html +// confirmed on 26.09.2014 from Bogna Tchórzewska +pl +com.pl +net.pl +org.pl +info.pl +waw.pl +gov.pl +// pl functional domains (http://www.dns.pl/english/index.html) +aid.pl +agro.pl +atm.pl +auto.pl +biz.pl +edu.pl +gmina.pl +gsm.pl +mail.pl +miasta.pl +media.pl +mil.pl +nieruchomosci.pl +nom.pl +pc.pl +powiat.pl +priv.pl +realestate.pl +rel.pl +sex.pl +shop.pl +sklep.pl +sos.pl +szkola.pl +targi.pl +tm.pl +tourism.pl +travel.pl +turystyka.pl +// Government domains (administred by ippt.gov.pl) +uw.gov.pl +um.gov.pl +ug.gov.pl +upow.gov.pl +starostwo.gov.pl +so.gov.pl +sr.gov.pl +po.gov.pl +pa.gov.pl +// pl regional domains (http://www.dns.pl/english/index.html) +augustow.pl +babia-gora.pl +bedzin.pl +beskidy.pl +bialowieza.pl +bialystok.pl +bielawa.pl +bieszczady.pl +boleslawiec.pl +bydgoszcz.pl +bytom.pl +cieszyn.pl +czeladz.pl +czest.pl +dlugoleka.pl +elblag.pl +elk.pl +glogow.pl +gniezno.pl +gorlice.pl 
+grajewo.pl +ilawa.pl +jaworzno.pl +jelenia-gora.pl +jgora.pl +kalisz.pl +kazimierz-dolny.pl +karpacz.pl +kartuzy.pl +kaszuby.pl +katowice.pl +kepno.pl +ketrzyn.pl +klodzko.pl +kobierzyce.pl +kolobrzeg.pl +konin.pl +konskowola.pl +kutno.pl +lapy.pl +lebork.pl +legnica.pl +lezajsk.pl +limanowa.pl +lomza.pl +lowicz.pl +lubin.pl +lukow.pl +malbork.pl +malopolska.pl +mazowsze.pl +mazury.pl +mielec.pl +mielno.pl +mragowo.pl +naklo.pl +nowaruda.pl +nysa.pl +olawa.pl +olecko.pl +olkusz.pl +olsztyn.pl +opoczno.pl +opole.pl +ostroda.pl +ostroleka.pl +ostrowiec.pl +ostrowwlkp.pl +pila.pl +pisz.pl +podhale.pl +podlasie.pl +polkowice.pl +pomorze.pl +pomorskie.pl +prochowice.pl +pruszkow.pl +przeworsk.pl +pulawy.pl +radom.pl +rawa-maz.pl +rybnik.pl +rzeszow.pl +sanok.pl +sejny.pl +slask.pl +slupsk.pl +sosnowiec.pl +stalowa-wola.pl +skoczow.pl +starachowice.pl +stargard.pl +suwalki.pl +swidnica.pl +swiebodzin.pl +swinoujscie.pl +szczecin.pl +szczytno.pl +tarnobrzeg.pl +tgory.pl +turek.pl +tychy.pl +ustka.pl +walbrzych.pl +warmia.pl +warszawa.pl +wegrow.pl +wielun.pl +wlocl.pl +wloclawek.pl +wodzislaw.pl +wolomin.pl +wroclaw.pl +zachpomor.pl +zagan.pl +zarow.pl +zgora.pl +zgorzelec.pl + +// pm : http://www.afnic.fr/medias/documents/AFNIC-naming-policy2012.pdf +pm + +// pn : http://www.government.pn/PnRegistry/policies.htm +pn +gov.pn +co.pn +org.pn +edu.pn +net.pn + +// post : http://en.wikipedia.org/wiki/.post +post + +// pr : http://www.nic.pr/index.asp?f=1 +pr +com.pr +net.pr +org.pr +gov.pr +edu.pr +isla.pr +pro.pr +biz.pr +info.pr +name.pr +// these aren't mentioned on nic.pr, but on http://en.wikipedia.org/wiki/.pr +est.pr +prof.pr +ac.pr + +// pro : http://www.nic.pro/support_faq.htm +pro +aca.pro +bar.pro +cpa.pro +jur.pro +law.pro +med.pro +eng.pro + +// ps : http://en.wikipedia.org/wiki/.ps +// http://www.nic.ps/registration/policy.html#reg +ps +edu.ps +gov.ps +sec.ps +plo.ps +com.ps +org.ps +net.ps + +// pt : http://online.dns.pt/dns/start_dns +pt +net.pt +gov.pt 
+org.pt +edu.pt +int.pt +publ.pt +com.pt +nome.pt + +// pw : http://en.wikipedia.org/wiki/.pw +pw +co.pw +ne.pw +or.pw +ed.pw +go.pw +belau.pw + +// py : http://www.nic.py/pautas.html#seccion_9 +// Confirmed by registry 2012-10-03 +py +com.py +coop.py +edu.py +gov.py +mil.py +net.py +org.py + +// qa : http://domains.qa/en/ +qa +com.qa +edu.qa +gov.qa +mil.qa +name.qa +net.qa +org.qa +sch.qa + +// re : http://www.afnic.re/obtenir/chartes/nommage-re/annexe-descriptifs +re +com.re +asso.re +nom.re + +// ro : http://www.rotld.ro/ +ro +com.ro +org.ro +tm.ro +nt.ro +nom.ro +info.ro +rec.ro +arts.ro +firm.ro +store.ro +www.ro + +// rs : http://en.wikipedia.org/wiki/.rs +rs +co.rs +org.rs +edu.rs +ac.rs +gov.rs +in.rs + +// ru : http://www.cctld.ru/ru/docs/aktiv_8.php +// Industry domains +ru +ac.ru +com.ru +edu.ru +int.ru +net.ru +org.ru +pp.ru +// Geographical domains +adygeya.ru +altai.ru +amur.ru +arkhangelsk.ru +astrakhan.ru +bashkiria.ru +belgorod.ru +bir.ru +bryansk.ru +buryatia.ru +cbg.ru +chel.ru +chelyabinsk.ru +chita.ru +chukotka.ru +chuvashia.ru +dagestan.ru +dudinka.ru +e-burg.ru +grozny.ru +irkutsk.ru +ivanovo.ru +izhevsk.ru +jar.ru +joshkar-ola.ru +kalmykia.ru +kaluga.ru +kamchatka.ru +karelia.ru +kazan.ru +kchr.ru +kemerovo.ru +khabarovsk.ru +khakassia.ru +khv.ru +kirov.ru +koenig.ru +komi.ru +kostroma.ru +krasnoyarsk.ru +kuban.ru +kurgan.ru +kursk.ru +lipetsk.ru +magadan.ru +mari.ru +mari-el.ru +marine.ru +mordovia.ru +// mosreg.ru Bug 1090800 - removed at request of Aleksey Konstantinov +msk.ru +murmansk.ru +nalchik.ru +nnov.ru +nov.ru +novosibirsk.ru +nsk.ru +omsk.ru +orenburg.ru +oryol.ru +palana.ru +penza.ru +perm.ru +ptz.ru +rnd.ru +ryazan.ru +sakhalin.ru +samara.ru +saratov.ru +simbirsk.ru +smolensk.ru +spb.ru +stavropol.ru +stv.ru +surgut.ru +tambov.ru +tatarstan.ru +tom.ru +tomsk.ru +tsaritsyn.ru +tsk.ru +tula.ru +tuva.ru +tver.ru +tyumen.ru +udm.ru +udmurtia.ru +ulan-ude.ru +vladikavkaz.ru +vladimir.ru +vladivostok.ru +volgograd.ru +vologda.ru 
+voronezh.ru +vrn.ru +vyatka.ru +yakutia.ru +yamal.ru +yaroslavl.ru +yekaterinburg.ru +yuzhno-sakhalinsk.ru +// More geographical domains +amursk.ru +baikal.ru +cmw.ru +fareast.ru +jamal.ru +kms.ru +k-uralsk.ru +kustanai.ru +kuzbass.ru +magnitka.ru +mytis.ru +nakhodka.ru +nkz.ru +norilsk.ru +oskol.ru +pyatigorsk.ru +rubtsovsk.ru +snz.ru +syzran.ru +vdonsk.ru +zgrad.ru +// State domains +gov.ru +mil.ru +// Technical domains +test.ru + +// rw : http://www.nic.rw/cgi-bin/policy.pl +rw +gov.rw +net.rw +edu.rw +ac.rw +com.rw +co.rw +int.rw +mil.rw +gouv.rw + +// sa : http://www.nic.net.sa/ +sa +com.sa +net.sa +org.sa +gov.sa +med.sa +pub.sa +edu.sa +sch.sa + +// sb : http://www.sbnic.net.sb/ +// Submitted by registry 2008-06-08 +sb +com.sb +edu.sb +gov.sb +net.sb +org.sb + +// sc : http://www.nic.sc/ +sc +com.sc +gov.sc +net.sc +org.sc +edu.sc + +// sd : http://www.isoc.sd/sudanic.isoc.sd/billing_pricing.htm +// Submitted by registry 2008-06-17 +sd +com.sd +net.sd +org.sd +edu.sd +med.sd +tv.sd +gov.sd +info.sd + +// se : http://en.wikipedia.org/wiki/.se +// Submitted by registry 2014-03-18 +se +a.se +ac.se +b.se +bd.se +brand.se +c.se +d.se +e.se +f.se +fh.se +fhsk.se +fhv.se +g.se +h.se +i.se +k.se +komforb.se +kommunalforbund.se +komvux.se +l.se +lanbib.se +m.se +n.se +naturbruksgymn.se +o.se +org.se +p.se +parti.se +pp.se +press.se +r.se +s.se +t.se +tm.se +u.se +w.se +x.se +y.se +z.se + +// sg : http://www.nic.net.sg/page/registration-policies-procedures-and-guidelines +sg +com.sg +net.sg +org.sg +gov.sg +edu.sg +per.sg + +// sh : http://www.nic.sh/registrar.html +sh +com.sh +net.sh +gov.sh +org.sh +mil.sh + +// si : http://en.wikipedia.org/wiki/.si +si + +// sj : No registrations at this time. +// Submitted by registry 2008-06-16 +sj + +// sk : http://en.wikipedia.org/wiki/.sk +// list of 2nd level domains ? 
+sk + +// sl : http://www.nic.sl +// Submitted by registry 2008-06-12 +sl +com.sl +net.sl +edu.sl +gov.sl +org.sl + +// sm : http://en.wikipedia.org/wiki/.sm +sm + +// sn : http://en.wikipedia.org/wiki/.sn +sn +art.sn +com.sn +edu.sn +gouv.sn +org.sn +perso.sn +univ.sn + +// so : http://www.soregistry.com/ +so +com.so +net.so +org.so + +// sr : http://en.wikipedia.org/wiki/.sr +sr + +// st : http://www.nic.st/html/policyrules/ +st +co.st +com.st +consulado.st +edu.st +embaixada.st +gov.st +mil.st +net.st +org.st +principe.st +saotome.st +store.st + +// su : http://en.wikipedia.org/wiki/.su +su + +// sv : http://www.svnet.org.sv/niveldos.pdf +sv +com.sv +edu.sv +gob.sv +org.sv +red.sv + +// sx : http://en.wikipedia.org/wiki/.sx +// Confirmed by registry 2012-05-31 +sx +gov.sx + +// sy : http://en.wikipedia.org/wiki/.sy +// see also: http://www.gobin.info/domainname/sy.doc +sy +edu.sy +gov.sy +net.sy +mil.sy +com.sy +org.sy + +// sz : http://en.wikipedia.org/wiki/.sz +// http://www.sispa.org.sz/ +sz +co.sz +ac.sz +org.sz + +// tc : http://en.wikipedia.org/wiki/.tc +tc + +// td : http://en.wikipedia.org/wiki/.td +td + +// tel: http://en.wikipedia.org/wiki/.tel +// http://www.telnic.org/ +tel + +// tf : http://en.wikipedia.org/wiki/.tf +tf + +// tg : http://en.wikipedia.org/wiki/.tg +// http://www.nic.tg/ +tg + +// th : http://en.wikipedia.org/wiki/.th +// Submitted by registry 2008-06-17 +th +ac.th +co.th +go.th +in.th +mi.th +net.th +or.th + +// tj : http://www.nic.tj/policy.html +tj +ac.tj +biz.tj +co.tj +com.tj +edu.tj +go.tj +gov.tj +int.tj +mil.tj +name.tj +net.tj +nic.tj +org.tj +test.tj +web.tj + +// tk : http://en.wikipedia.org/wiki/.tk +tk + +// tl : http://en.wikipedia.org/wiki/.tl +tl +gov.tl + +// tm : http://www.nic.tm/local.html +tm +com.tm +co.tm +org.tm +net.tm +nom.tm +gov.tm +mil.tm +edu.tm + +// tn : http://en.wikipedia.org/wiki/.tn +// http://whois.ati.tn/ +tn +com.tn +ens.tn +fin.tn +gov.tn +ind.tn +intl.tn +nat.tn +net.tn +org.tn +info.tn 
+perso.tn +tourism.tn +edunet.tn +rnrt.tn +rns.tn +rnu.tn +mincom.tn +agrinet.tn +defense.tn +turen.tn + +// to : http://en.wikipedia.org/wiki/.to +// Submitted by registry 2008-06-17 +to +com.to +gov.to +net.to +org.to +edu.to +mil.to + +// tp : No registrations at this time. +// Submitted by Ryan Sleevi 2014-01-03 +tp + +// subTLDs: https://www.nic.tr/forms/eng/policies.pdf +// and: https://www.nic.tr/forms/politikalar.pdf +// Submitted by 2014-07-19 +tr +com.tr +info.tr +biz.tr +net.tr +org.tr +web.tr +gen.tr +tv.tr +av.tr +dr.tr +bbs.tr +name.tr +tel.tr +gov.tr +bel.tr +pol.tr +mil.tr +k12.tr +edu.tr +kep.tr + +// Used by Northern Cyprus +nc.tr + +// Used by government agencies of Northern Cyprus +gov.nc.tr + +// travel : http://en.wikipedia.org/wiki/.travel +travel + +// tt : http://www.nic.tt/ +tt +co.tt +com.tt +org.tt +net.tt +biz.tt +info.tt +pro.tt +int.tt +coop.tt +jobs.tt +mobi.tt +travel.tt +museum.tt +aero.tt +name.tt +gov.tt +edu.tt + +// tv : http://en.wikipedia.org/wiki/.tv +// Not listing any 2LDs as reserved since none seem to exist in practice, +// Wikipedia notwithstanding. 
+tv + +// tw : http://en.wikipedia.org/wiki/.tw +tw +edu.tw +gov.tw +mil.tw +com.tw +net.tw +org.tw +idv.tw +game.tw +ebiz.tw +club.tw +網路.tw +組織.tw +商業.tw + +// tz : http://www.tznic.or.tz/index.php/domains +// Confirmed by registry 2013-01-22 +tz +ac.tz +co.tz +go.tz +hotel.tz +info.tz +me.tz +mil.tz +mobi.tz +ne.tz +or.tz +sc.tz +tv.tz + +// ua : https://hostmaster.ua/policy/?ua +// Submitted by registry 2012-04-27 +ua +// ua 2LD +com.ua +edu.ua +gov.ua +in.ua +net.ua +org.ua +// ua geographic names +// https://hostmaster.ua/2ld/ +cherkassy.ua +cherkasy.ua +chernigov.ua +chernihiv.ua +chernivtsi.ua +chernovtsy.ua +ck.ua +cn.ua +cr.ua +crimea.ua +cv.ua +dn.ua +dnepropetrovsk.ua +dnipropetrovsk.ua +dominic.ua +donetsk.ua +dp.ua +if.ua +ivano-frankivsk.ua +kh.ua +kharkiv.ua +kharkov.ua +kherson.ua +khmelnitskiy.ua +khmelnytskyi.ua +kiev.ua +kirovograd.ua +km.ua +kr.ua +krym.ua +ks.ua +kv.ua +kyiv.ua +lg.ua +lt.ua +lugansk.ua +lutsk.ua +lv.ua +lviv.ua +mk.ua +mykolaiv.ua +nikolaev.ua +od.ua +odesa.ua +odessa.ua +pl.ua +poltava.ua +rivne.ua +rovno.ua +rv.ua +sb.ua +sebastopol.ua +sevastopol.ua +sm.ua +sumy.ua +te.ua +ternopil.ua +uz.ua +uzhgorod.ua +vinnica.ua +vinnytsia.ua +vn.ua +volyn.ua +yalta.ua +zaporizhzhe.ua +zaporizhzhia.ua +zhitomir.ua +zhytomyr.ua +zp.ua +zt.ua + +// Private registries in .ua +co.ua +pp.ua + +// ug : https://www.registry.co.ug/ +ug +co.ug +or.ug +ac.ug +sc.ug +go.ug +ne.ug +com.ug +org.ug + +// uk : http://en.wikipedia.org/wiki/.uk +// Submitted by registry +uk +ac.uk +co.uk +gov.uk +ltd.uk +me.uk +net.uk +nhs.uk +org.uk +plc.uk +police.uk +*.sch.uk + +// us : http://en.wikipedia.org/wiki/.us +us +dni.us +fed.us +isa.us +kids.us +nsn.us +// us geographic names +ak.us +al.us +ar.us +as.us +az.us +ca.us +co.us +ct.us +dc.us +de.us +fl.us +ga.us +gu.us +hi.us +ia.us +id.us +il.us +in.us +ks.us +ky.us +la.us +ma.us +md.us +me.us +mi.us +mn.us +mo.us +ms.us +mt.us +nc.us +nd.us +ne.us +nh.us +nj.us +nm.us +nv.us +ny.us +oh.us +ok.us +or.us 
+pa.us +pr.us +ri.us +sc.us +sd.us +tn.us +tx.us +ut.us +vi.us +vt.us +va.us +wa.us +wi.us +wv.us +wy.us +// The registrar notes several more specific domains available in each state, +// such as state.*.us, dst.*.us, etc., but resolution of these is somewhat +// haphazard; in some states these domains resolve as addresses, while in others +// only subdomains are available, or even nothing at all. We include the +// most common ones where it's clear that different sites are different +// entities. +k12.ak.us +k12.al.us +k12.ar.us +k12.as.us +k12.az.us +k12.ca.us +k12.co.us +k12.ct.us +k12.dc.us +k12.de.us +k12.fl.us +k12.ga.us +k12.gu.us +// k12.hi.us Bug 614565 - Hawaii has a state-wide DOE login +k12.ia.us +k12.id.us +k12.il.us +k12.in.us +k12.ks.us +k12.ky.us +k12.la.us +k12.ma.us +k12.md.us +k12.me.us +k12.mi.us +k12.mn.us +k12.mo.us +k12.ms.us +k12.mt.us +k12.nc.us +// k12.nd.us Bug 1028347 - Removed at request of Travis Rosso +k12.ne.us +k12.nh.us +k12.nj.us +k12.nm.us +k12.nv.us +k12.ny.us +k12.oh.us +k12.ok.us +k12.or.us +k12.pa.us +k12.pr.us +k12.ri.us +k12.sc.us +// k12.sd.us Bug 934131 - Removed at request of James Booze +k12.tn.us +k12.tx.us +k12.ut.us +k12.vi.us +k12.vt.us +k12.va.us +k12.wa.us +k12.wi.us +// k12.wv.us Bug 947705 - Removed at request of Verne Britton +k12.wy.us +cc.ak.us +cc.al.us +cc.ar.us +cc.as.us +cc.az.us +cc.ca.us +cc.co.us +cc.ct.us +cc.dc.us +cc.de.us +cc.fl.us +cc.ga.us +cc.gu.us +cc.hi.us +cc.ia.us +cc.id.us +cc.il.us +cc.in.us +cc.ks.us +cc.ky.us +cc.la.us +cc.ma.us +cc.md.us +cc.me.us +cc.mi.us +cc.mn.us +cc.mo.us +cc.ms.us +cc.mt.us +cc.nc.us +cc.nd.us +cc.ne.us +cc.nh.us +cc.nj.us +cc.nm.us +cc.nv.us +cc.ny.us +cc.oh.us +cc.ok.us +cc.or.us +cc.pa.us +cc.pr.us +cc.ri.us +cc.sc.us +cc.sd.us +cc.tn.us +cc.tx.us +cc.ut.us +cc.vi.us +cc.vt.us +cc.va.us +cc.wa.us +cc.wi.us +cc.wv.us +cc.wy.us +lib.ak.us +lib.al.us +lib.ar.us +lib.as.us +lib.az.us +lib.ca.us +lib.co.us +lib.ct.us +lib.dc.us +lib.de.us +lib.fl.us +lib.ga.us 
+lib.gu.us +lib.hi.us +lib.ia.us +lib.id.us +lib.il.us +lib.in.us +lib.ks.us +lib.ky.us +lib.la.us +lib.ma.us +lib.md.us +lib.me.us +lib.mi.us +lib.mn.us +lib.mo.us +lib.ms.us +lib.mt.us +lib.nc.us +lib.nd.us +lib.ne.us +lib.nh.us +lib.nj.us +lib.nm.us +lib.nv.us +lib.ny.us +lib.oh.us +lib.ok.us +lib.or.us +lib.pa.us +lib.pr.us +lib.ri.us +lib.sc.us +lib.sd.us +lib.tn.us +lib.tx.us +lib.ut.us +lib.vi.us +lib.vt.us +lib.va.us +lib.wa.us +lib.wi.us +// lib.wv.us Bug 941670 - Removed at request of Larry W Arnold +lib.wy.us +// k12.ma.us contains school districts in Massachusetts. The 4LDs are +// managed indepedently except for private (PVT), charter (CHTR) and +// parochial (PAROCH) schools. Those are delegated dorectly to the +// 5LD operators. +pvt.k12.ma.us +chtr.k12.ma.us +paroch.k12.ma.us + +// uy : http://www.nic.org.uy/ +uy +com.uy +edu.uy +gub.uy +mil.uy +net.uy +org.uy + +// uz : http://www.reg.uz/ +uz +co.uz +com.uz +net.uz +org.uz + +// va : http://en.wikipedia.org/wiki/.va +va + +// vc : http://en.wikipedia.org/wiki/.vc +// Submitted by registry 2008-06-13 +vc +com.vc +net.vc +org.vc +gov.vc +mil.vc +edu.vc + +// ve : https://registro.nic.ve/ +// Confirmed by registry 2012-10-04 +// Updated 2014-05-20 - Bug 940478 +ve +arts.ve +co.ve +com.ve +e12.ve +edu.ve +firm.ve +gob.ve +gov.ve +info.ve +int.ve +mil.ve +net.ve +org.ve +rec.ve +store.ve +tec.ve +web.ve + +// vg : http://en.wikipedia.org/wiki/.vg +vg + +// vi : http://www.nic.vi/newdomainform.htm +// http://www.nic.vi/Domain_Rules/body_domain_rules.html indicates some other +// TLDs are "reserved", such as edu.vi and gov.vi, but doesn't actually say they +// are available for registration (which they do not seem to be). 
+vi +co.vi +com.vi +k12.vi +net.vi +org.vi + +// vn : https://www.dot.vn/vnnic/vnnic/domainregistration.jsp +vn +com.vn +net.vn +org.vn +edu.vn +gov.vn +int.vn +ac.vn +biz.vn +info.vn +name.vn +pro.vn +health.vn + +// vu : http://en.wikipedia.org/wiki/.vu +// http://www.vunic.vu/ +vu +com.vu +edu.vu +net.vu +org.vu + +// wf : http://www.afnic.fr/medias/documents/AFNIC-naming-policy2012.pdf +wf + +// ws : http://en.wikipedia.org/wiki/.ws +// http://samoanic.ws/index.dhtml +ws +com.ws +net.ws +org.ws +gov.ws +edu.ws + +// yt : http://www.afnic.fr/medias/documents/AFNIC-naming-policy2012.pdf +yt + +// IDN ccTLDs +// Please sort by ISO 3166 ccTLD, then punicode string +// when submitting patches and follow this format: +// ("" ) : +// [optional sponsoring org] +// + +// xn--mgbaam7a8h ("Emerat" Arabic) : AE +// http://nic.ae/english/arabicdomain/rules.jsp +امارات + +// xn--54b7fta0cc ("Bangla" Bangla) : BD +বাংলা + +// xn--fiqs8s ("China" Chinese-Han-Simplified <.Zhongguo>) : CN +// CNNIC +// http://cnnic.cn/html/Dir/2005/10/11/3218.htm +中国 + +// xn--fiqz9s ("China" Chinese-Han-Traditional <.Zhongguo>) : CN +// CNNIC +// http://cnnic.cn/html/Dir/2005/10/11/3218.htm +中國 + +// xn--lgbbat1ad8j ("Algeria / Al Jazair" Arabic) : DZ +الجزائر + +// xn--wgbh1c ("Egypt" Arabic .masr) : EG +// http://www.dotmasr.eg/ +مصر + +// xn--node ("ge" Georgian (Mkhedruli)) : GE +გე + +// xn--j6w193g ("Hong Kong" Chinese-Han) : HK +// https://www2.hkirc.hk/register/rules.jsp +香港 + +// xn--h2brj9c ("Bharat" Devanagari) : IN +// India +भारत + +// xn--mgbbh1a71e ("Bharat" Arabic) : IN +// India +بھارت + +// xn--fpcrj9c3d ("Bharat" Telugu) : IN +// India +భారత్ + +// xn--gecrj9c ("Bharat" Gujarati) : IN +// India +ભારત + +// xn--s9brj9c ("Bharat" Gurmukhi) : IN +// India +ਭਾਰਤ + +// xn--45brj9c ("Bharat" Bengali) : IN +// India +ভারত + +// xn--xkc2dl3a5ee0h ("India" Tamil) : IN +// India +இந்தியா + +// xn--mgba3a4f16a ("Iran" Persian) : IR +ایران + +// xn--mgba3a4fra ("Iran" Arabic) : IR +ايران 
+ +// xn--mgbayh7gpa ("al-Ordon" Arabic) : JO +// National Information Technology Center (NITC) +// Royal Scientific Society, Al-Jubeiha +الاردن + +// xn--3e0b707e ("Republic of Korea" Hangul) : KR +한국 + +// xn--80ao21a ("Kaz" Kazakh) : KZ +қаз + +// xn--fzc2c9e2c ("Lanka" Sinhalese-Sinhala) : LK +// http://nic.lk +ලංකා + +// xn--xkc2al3hye2a ("Ilangai" Tamil) : LK +// http://nic.lk +இலங்கை + +// xn--mgbc0a9azcg ("Morocco / al-Maghrib" Arabic) : MA +المغرب + +// xn--l1acc ("mon" Mongolian) : MN +мон + +// xn--mgbx4cd0ab ("Malaysia" Malay) : MY +مليسيا + +// xn--mgb9awbf ("Oman" Arabic) : OM +عمان + +// xn--ygbi2ammx ("Falasteen" Arabic) : PS +// The Palestinian National Internet Naming Authority (PNINA) +// http://www.pnina.ps +فلسطين + +// xn--90a3ac ("srb" Cyrillic) : RS +// http://www.rnids.rs/en/the-.срб-domain +срб +пр.срб +орг.срб +обр.срб +од.срб +упр.срб +ак.срб + +// xn--p1ai ("rf" Russian-Cyrillic) : RU +// http://www.cctld.ru/en/docs/rulesrf.php +рф + +// xn--wgbl6a ("Qatar" Arabic) : QA +// http://www.ict.gov.qa/ +قطر + +// xn--mgberp4a5d4ar ("AlSaudiah" Arabic) : SA +// http://www.nic.net.sa/ +السعودية + +// xn--mgberp4a5d4a87g ("AlSaudiah" Arabic) variant : SA +السعودیة + +// xn--mgbqly7c0a67fbc ("AlSaudiah" Arabic) variant : SA +السعودیۃ + +// xn--mgbqly7cvafr ("AlSaudiah" Arabic) variant : SA +السعوديه + +// xn--ogbpf8fl ("Syria" Arabic) : SY +سورية + +// xn--mgbtf8fl ("Syria" Arabic) variant : SY +سوريا + +// xn--yfro4i67o Singapore ("Singapore" Chinese-Han) : SG +新加坡 + +// xn--clchc0ea0b2g2a9gcd ("Singapore" Tamil) : SG +சிங்கப்பூர் + +// xn--o3cw4h ("Thai" Thai) : TH +// http://www.thnic.co.th +ไทย + +// xn--pgbs0dh ("Tunis") : TN +// http://nic.tn +تونس + +// xn--kpry57d ("Taiwan" Chinese-Han-Traditional) : TW +// http://www.twnic.net/english/dn/dn_07a.htm +台灣 + +// xn--kprw13d ("Taiwan" Chinese-Han-Simplified) : TW +// http://www.twnic.net/english/dn/dn_07a.htm +台湾 + +// xn--nnx388a ("Taiwan") variant : TW +臺灣 + +// xn--j1amh ("ukr" Cyrillic) : 
UA +укр + +// xn--mgb2ddes ("AlYemen" Arabic) : YE +اليمن + +// xxx : http://icmregistry.com +xxx + +// ye : http://www.y.net.ye/services/domain_name.htm +*.ye + +// za : http://www.zadna.org.za/slds.html +*.za + +// zm : http://en.wikipedia.org/wiki/.zm +*.zm + +// zw : http://en.wikipedia.org/wiki/.zw +*.zw + + +// List of new gTLDs imported from https://newgtlds.icann.org/newgtlds.csv on 2015-01-27T00:02:07Z + +// abb : 2014-10-24 ABB Ltd +abb + +// abbott : 2014-07-24 Abbott Laboratories, Inc. +abbott + +// abogado : 2014-04-24 Top Level Domain Holdings Limited +abogado + +// academy : 2013-11-07 Half Oaks, LLC +academy + +// accenture : 2014-08-15 Accenture plc +accenture + +// accountant : 2014-11-20 dot Accountant Limited +accountant + +// accountants : 2014-03-20 Knob Town, LLC +accountants + +// aco : 2015-01-08 ACO Severin Ahlmann GmbH & Co. KG +aco + +// active : 2014-05-01 The Active Network, Inc +active + +// actor : 2013-12-12 United TLD Holdco Ltd. +actor + +// ads : 2014-12-04 Charleston Road Registry Inc. +ads + +// adult : 2014-10-16 ICM Registry AD LLC +adult + +// afl : 2014-10-02 Australian Football League +afl + +// africa : 2014-03-24 ZA Central Registry NPC trading as Registry.Africa +africa + +// agency : 2013-11-14 Steel Falls, LLC +agency + +// aig : 2014-12-18 American International Group, Inc. +aig + +// airforce : 2014-03-06 United TLD Holdco Ltd. +airforce + +// airtel : 2014-10-24 Bharti Airtel Limited +airtel + +// alibaba : 2015-01-15 Alibaba Group Holding Limited +alibaba + +// alipay : 2015-01-15 Alibaba Group Holding Limited +alipay + +// allfinanz : 2014-07-03 Allfinanz Deutsche Vermögensberatung Aktiengesellschaft +allfinanz + +// alsace : 2014-07-02 REGION D ALSACE +alsace + +// amsterdam : 2014-07-24 Gemeente Amsterdam +amsterdam + +// analytics : 2014-12-18 Campus IP LLC +analytics + +// android : 2014-08-07 Charleston Road Registry Inc. +android + +// anquan : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD. 
+anquan + +// apartments : 2014-12-11 June Maple, LLC +apartments + +// aquarelle : 2014-07-24 Aquarelle.com +aquarelle + +// aramco : 2014-11-20 Aramco Services Company +aramco + +// archi : 2014-02-06 STARTING DOT LIMITED +archi + +// army : 2014-03-06 United TLD Holdco Ltd. +army + +// arte : 2014-12-11 Association Relative à la Télévision Européenne G.E.I.E. +arte + +// associates : 2014-03-06 Baxter Hill, LLC +associates + +// attorney : 2014-03-20 +attorney + +// auction : 2014-03-20 +auction + +// audio : 2014-03-20 Uniregistry, Corp. +audio + +// author : 2014-12-18 Amazon EU S.à r.l. +author + +// auto : 2014-11-13 Uniregistry, Corp. +auto + +// autos : 2014-01-09 DERAutos, LLC +autos + +// avianca : 2015-01-08 Aerovias del Continente Americano S.A. Avianca +avianca + +// axa : 2013-12-19 AXA SA +axa + +// azure : 2014-12-18 Microsoft Corporation +azure + +// baidu : 2015-01-08 Baidu, Inc. +baidu + +// band : 2014-06-12 +band + +// bank : 2014-09-25 fTLD Registry Services LLC +bank + +// bar : 2013-12-12 Punto 2012 Sociedad Anonima Promotora de Inversion de Capital Variable +bar + +// barcelona : 2014-07-24 Municipi de Barcelona +barcelona + +// barclaycard : 2014-11-20 Barclays Bank PLC +barclaycard + +// barclays : 2014-11-20 Barclays Bank PLC +barclays + +// bargains : 2013-11-14 Half Hallow, LLC +bargains + +// bauhaus : 2014-04-17 Werkhaus GmbH +bauhaus + +// bayern : 2014-01-23 Bayern Connect GmbH +bayern + +// bbc : 2014-12-18 British Broadcasting Corporation +bbc + +// bbva : 2014-10-02 BANCO BILBAO VIZCAYA ARGENTARIA, S.A. +bbva + +// bcn : 2014-07-24 Municipi de Barcelona +bcn + +// beer : 2014-01-09 Top Level Domain Holdings Limited +beer + +// bentley : 2014-12-18 Bentley Motors Limited +bentley + +// berlin : 2013-10-31 dotBERLIN GmbH & Co. 
KG +berlin + +// best : 2013-12-19 BestTLD Pty Ltd +best + +// bharti : 2014-01-09 Bharti Enterprises (Holding) Private Limited +bharti + +// bible : 2014-06-19 American Bible Society +bible + +// bid : 2013-12-19 dot Bid Limited +bid + +// bike : 2013-08-27 Grand Hollow, LLC +bike + +// bing : 2014-12-18 Microsoft Corporation +bing + +// bingo : 2014-12-04 Sand Cedar, LLC +bingo + +// bio : 2014-03-06 STARTING DOT LIMITED +bio + +// black : 2014-01-16 Afilias Limited +black + +// blackfriday : 2014-01-16 Uniregistry, Corp. +blackfriday + +// bloomberg : 2014-07-17 Bloomberg IP Holdings LLC +bloomberg + +// blue : 2013-11-07 Afilias Limited +blue + +// bms : 2014-10-30 Bristol-Myers Squibb Company +bms + +// bmw : 2014-01-09 Bayerische Motoren Werke Aktiengesellschaft +bmw + +// bnl : 2014-07-24 Banca Nazionale del Lavoro +bnl + +// bnpparibas : 2014-05-29 BNP Paribas +bnpparibas + +// boats : 2014-12-04 DERBoats, LLC +boats + +// bom : 2014-10-16 Núcleo de Informação e Coordenação do Ponto BR - NIC.br +bom + +// bond : 2014-06-05 Bond University Limited +bond + +// boo : 2014-01-30 Charleston Road Registry Inc. +boo + +// boots : 2015-01-08 THE BOOTS COMPANY PLC +boots + +// bot : 2014-12-18 Amazon EU S.à r.l. +bot + +// boutique : 2013-11-14 Over Galley, LLC +boutique + +// bradesco : 2014-12-18 Banco Bradesco S.A. +bradesco + +// bridgestone : 2014-12-18 Bridgestone Corporation +bridgestone + +// broadway : 2014-12-22 Celebrate Broadway, Inc. +broadway + +// broker : 2014-12-11 IG Group Holdings PLC +broker + +// brussels : 2014-02-06 DNS.be vzw +brussels + +// budapest : 2013-11-21 Top Level Domain Holdings Limited +budapest + +// build : 2013-11-07 Plan Bee LLC +build + +// builders : 2013-11-07 Atomic Madison, LLC +builders + +// business : 2013-11-07 Spring Cross, LLC +business + +// buy : 2014-12-18 Amazon EU S.à r.l. +buy + +// buzz : 2013-10-02 DOTSTRATEGY CO. 
+buzz + +// bzh : 2014-02-27 Association www.bzh +bzh + +// cab : 2013-10-24 Half Sunset, LLC +cab + +// cal : 2014-07-24 Charleston Road Registry Inc. +cal + +// call : 2014-12-18 Amazon EU S.à r.l. +call + +// camera : 2013-08-27 Atomic Maple, LLC +camera + +// camp : 2013-11-07 Delta Dynamite, LLC +camp + +// cancerresearch : 2014-05-15 Australian Cancer Research Foundation +cancerresearch + +// canon : 2014-09-12 Canon Inc. +canon + +// capetown : 2014-03-24 ZA Central Registry NPC trading as ZA Central Registry +capetown + +// capital : 2014-03-06 Delta Mill, LLC +capital + +// car : 2015-01-22 Charleston Road Registry Inc. +car + +// caravan : 2013-12-12 Caravan International, Inc. +caravan + +// cards : 2013-12-05 Foggy Hollow, LLC +cards + +// care : 2014-03-06 Goose Cross +care + +// career : 2013-10-09 dotCareer LLC +career + +// careers : 2013-10-02 Wild Corner, LLC +careers + +// cars : 2014-11-13 Uniregistry, Corp. +cars + +// cartier : 2014-06-23 Richemont DNS Inc. +cartier + +// casa : 2013-11-21 Top Level Domain Holdings Limited +casa + +// cash : 2014-03-06 Delta Lake, LLC +cash + +// casino : 2014-12-18 Binky Sky, LLC +casino + +// catering : 2013-12-05 New Falls. LLC +catering + +// cba : 2014-06-26 COMMONWEALTH BANK OF AUSTRALIA +cba + +// cbn : 2014-08-22 The Christian Broadcasting Network, Inc. +cbn + +// center : 2013-11-07 Tin Mill, LLC +center + +// ceo : 2013-11-07 CEOTLD Pty Ltd +ceo + +// cern : 2014-06-05 European Organization for Nuclear Research (\ +cern + +// cfa : 2014-08-28 CFA Institute +cfa + +// cfd : 2014-12-11 IG Group Holdings PLC +cfd + +// channel : 2014-05-08 Charleston Road Registry Inc. +channel + +// chat : 2014-12-04 Sand Fields, LLC +chat + +// cheap : 2013-11-14 Sand Cover, LLC +cheap + +// chloe : 2014-10-16 Richemont DNS Inc. +chloe + +// christmas : 2013-11-21 Uniregistry, Corp. +christmas + +// chrome : 2014-07-24 Charleston Road Registry Inc. 
+chrome + +// church : 2014-02-06 Holly Fileds, LLC +church + +// circle : 2014-12-18 Amazon EU S.à r.l. +circle + +// cisco : 2014-12-22 Cisco Technology, Inc. +cisco + +// citic : 2014-01-09 CITIC Group Corporation +citic + +// city : 2014-05-29 Snow Sky, LLC +city + +// cityeats : 2014-12-11 Lifestyle Domain Holdings, Inc. +cityeats + +// claims : 2014-03-20 Black Corner, LLC +claims + +// cleaning : 2013-12-05 Fox Shadow, LLC +cleaning + +// click : 2014-06-05 Uniregistry, Corp. +click + +// clinic : 2014-03-20 Goose Park, LLC +clinic + +// clothing : 2013-08-27 Steel Lake, LLC +clothing + +// club : 2013-11-08 .CLUB DOMAINS, LLC +club + +// coach : 2014-10-09 Koko Island, LLC +coach + +// codes : 2013-10-31 Puff Willow, LLC +codes + +// coffee : 2013-10-17 Trixy Cover, LLC +coffee + +// college : 2014-01-16 XYZ.COM LLC +college + +// cologne : 2014-02-05 NetCologne Gesellschaft für Telekommunikation mbH +cologne + +// commbank : 2014-06-26 COMMONWEALTH BANK OF AUSTRALIA +commbank + +// community : 2013-12-05 Fox Orchard, LLC +community + +// company : 2013-11-07 Silver Avenue, LLC +company + +// computer : 2013-10-24 Pine Mill, LLC +computer + +// comsec : 2015-01-08 VeriSign, Inc. +comsec + +// condos : 2013-12-05 Pine House, LLC +condos + +// construction : 2013-09-16 Fox Dynamite, LLC +construction + +// consulting : 2013-12-05 +consulting + +// contact : 2015-01-08 Top Level Spectrum, Inc. 
+contact + +// contractors : 2013-09-10 Magic Woods, LLC +contractors + +// cooking : 2013-11-21 Top Level Domain Holdings Limited +cooking + +// cool : 2013-11-14 Koko Lake, LLC +cool + +// corsica : 2014-09-25 Collectivité Territoriale de Corse +corsica + +// country : 2013-12-19 Top Level Domain Holdings Limited +country + +// courses : 2014-12-04 OPEN UNIVERSITIES AUSTRALIA PTY LTD +courses + +// credit : 2014-03-20 Snow Shadow, LLC +credit + +// creditcard : 2014-03-20 Binky Frostbite, LLC +creditcard + +// creditunion : 2015-01-22 CUNA Performance Resources, LLC +creditunion + +// cricket : 2014-10-09 dot Cricket Limited +cricket + +// crown : 2014-10-24 Crown Equipment Corporation +crown + +// crs : 2014-04-03 Federated Co-operatives Limited +crs + +// cruises : 2013-12-05 Spring Way, LLC +cruises + +// csc : 2014-09-25 Alliance-One Services, Inc. +csc + +// cuisinella : 2014-04-03 SALM S.A.S. +cuisinella + +// cymru : 2014-05-08 Nominet UK +cymru + +// cyou : 2015-01-22 Beijing Gamease Age Digital Technology Co., Ltd. +cyou + +// dabur : 2014-02-06 Dabur India Limited +dabur + +// dad : 2014-01-23 Charleston Road Registry Inc. +dad + +// dance : 2013-10-24 United TLD Holdco Ltd. +dance + +// date : 2014-11-20 dot Date Limited +date + +// dating : 2013-12-05 Pine Fest, LLC +dating + +// datsun : 2014-03-27 NISSAN MOTOR CO., LTD. +datsun + +// day : 2014-01-30 Charleston Road Registry Inc. +day + +// dclk : 2014-11-20 Charleston Road Registry Inc. +dclk + +// dealer : 2014-12-22 Dealer Dot Com, Inc. +dealer + +// deals : 2014-05-22 Sand Sunset, LLC +deals + +// degree : 2014-03-06 +degree + +// delivery : 2014-09-11 Steel Station, LLC +delivery + +// dell : 2014-10-24 Dell Inc. +dell + +// democrat : 2013-10-24 United TLD Holdco Ltd. 
+democrat + +// dental : 2014-03-20 Tin Birch, LLC +dental + +// dentist : 2014-03-20 +dentist + +// desi : 2013-11-14 Desi Networks LLC +desi + +// design : 2014-11-07 Top Level Design, LLC +design + +// dev : 2014-10-16 Charleston Road Registry Inc. +dev + +// diamonds : 2013-09-22 John Edge, LLC +diamonds + +// diet : 2014-06-26 Uniregistry, Corp. +diet + +// digital : 2014-03-06 Dash Park, LLC +digital + +// direct : 2014-04-10 Half Trail, LLC +direct + +// directory : 2013-09-20 Extra Madison, LLC +directory + +// discount : 2014-03-06 Holly Hill, LLC +discount + +// dnp : 2013-12-13 Dai Nippon Printing Co., Ltd. +dnp + +// docs : 2014-10-16 Charleston Road Registry Inc. +docs + +// dog : 2014-12-04 Koko Mill, LLC +dog + +// doha : 2014-09-18 Communications Regulatory Authority (CRA) +doha + +// domains : 2013-10-17 Sugar Cross, LLC +domains + +// doosan : 2014-04-03 Doosan Corporation +doosan + +// download : 2014-11-20 dot Support Limited +download + +// dubai : 2015-01-01 Dubai Smart Government Department +dubai + +// durban : 2014-03-24 ZA Central Registry NPC trading as ZA Central Registry +durban + +// dvag : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG +dvag + +// earth : 2014-12-04 Interlink Co., Ltd. +earth + +// eat : 2014-01-23 Charleston Road Registry Inc. +eat + +// edeka : 2014-12-18 EDEKA Verband kaufmännischer Genossenschaften e.V. +edeka + +// education : 2013-11-07 Brice Way, LLC +education + +// email : 2013-10-31 Spring Madison, LLC +email + +// emerck : 2014-04-03 Merck KGaA +emerck + +// energy : 2014-09-11 Binky Birch, LLC +energy + +// engineer : 2014-03-06 United TLD Holdco Ltd. +engineer + +// engineering : 2014-03-06 Romeo Canyon +engineering + +// enterprises : 2013-09-20 Snow Oaks, LLC +enterprises + +// epson : 2014-12-04 Seiko Epson Corporation +epson + +// equipment : 2013-08-27 Corn Station, LLC +equipment + +// erni : 2014-04-03 ERNI Group Holding AG +erni + +// esq : 2014-05-08 Charleston Road Registry Inc. 
+esq + +// estate : 2013-08-27 Trixy Park, LLC +estate + +// eurovision : 2014-04-24 European Broadcasting Union (EBU) +eurovision + +// eus : 2013-12-12 Puntueus Fundazioa +eus + +// events : 2013-12-05 Pioneer Maple, LLC +events + +// everbank : 2014-05-15 EverBank +everbank + +// exchange : 2014-03-06 Spring Falls, LLC +exchange + +// expert : 2013-11-21 Magic Pass, LLC +expert + +// exposed : 2013-12-05 Victor Beach, LLC +exposed + +// fage : 2014-12-18 Fage International S.A. +fage + +// fail : 2014-03-06 Atomic Pipe, LLC +fail + +// fairwinds : 2014-11-13 FairWinds Partners, LLC +fairwinds + +// faith : 2014-11-20 dot Faith Limited +faith + +// fan : 2014-03-06 +fan + +// fans : 2014-11-07 Asiamix Digital Limited +fans + +// farm : 2013-11-07 Just Maple, LLC +farm + +// fashion : 2014-07-03 Top Level Domain Holdings Limited +fashion + +// fast : 2014-12-18 Amazon EU S.à r.l. +fast + +// feedback : 2013-12-19 Top Level Spectrum, Inc. +feedback + +// ferrero : 2014-12-18 Ferrero Trading Lux S.A. +ferrero + +// film : 2015-01-08 Motion Picture Domain Registry Pty Ltd +film + +// final : 2014-10-16 Núcleo de Informação e Coordenação do Ponto BR - NIC.br +final + +// finance : 2014-03-20 Cotton Cypress, LLC +finance + +// financial : 2014-03-06 Just Cover, LLC +financial + +// firestone : 2014-12-18 Bridgestone Corporation +firestone + +// firmdale : 2014-03-27 Firmdale Holdings Limited +firmdale + +// fish : 2013-12-12 Fox Woods, LLC +fish + +// fishing : 2013-11-21 Top Level Domain Holdings Limited +fishing + +// fit : 2014-11-07 Top Level Domain Holdings Limited +fit + +// fitness : 2014-03-06 Brice Orchard, LLC +fitness + +// flights : 2013-12-05 Fox Station, LLC +flights + +// florist : 2013-11-07 Half Cypress, LLC +florist + +// flowers : 2014-10-09 Uniregistry, Corp. +flowers + +// flsmidth : 2014-07-24 FLSmidth A/S +flsmidth + +// fly : 2014-05-08 Charleston Road Registry Inc. +fly + +// foo : 2014-01-23 Charleston Road Registry Inc. 
+foo + +// football : 2014-12-18 Foggy Farms, LLC +football + +// ford : 2014-11-13 Ford Motor Company +ford + +// forex : 2014-12-11 IG Group Holdings PLC +forex + +// forsale : 2014-05-22 +forsale + +// foundation : 2013-12-05 John Dale, LLC +foundation + +// frl : 2014-05-15 FRLregistry B.V. +frl + +// frogans : 2013-12-19 OP3FT +frogans + +// fund : 2014-03-20 John Castle, LLC +fund + +// furniture : 2014-03-20 Lone Fields, LLC +furniture + +// futbol : 2013-09-20 +futbol + +// gal : 2013-11-07 Asociación puntoGAL +gal + +// gallery : 2013-09-13 Sugar House, LLC +gallery + +// garden : 2014-06-26 Top Level Domain Holdings Limited +garden + +// gbiz : 2014-07-17 Charleston Road Registry Inc. +gbiz + +// gdn : 2014-07-31 Joint Stock Company \ +gdn + +// gea : 2014-12-04 GEA Group Aktiengesellschaft +gea + +// gent : 2014-01-23 COMBELL GROUP NV/SA +gent + +// ggee : 2014-01-09 GMO Internet, Inc. +ggee + +// gift : 2013-10-17 Uniregistry, Corp. +gift + +// gifts : 2014-07-03 Goose Sky, LLC +gifts + +// gives : 2014-03-06 United TLD Holdco Ltd. +gives + +// giving : 2014-11-13 Giving Limited +giving + +// glass : 2013-11-07 Black Cover, LLC +glass + +// gle : 2014-07-24 Charleston Road Registry Inc. +gle + +// global : 2014-04-17 Dot GLOBAL AS +global + +// globo : 2013-12-19 Globo Comunicação e Participações S.A +globo + +// gmail : 2014-05-01 Charleston Road Registry Inc. +gmail + +// gmo : 2014-01-09 GMO Internet, Inc. +gmo + +// gmx : 2014-04-24 1&1 Mail & Media GmbH +gmx + +// gold : 2015-01-22 June Edge, LLC +gold + +// goldpoint : 2014-11-20 YODOBASHI CAMERA CO.,LTD. +goldpoint + +// golf : 2014-12-18 Lone falls, LLC +golf + +// goo : 2014-12-18 NTT Resonant Inc. +goo + +// goog : 2014-11-20 Charleston Road Registry Inc. +goog + +// google : 2014-07-24 Charleston Road Registry Inc. +google + +// gop : 2014-01-16 Republican State Leadership Committee, Inc. +gop + +// got : 2014-12-18 Amazon EU S.à r.l. 
+got + +// graphics : 2013-09-13 Over Madison, LLC +graphics + +// gratis : 2014-03-20 Pioneer Tigers, LLC +gratis + +// green : 2014-05-08 Afilias Limited +green + +// gripe : 2014-03-06 Corn Sunset, LLC +gripe + +// group : 2014-08-15 Romeo Town, LLC +group + +// gucci : 2014-11-13 Guccio Gucci S.p.a. +gucci + +// guge : 2014-08-28 Charleston Road Registry Inc. +guge + +// guide : 2013-09-13 Snow Moon, LLC +guide + +// guitars : 2013-11-14 Uniregistry, Corp. +guitars + +// guru : 2013-08-27 Pioneer Cypress, LLC +guru + +// hamburg : 2014-02-20 Hamburg Top-Level-Domain GmbH +hamburg + +// hangout : 2014-11-13 Charleston Road Registry Inc. +hangout + +// haus : 2013-12-05 +haus + +// healthcare : 2014-06-12 Silver Glen, LLC +healthcare + +// help : 2014-06-26 Uniregistry, Corp. +help + +// here : 2014-02-06 Charleston Road Registry Inc. +here + +// hermes : 2014-07-10 HERMES INTERNATIONAL +hermes + +// hiphop : 2014-03-06 Uniregistry, Corp. +hiphop + +// hitachi : 2014-10-31 Hitachi, Ltd. +hitachi + +// hiv : 2014-03-13 dotHIV gemeinnuetziger e.V. +hiv + +// holdings : 2013-08-27 John Madison, LLC +holdings + +// holiday : 2013-11-07 Goose Woods, LLC +holiday + +// homes : 2014-01-09 DERHomes, LLC +homes + +// honda : 2014-12-18 Honda Motor Co., Ltd. +honda + +// horse : 2013-11-21 Top Level Domain Holdings Limited +horse + +// host : 2014-04-17 DotHost Inc. +host + +// hosting : 2014-05-29 Uniregistry, Corp. +hosting + +// hotmail : 2014-12-18 Microsoft Corporation +hotmail + +// house : 2013-11-07 Sugar Park, LLC +house + +// how : 2014-01-23 Charleston Road Registry Inc. +how + +// hsbc : 2014-10-24 HSBC Holdings PLC +hsbc + +// ibm : 2014-07-31 International Business Machines Corporation +ibm + +// ice : 2014-10-30 IntercontinentalExchange, Inc. +ice + +// icu : 2015-01-08 One.com A/S +icu + +// ifm : 2014-01-30 ifm electronic gmbh +ifm + +// iinet : 2014-07-03 Connect West Pty. Ltd. 
+iinet + +// immo : 2014-07-10 Auburn Bloom, LLC +immo + +// immobilien : 2013-11-07 United TLD Holdco Ltd. +immobilien + +// industries : 2013-12-05 Outer House, LLC +industries + +// infiniti : 2014-03-27 NISSAN MOTOR CO., LTD. +infiniti + +// ing : 2014-01-23 Charleston Road Registry Inc. +ing + +// ink : 2013-12-05 Top Level Design, LLC +ink + +// institute : 2013-11-07 Outer Maple, LLC +institute + +// insure : 2014-03-20 Pioneer Willow, LLC +insure + +// international : 2013-11-07 Wild Way, LLC +international + +// investments : 2014-03-20 Holly Glen, LLC +investments + +// ipiranga : 2014-08-28 Ipiranga Produtos de Petroleo S.A. +ipiranga + +// irish : 2014-08-07 Dot-Irish LLC +irish + +// ist : 2014-08-28 Istanbul Metropolitan Municipality +ist + +// istanbul : 2014-08-28 Istanbul Metropolitan Municipality +istanbul + +// itau : 2014-10-02 Itau Unibanco Holding S.A. +itau + +// iwc : 2014-06-23 Richemont DNS Inc. +iwc + +// jaguar : 2014-11-13 Jaguar Land Rover Ltd +jaguar + +// java : 2014-06-19 Oracle Corporation +java + +// jcb : 2014-11-20 JCB Co., Ltd. +jcb + +// jetzt : 2014-01-09 New TLD Company AB +jetzt + +// jlc : 2014-12-04 Richemont DNS Inc. +jlc + +// joburg : 2014-03-24 ZA Central Registry NPC trading as ZA Central Registry +joburg + +// jot : 2014-12-18 Amazon EU S.à r.l. +jot + +// joy : 2014-12-18 Amazon EU S.à r.l. +joy + +// jprs : 2014-09-18 Japan Registry Services Co., Ltd. +jprs + +// juegos : 2014-03-20 Uniregistry, Corp. +juegos + +// kaufen : 2013-11-07 United TLD Holdco Ltd. +kaufen + +// kddi : 2014-09-12 KDDI CORPORATION +kddi + +// kfh : 2014-12-04 Kuwait Finance House +kfh + +// kim : 2013-09-23 Afilias Limited +kim + +// kinder : 2014-11-07 Ferrero Trading Lux S.A. +kinder + +// kitchen : 2013-09-20 Just Goodbye, LLC +kitchen + +// kiwi : 2013-09-20 DOT KIWI LIMITED +kiwi + +// koeln : 2014-01-09 NetCologne Gesellschaft für Telekommunikation mbH +koeln + +// komatsu : 2015-01-08 Komatsu Ltd. 
+komatsu + +// kpn : 2015-01-08 Koninklijke KPN N.V. +kpn + +// krd : 2013-12-05 KRG Department of Information Technology +krd + +// kred : 2013-12-19 KredTLD Pty Ltd +kred + +// kyoto : 2014-11-07 Academic Institution: Kyoto Jyoho Gakuen +kyoto + +// lacaixa : 2014-01-09 CAIXA D'ESTALVIS I PENSIONS DE BARCELONA +lacaixa + +// land : 2013-09-10 Pine Moon, LLC +land + +// landrover : 2014-11-13 Jaguar Land Rover Ltd +landrover + +// lat : 2014-10-16 ECOM-LAC Federaciòn de Latinoamèrica y el Caribe para Internet y el Comercio Electrònico +lat + +// latrobe : 2014-06-16 La Trobe University +latrobe + +// law : 2015-01-22 Minds + Machines Group Limited +law + +// lawyer : 2014-03-20 +lawyer + +// lds : 2014-03-20 IRI Domain Management, LLC (\ +lds + +// lease : 2014-03-06 Victor Trail, LLC +lease + +// leclerc : 2014-08-07 A.C.D. LEC Association des Centres Distributeurs Edouard Leclerc +leclerc + +// legal : 2014-10-16 Blue Falls, LLC +legal + +// lgbt : 2014-05-08 Afilias Limited +lgbt + +// liaison : 2014-10-02 Liaison Technologies, Incorporated +liaison + +// lidl : 2014-09-18 Schwarz Domains und Services GmbH & Co. KG +lidl + +// life : 2014-02-06 Trixy Oaks, LLC +life + +// lifeinsurance : 2015-01-15 American Council of Life Insurers +lifeinsurance + +// lifestyle : 2014-12-11 Lifestyle Domain Holdings, Inc. +lifestyle + +// lighting : 2013-08-27 John McCook, LLC +lighting + +// like : 2014-12-18 Amazon EU S.à r.l. +like + +// limited : 2014-03-06 Big Fest, LLC +limited + +// limo : 2013-10-17 Hidden Frostbite, LLC +limo + +// lincoln : 2014-11-13 Ford Motor Company +lincoln + +// linde : 2014-12-04 Linde Aktiengesellschaft +linde + +// link : 2013-11-14 Uniregistry, Corp. +link + +// live : 2014-12-04 Half Woods, LLC +live + +// loan : 2014-11-20 dot Loan Limited +loan + +// loans : 2014-03-20 June Woods, LLC +loans + +// london : 2013-11-14 Dot London Domains Limited +london + +// lotte : 2014-11-07 Lotte Holdings Co., Ltd. 
+lotte + +// lotto : 2014-04-10 Afilias Limited +lotto + +// love : 2014-12-22 Merchant Law Group LLP +love + +// ltd : 2014-09-25 Over Corner, LLC +ltd + +// ltda : 2014-04-17 DOMAIN ROBOT SERVICOS DE HOSPEDAGEM NA INTERNET LTDA +ltda + +// lupin : 2014-11-07 LUPIN LIMITED +lupin + +// luxe : 2014-01-09 Top Level Domain Holdings Limited +luxe + +// luxury : 2013-10-17 Luxury Partners, LLC +luxury + +// madrid : 2014-05-01 Comunidad de Madrid +madrid + +// maif : 2014-10-02 Mutuelle Assurance Instituteur France (MAIF) +maif + +// maison : 2013-12-05 Victor Frostbite, LLC +maison + +// makeup : 2015-01-15 L'Oréal +makeup + +// man : 2014-12-04 MAN SE +man + +// management : 2013-11-07 John Goodbye, LLC +management + +// mango : 2013-10-24 PUNTO FA S.L. +mango + +// market : 2014-03-06 +market + +// marketing : 2013-11-07 Fern Pass, LLC +marketing + +// markets : 2014-12-11 IG Group Holdings PLC +markets + +// marriott : 2014-10-09 Marriott Worldwide Corporation +marriott + +// media : 2014-03-06 Grand Glen, LLC +media + +// meet : 2014-01-16 Afilias Limited +meet + +// melbourne : 2014-05-29 The Crown in right of the State of Victoria, represented by its Department of State Development, Business and Innovation +melbourne + +// meme : 2014-01-30 Charleston Road Registry Inc. +meme + +// memorial : 2014-10-16 Dog Beach, LLC +memorial + +// menu : 2013-09-11 Wedding TLD2, LLC +menu + +// meo : 2014-11-07 PT Comunicacoes S.A. +meo + +// miami : 2013-12-19 Top Level Domain Holdings Limited +miami + +// microsoft : 2014-12-18 Microsoft Corporation +microsoft + +// mini : 2014-01-09 Bayerische Motoren Werke Aktiengesellschaft +mini + +// mma : 2014-11-07 MMA IARD +mma + +// mobily : 2014-12-18 GreenTech Consultancy Company W.L.L. +mobily + +// moda : 2013-11-07 United TLD Holdco Ltd. +moda + +// moe : 2013-11-13 Interlink Co., Ltd. +moe + +// moi : 2014-12-18 Amazon EU S.à r.l. 
+moi + +// monash : 2013-09-30 Monash University +monash + +// money : 2014-10-16 Outer McCook, LLC +money + +// montblanc : 2014-06-23 Richemont DNS Inc. +montblanc + +// mormon : 2013-12-05 IRI Domain Management, LLC (\ +mormon + +// mortgage : 2014-03-20 +mortgage + +// moscow : 2013-12-19 Foundation for Assistance for Internet Technologies and Infrastructure Development (FAITID) +moscow + +// motorcycles : 2014-01-09 DERMotorcycles, LLC +motorcycles + +// mov : 2014-01-30 Charleston Road Registry Inc. +mov + +// movistar : 2014-10-16 Telefónica S.A. +movistar + +// mtn : 2014-12-04 MTN Dubai Limited +mtn + +// mtpc : 2014-11-20 Mitsubishi Tanabe Pharma Corporation +mtpc + +// nadex : 2014-12-11 IG Group Holdings PLC +nadex + +// nagoya : 2013-10-24 GMO Registry, Inc. +nagoya + +// navy : 2014-03-06 United TLD Holdco Ltd. +navy + +// nec : 2015-01-08 NEC Corporation +nec + +// netbank : 2014-06-26 COMMONWEALTH BANK OF AUSTRALIA +netbank + +// network : 2013-11-14 Trixy Manor, LLC +network + +// neustar : 2013-12-05 NeuStar, Inc. +neustar + +// new : 2014-01-30 Charleston Road Registry Inc. +new + +// news : 2014-12-18 Hidden Bloom, LLC +news + +// nexus : 2014-07-24 Charleston Road Registry Inc. +nexus + +// ngo : 2014-03-06 Public Interest Registry +ngo + +// nhk : 2014-02-13 Japan Broadcasting Corporation (NHK) +nhk + +// nico : 2014-12-04 DWANGO Co., Ltd. +nico + +// ninja : 2013-11-07 United TLD Holdco Ltd. +ninja + +// nissan : 2014-03-27 NISSAN MOTOR CO., LTD. +nissan + +// nokia : 2015-01-08 Nokia Corporation +nokia + +// norton : 2014-12-04 Symantec Corporation +norton + +// nowruz : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. +nowruz + +// nra : 2014-05-22 NRA Holdings Company, INC. 
+nra + +// nrw : 2013-11-21 Minds + Machines GmbH +nrw + +// ntt : 2014-10-31 NIPPON TELEGRAPH AND TELEPHONE CORPORATION +ntt + +// nyc : 2014-01-23 The City of New York by and through the New York City Department of Information Technology & Telecommunications +nyc + +// obi : 2014-09-25 OBI Group Holding SE & Co. KGaA +obi + +// okinawa : 2013-12-05 BusinessRalliart Inc. +okinawa + +// omega : 2015-01-08 The Swatch Group Ltd +omega + +// one : 2014-11-07 One.com A/S +one + +// ong : 2014-03-06 Public Interest Registry +ong + +// onl : 2013-09-16 I-Registry Ltd. +onl + +// online : 2015-01-15 DotOnline Inc. +online + +// ooo : 2014-01-09 INFIBEAM INCORPORATION LIMITED +ooo + +// oracle : 2014-06-19 Oracle Corporation +oracle + +// organic : 2014-03-27 Afilias Limited +organic + +// osaka : 2014-09-04 Interlink Co., Ltd. +osaka + +// otsuka : 2013-10-11 Otsuka Holdings Co., Ltd. +otsuka + +// ovh : 2014-01-16 OVH SAS +ovh + +// page : 2014-12-04 Charleston Road Registry Inc. +page + +// panerai : 2014-11-07 Richemont DNS Inc. +panerai + +// paris : 2014-01-30 City of Paris +paris + +// pars : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. +pars + +// partners : 2013-12-05 Magic Glen, LLC +partners + +// parts : 2013-12-05 Sea Goodbye, LLC +parts + +// party : 2014-09-11 Blue Sky Registry Limited +party + +// pharmacy : 2014-06-19 National Association of Boards of Pharmacy +pharmacy + +// philips : 2014-11-07 Koninklijke Philips N.V. +philips + +// photo : 2013-11-14 Uniregistry, Corp. +photo + +// photography : 2013-09-20 Sugar Glen, LLC +photography + +// photos : 2013-10-17 Sea Corner, LLC +photos + +// physio : 2014-05-01 PhysBiz Pty Ltd +physio + +// piaget : 2014-10-16 Richemont DNS Inc. +piaget + +// pics : 2013-11-14 Uniregistry, Corp. +pics + +// pictet : 2014-06-26 Pictet Europe S.A. +pictet + +// pictures : 2014-03-06 Foggy Sky, LLC +pictures + +// pid : 2015-01-08 Top Level Spectrum, Inc. +pid + +// pin : 2014-12-18 Amazon EU S.à r.l. 
+pin + +// pink : 2013-10-01 Afilias Limited +pink + +// pizza : 2014-06-26 Foggy Moon, LLC +pizza + +// place : 2014-04-24 Snow Galley, LLC +place + +// plumbing : 2013-09-10 Spring Tigers, LLC +plumbing + +// pohl : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG +pohl + +// poker : 2014-07-03 Afilias Domains No. 5 Limited +poker + +// porn : 2014-10-16 ICM Registry PN LLC +porn + +// praxi : 2013-12-05 Praxi S.p.A. +praxi + +// press : 2014-04-03 DotPress Inc. +press + +// prod : 2014-01-23 Charleston Road Registry Inc. +prod + +// productions : 2013-12-05 Magic Birch, LLC +productions + +// prof : 2014-07-24 Charleston Road Registry Inc. +prof + +// promo : 2014-12-18 Play.PROMO Oy +promo + +// properties : 2013-12-05 Big Pass, LLC +properties + +// property : 2014-05-22 Uniregistry, Corp. +property + +// pub : 2013-12-12 United TLD Holdco Ltd. +pub + +// qpon : 2013-11-14 dotCOOL, Inc. +qpon + +// quebec : 2013-12-19 PointQuébec Inc +quebec + +// racing : 2014-12-04 Premier Registry Limited +racing + +// read : 2014-12-18 Amazon EU S.à r.l. +read + +// realtor : 2014-05-29 Real Estate Domains LLC +realtor + +// recipes : 2013-10-17 Grand Island, LLC +recipes + +// red : 2013-11-07 Afilias Limited +red + +// redstone : 2014-10-31 Redstone Haute Couture Co., Ltd. +redstone + +// rehab : 2014-03-06 United TLD Holdco Ltd. +rehab + +// reise : 2014-03-13 dotreise GmbH +reise + +// reisen : 2014-03-06 New Cypress, LLC +reisen + +// reit : 2014-09-04 National Association of Real Estate Investment Trusts, Inc. +reit + +// ren : 2013-12-12 Beijing Qianxiang Wangjing Technology Development Co., Ltd. +ren + +// rent : 2014-12-04 DERRent, LLC +rent + +// rentals : 2013-12-05 Big Hollow,LLC +rentals + +// repair : 2013-11-07 Lone Sunset, LLC +repair + +// report : 2013-12-05 Binky Glen, LLC +report + +// republican : 2014-03-20 United TLD Holdco Ltd. 
+republican + +// rest : 2013-12-19 Punto 2012 Sociedad Anonima Promotora de Inversion de Capital Variable +rest + +// restaurant : 2014-07-03 Snow Avenue, LLC +restaurant + +// review : 2014-11-20 dot Review Limited +review + +// reviews : 2013-09-13 +reviews + +// rich : 2013-11-21 I-Registry Ltd. +rich + +// ricoh : 2014-11-20 Ricoh Company, Ltd. +ricoh + +// rio : 2014-02-27 Empresa Municipal de Informática SA - IPLANRIO +rio + +// rip : 2014-07-10 United TLD Holdco Ltd. +rip + +// rocher : 2014-12-18 Ferrero Trading Lux S.A. +rocher + +// rocks : 2013-11-14 +rocks + +// rodeo : 2013-12-19 Top Level Domain Holdings Limited +rodeo + +// room : 2014-12-18 Amazon EU S.à r.l. +room + +// rsvp : 2014-05-08 Charleston Road Registry Inc. +rsvp + +// ruhr : 2013-10-02 regiodot GmbH & Co. KG +ruhr + +// ryukyu : 2014-01-09 BusinessRalliart Inc. +ryukyu + +// saarland : 2013-12-12 dotSaarland GmbH +saarland + +// safe : 2014-12-18 Amazon EU S.à r.l. +safe + +// safety : 2015-01-08 Safety Registry Services, LLC. +safety + +// sakura : 2014-12-18 SAKURA Internet Inc. +sakura + +// sale : 2014-10-16 +sale + +// salon : 2014-12-11 Outer Orchard, LLC +salon + +// samsung : 2014-04-03 SAMSUNG SDS CO., LTD +samsung + +// sandvik : 2014-11-13 Sandvik AB +sandvik + +// sandvikcoromant : 2014-11-07 Sandvik AB +sandvikcoromant + +// sanofi : 2014-10-09 Sanofi +sanofi + +// sap : 2014-03-27 SAP AG +sap + +// sapo : 2014-11-07 PT Comunicacoes S.A. +sapo + +// sarl : 2014-07-03 Delta Orchard, LLC +sarl + +// saxo : 2014-10-31 Saxo Bank A/S +saxo + +// sbs : 2014-11-07 SPECIAL BROADCASTING SERVICE CORPORATION +sbs + +// sca : 2014-03-13 SVENSKA CELLULOSA AKTIEBOLAGET SCA (publ) +sca + +// scb : 2014-02-20 The Siam Commercial Bank Public Company Limited (\ +scb + +// schmidt : 2014-04-03 SALM S.A.S. 
+schmidt + +// scholarships : 2014-04-24 Scholarships.com, LLC +scholarships + +// school : 2014-12-18 Little Galley, LLC +school + +// schule : 2014-03-06 Outer Moon, LLC +schule + +// schwarz : 2014-09-18 Schwarz Domains und Services GmbH & Co. KG +schwarz + +// science : 2014-09-11 dot Science Limited +science + +// scor : 2014-10-31 SCOR SE +scor + +// scot : 2014-01-23 Dot Scot Registry Limited +scot + +// seat : 2014-05-22 SEAT, S.A. (Sociedad Unipersonal) +seat + +// seek : 2014-12-04 Seek Limited +seek + +// sener : 2014-10-24 Sener Ingeniería y Sistemas, S.A. +sener + +// services : 2014-02-27 Fox Castle, LLC +services + +// sew : 2014-07-17 SEW-EURODRIVE GmbH & Co KG +sew + +// sex : 2014-11-13 ICM Registry SX LLC +sex + +// sexy : 2013-09-11 Uniregistry, Corp. +sexy + +// sharp : 2014-05-01 Sharp Corporation +sharp + +// shia : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. +shia + +// shiksha : 2013-11-14 Afilias Limited +shiksha + +// shoes : 2013-10-02 Binky Galley, LLC +shoes + +// shouji : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD. +shouji + +// shriram : 2014-01-23 Shriram Capital Ltd. +shriram + +// singles : 2013-08-27 Fern Madison, LLC +singles + +// site : 2015-01-15 DotSite Inc. +site + +// skin : 2015-01-15 L'Oréal +skin + +// sky : 2014-06-19 Sky IP International Ltd, a company incorporated in England and Wales, operating via its registered Swiss branch +sky + +// skype : 2014-12-18 Microsoft Corporation +skype + +// smile : 2014-12-18 Amazon EU S.à r.l. +smile + +// social : 2013-11-07 United TLD Holdco Ltd. +social + +// software : 2014-03-20 +software + +// sohu : 2013-12-19 Sohu.com Limited +sohu + +// solar : 2013-11-07 Ruby Town, LLC +solar + +// solutions : 2013-11-07 Silver Cover, LLC +solutions + +// sony : 2015-01-08 Sony Corporation +sony + +// soy : 2014-01-23 Charleston Road Registry Inc. +soy + +// space : 2014-04-03 DotSpace Inc. +space + +// spiegel : 2014-02-05 SPIEGEL-Verlag Rudolf Augstein GmbH & Co. 
KG +spiegel + +// spreadbetting : 2014-12-11 IG Group Holdings PLC +spreadbetting + +// stada : 2014-11-13 STADA Arzneimittel AG +stada + +// star : 2015-01-08 Star India Private Limited +star + +// statoil : 2014-12-04 Statoil ASA +statoil + +// stc : 2014-10-09 Saudi Telecom Company +stc + +// stcgroup : 2014-10-09 Saudi Telecom Company +stcgroup + +// stockholm : 2014-12-18 Stockholms kommun +stockholm + +// storage : 2014-12-22 Self Storage Company LLC +storage + +// study : 2014-12-11 OPEN UNIVERSITIES AUSTRALIA PTY LTD +study + +// style : 2014-12-04 Binky Moon, LLC +style + +// sucks : 2014-12-22 Vox Populi Registry Inc. +sucks + +// supplies : 2013-12-19 Atomic Fields, LLC +supplies + +// supply : 2013-12-19 Half Falls, LLC +supply + +// support : 2013-10-24 Grand Orchard, LLC +support + +// surf : 2014-01-09 Top Level Domain Holdings Limited +surf + +// surgery : 2014-03-20 Tin Avenue, LLC +surgery + +// suzuki : 2014-02-20 SUZUKI MOTOR CORPORATION +suzuki + +// swatch : 2015-01-08 The Swatch Group Ltd +swatch + +// swiss : 2014-10-16 Swiss Confederation +swiss + +// sydney : 2014-09-18 State of New South Wales, Department of Premier and Cabinet +sydney + +// symantec : 2014-12-04 Symantec Corporation +symantec + +// systems : 2013-11-07 Dash Cypress, LLC +systems + +// tab : 2014-12-04 Tabcorp Holdings Limited +tab + +// taipei : 2014-07-10 Taipei City Government +taipei + +// taobao : 2015-01-15 Alibaba Group Holding Limited +taobao + +// tatar : 2014-04-24 Limited Liability Company \ +tatar + +// tattoo : 2013-08-30 Uniregistry, Corp. +tattoo + +// tax : 2014-03-20 Storm Orchard, LLC +tax + +// tci : 2014-09-12 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. +tci + +// technology : 2013-09-13 Auburn Falls +technology + +// telefonica : 2014-10-16 Telefónica S.A. 
+telefonica + +// temasek : 2014-08-07 Temasek Holdings (Private) Limited +temasek + +// tennis : 2014-12-04 Cotton Bloom, LLC +tennis + +// tienda : 2013-11-14 Victor Manor, LLC +tienda + +// tips : 2013-09-20 Corn Willow, LLC +tips + +// tires : 2014-11-07 Dog Edge, LLC +tires + +// tirol : 2014-04-24 punkt Tirol GmbH +tirol + +// tmall : 2015-01-15 Alibaba Group Holding Limited +tmall + +// today : 2013-09-20 Pearl Woods, LLC +today + +// tokyo : 2013-11-13 GMO Registry, Inc. +tokyo + +// tools : 2013-11-21 Pioneer North, LLC +tools + +// top : 2014-03-20 Jiangsu Bangning Science & Technology Co.,Ltd. +top + +// toray : 2014-12-18 Toray Industries, Inc. +toray + +// toshiba : 2014-04-10 TOSHIBA Corporation +toshiba + +// tours : 2015-01-22 Sugar Station, LLC +tours + +// town : 2014-03-06 Koko Moon, LLC +town + +// toys : 2014-03-06 Pioneer Orchard, LLC +toys + +// trade : 2014-01-23 Elite Registry Limited +trade + +// trading : 2014-12-11 IG Group Holdings PLC +trading + +// training : 2013-11-07 Wild Willow, LLC +training + +// trust : 2014-10-16 +trust + +// tui : 2014-07-03 TUI AG +tui + +// tushu : 2014-12-18 Amazon EU S.à r.l. +tushu + +// ubs : 2014-12-11 UBS AG +ubs + +// university : 2014-03-06 Little Station, LLC +university + +// uno : 2013-09-11 Dot Latin LLC +uno + +// uol : 2014-05-01 UBN INTERNET LTDA. +uol + +// vacations : 2013-12-05 Atomic Tigers, LLC +vacations + +// vana : 2014-12-11 Lifestyle Domain Holdings, Inc. +vana + +// vegas : 2014-01-16 Dot Vegas, Inc. 
+vegas + +// ventures : 2013-08-27 Binky Lake, LLC +ventures + +// versicherung : 2014-03-20 dotversicherung-registry GmbH +versicherung + +// vet : 2014-03-06 +vet + +// viajes : 2013-10-17 Black Madison, LLC +viajes + +// video : 2014-10-16 +video + +// villas : 2013-12-05 New Sky, LLC +villas + +// vip : 2015-01-22 Minds + Machines Group Limited +vip + +// virgin : 2014-09-25 Virgin Enterprises Limited +virgin + +// vision : 2013-12-05 Koko Station, LLC +vision + +// vista : 2014-09-18 Vistaprint Limited +vista + +// vistaprint : 2014-09-18 Vistaprint Limited +vistaprint + +// viva : 2014-11-07 Saudi Telecom Company +viva + +// vlaanderen : 2014-02-06 DNS.be vzw +vlaanderen + +// vodka : 2013-12-19 Top Level Domain Holdings Limited +vodka + +// vote : 2013-11-21 Monolith Registry LLC +vote + +// voting : 2013-11-13 Valuetainment Corp. +voting + +// voto : 2013-11-21 Monolith Registry LLC +voto + +// voyage : 2013-08-27 Ruby House, LLC +voyage + +// wales : 2014-05-08 Nominet UK +wales + +// walter : 2014-11-13 Sandvik AB +walter + +// wang : 2013-10-24 Zodiac Leo Limited +wang + +// wanggou : 2014-12-18 Amazon EU S.à r.l. +wanggou + +// watch : 2013-11-14 Sand Shadow, LLC +watch + +// watches : 2014-12-22 Richemont DNS Inc. +watches + +// weather : 2015-01-08 The Weather Channel, LLC +weather + +// webcam : 2014-01-23 dot Webcam Limited +webcam + +// website : 2014-04-03 DotWebsite Inc. +website + +// wed : 2013-10-01 Atgron, Inc. 
+wed + +// wedding : 2014-04-24 Top Level Domain Holdings Limited +wedding + +// whoswho : 2014-02-20 Who's Who Registry +whoswho + +// wien : 2013-10-28 punkt.wien GmbH +wien + +// wiki : 2013-11-07 Top Level Design, LLC +wiki + +// williamhill : 2014-03-13 William Hill Organization Limited +williamhill + +// win : 2014-11-20 First Registry Limited +win + +// windows : 2014-12-18 Microsoft Corporation +windows + +// wme : 2014-02-13 William Morris Endeavor Entertainment, LLC +wme + +// work : 2013-12-19 Top Level Domain Holdings Limited +work + +// works : 2013-11-14 Little Dynamite, LLC +works + +// world : 2014-06-12 Bitter Fields, LLC +world + +// wtc : 2013-12-19 World Trade Centers Association, Inc. +wtc + +// wtf : 2014-03-06 Hidden Way, LLC +wtf + +// xbox : 2014-12-18 Microsoft Corporation +xbox + +// xerox : 2014-10-24 Xerox DNHC LLC +xerox + +// xihuan : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD. +xihuan + +// xin : 2014-12-11 Elegant Leader Limited +xin + +// xn--11b4c3d : 2015-01-15 VeriSign Sarl +कॉम + +// xn--1qqw23a : 2014-01-09 Guangzhou YU Wei Information Technology Co., Ltd. 
+佛山 + +// xn--30rr7y : 2014-06-12 Excellent First Limited +慈善 + +// xn--3bst00m : 2013-09-13 Eagle Horizon Limited +集团 + +// xn--3ds443g : 2013-09-08 TLD REGISTRY LIMITED +在线 + +// xn--3pxu8k : 2015-01-15 VeriSign Sarl +点看 + +// xn--42c2d9a : 2015-01-15 VeriSign Sarl +คอม + +// xn--45q11c : 2013-11-21 Zodiac Scorpio Limited +八卦 + +// xn--4gbrim : 2013-10-04 Suhub Electronic Establishment +موقع + +// xn--55qw42g : 2013-11-08 China Organizational Name Administration Center +公益 + +// xn--55qx5d : 2013-11-14 Computer Network Information Center of Chinese Academy of Sciences (China Internet Network Information Center) +公司 + +// xn--5tzm5g : 2014-12-22 Global Website TLD Asia Limited +网站 + +// xn--6frz82g : 2013-09-23 Afilias Limited +移动 + +// xn--6qq986b3xl : 2013-09-13 Tycoon Treasure Limited +我爱你 + +// xn--80adxhks : 2013-12-19 Foundation for Assistance for Internet Technologies and Infrastructure Development (FAITID) +москва + +// xn--80asehdb : 2013-07-14 CORE Association +онлайн + +// xn--80aswg : 2013-07-14 CORE Association +сайт + +// xn--9dbq2a : 2015-01-15 VeriSign Sarl +קום + +// xn--9et52u : 2014-06-12 RISE VICTORY LIMITED +时尚 + +// xn--b4w605ferd : 2014-08-07 Temasek Holdings (Private) Limited +淡马锡 + +// xn--c1avg : 2013-11-14 Public Interest Registry +орг + +// xn--c2br7g : 2015-01-15 VeriSign Sarl +नेट + +// xn--cg4bki : 2013-09-27 SAMSUNG SDS CO., LTD +삼성 + +// xn--czr694b : 2014-01-16 HU YI GLOBAL INFORMATION RESOURCES(HOLDING) COMPANY.HONGKONG LIMITED +商标 + +// xn--czrs0t : 2013-12-19 Wild Island, LLC +商店 + +// xn--czru2d : 2013-11-21 Zodiac Capricorn Limited +商城 + +// xn--d1acj3b : 2013-11-20 The Foundation for Network Initiatives “The Smart Internet” +дети + +// xn--eckvdtc9d : 2014-12-18 Amazon EU S.à r.l. 
+ポイント + +// xn--efvy88h : 2014-08-22 Xinhua News Agency Guangdong Branch 新华通讯社广东分社 +新闻 + +// xn--fhbei : 2015-01-15 VeriSign Sarl +كوم + +// xn--fiq228c5hs : 2013-09-08 TLD REGISTRY LIMITED +中文网 + +// xn--fiq64b : 2013-10-14 CITIC Group Corporation +中信 + +// xn--fjq720a : 2014-05-22 Will Bloom, LLC +娱乐 + +// xn--flw351e : 2014-07-31 Charleston Road Registry Inc. +谷歌 + +// xn--hxt814e : 2014-05-15 Zodiac Libra Limited +网店 + +// xn--i1b6b1a6a2e : 2013-11-14 Public Interest Registry +संगठन + +// xn--imr513n : 2014-12-11 HU YI GLOBAL INFORMATION RESOURCES (HOLDING) COMPANY. HONGKONG LIMITED +餐厅 + +// xn--io0a7i : 2013-11-14 Computer Network Information Center of Chinese Academy of Sciences (China Internet Network Information Center) +网络 + +// xn--j1aef : 2015-01-15 VeriSign Sarl +ком + +// xn--jlq61u9w7b : 2015-01-08 Nokia Corporation +诺基亚 + +// xn--kcrx77d1x4a : 2014-11-07 Koninklijke Philips N.V. +飞利浦 + +// xn--kpu716f : 2014-12-22 Richemont DNS Inc. +手表 + +// xn--kput3i : 2014-02-13 Beijing RITT-Net Technology Development Co., Ltd +手机 + +// xn--mgba3a3ejt : 2014-11-20 Aramco Services Company +ارامكو + +// xn--mgbab2bd : 2013-10-31 CORE Association +بازار + +// xn--mgbb9fbpob : 2014-12-18 GreenTech Consultancy Company W.L.L. +موبايلي + +// xn--mgbt3dhd : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. +همراه + +// xn--mk1bu44c : 2015-01-15 VeriSign Sarl +닷컴 + +// xn--mxtq1m : 2014-03-06 Net-Chinese Co., Ltd. +政府 + +// xn--ngbc5azd : 2013-07-13 International Domain Registry Pty. Ltd. +شبكة + +// xn--ngbe9e0a : 2014-12-04 Kuwait Finance House +بيتك + +// xn--nqv7f : 2013-11-14 Public Interest Registry +机构 + +// xn--nqv7fs00ema : 2013-11-14 Public Interest Registry +组织机构 + +// xn--nyqy26a : 2014-11-07 Stable Tone Limited +健康 + +// xn--p1acf : 2013-12-12 Rusnames Limited +рус + +// xn--pbt977c : 2014-12-22 Richemont DNS Inc. +珠宝 + +// xn--pssy2u : 2015-01-15 VeriSign Sarl +大拿 + +// xn--q9jyb4c : 2013-09-17 Charleston Road Registry Inc. 
+みんな + +// xn--qcka1pmc : 2014-07-31 Charleston Road Registry Inc. +グーグル + +// xn--rhqv96g : 2013-09-11 Stable Tone Limited +世界 + +// xn--ses554g : 2014-01-16 +网址 + +// xn--t60b56a : 2015-01-15 VeriSign Sarl +닷넷 + +// xn--tckwe : 2015-01-15 VeriSign Sarl +コム + +// xn--unup4y : 2013-07-14 Spring Fields, LLC +游戏 + +// xn--vermgensberater-ctb : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG +vermögensberater + +// xn--vermgensberatung-pwb : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG +vermögensberatung + +// xn--vhquv : 2013-08-27 Dash McCook, LLC +企业 + +// xn--vuq861b : 2014-10-16 Beijing Tele-info Network Technology Co., Ltd. +信息 + +// xn--xhq521b : 2013-11-14 Guangzhou YU Wei Information Technology Co., Ltd. +广东 + +// xn--zfr164b : 2013-11-08 China Organizational Name Administration Center +政务 + +// xyz : 2013-12-05 XYZ.COM LLC +xyz + +// yachts : 2014-01-09 DERYachts, LLC +yachts + +// yamaxun : 2014-12-18 Amazon EU S.à r.l. +yamaxun + +// yandex : 2014-04-10 YANDEX, LLC +yandex + +// yodobashi : 2014-11-20 YODOBASHI CAMERA CO.,LTD. +yodobashi + +// yoga : 2014-05-29 Top Level Domain Holdings Limited +yoga + +// yokohama : 2013-12-12 GMO Registry, Inc. +yokohama + +// youtube : 2014-05-01 Charleston Road Registry Inc. +youtube + +// yun : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD. +yun + +// zara : 2014-11-07 Industria de Diseño Textil, S.A. (INDITEX, S.A.) +zara + +// zero : 2014-12-18 Amazon EU S.à r.l. +zero + +// zip : 2014-05-08 Charleston Road Registry Inc. 
+zip + +// zone : 2013-11-14 Outer Falls, LLC +zone + +// zuerich : 2014-11-07 Kanton Zürich (Canton of Zurich) +zuerich + + +// ===END ICANN DOMAINS=== +// ===BEGIN PRIVATE DOMAINS=== + +// Amazon CloudFront : https://aws.amazon.com/cloudfront/ +// Submitted by Donavan Miller 2013-03-22 +cloudfront.net + +// Amazon Elastic Compute Cloud: https://aws.amazon.com/ec2/ +// Submitted by Osman Surkatty 2014-12-16 +ap-northeast-1.compute.amazonaws.com +ap-southeast-1.compute.amazonaws.com +ap-southeast-2.compute.amazonaws.com +cn-north-1.compute.amazonaws.cn +compute.amazonaws.cn +compute.amazonaws.com +compute-1.amazonaws.com +eu-west-1.compute.amazonaws.com +eu-central-1.compute.amazonaws.com +sa-east-1.compute.amazonaws.com +us-east-1.amazonaws.com +us-gov-west-1.compute.amazonaws.com +us-west-1.compute.amazonaws.com +us-west-2.compute.amazonaws.com +z-1.compute-1.amazonaws.com +z-2.compute-1.amazonaws.com + +// Amazon Elastic Beanstalk : https://aws.amazon.com/elasticbeanstalk/ +// Submitted by Adam Stein 2013-04-02 +elasticbeanstalk.com + +// Amazon Elastic Load Balancing : https://aws.amazon.com/elasticloadbalancing/ +// Submitted by Scott Vidmar 2013-03-27 +elb.amazonaws.com + +// Amazon S3 : https://aws.amazon.com/s3/ +// Submitted by Courtney Eckhardt 2013-03-22 +s3.amazonaws.com +s3-us-west-2.amazonaws.com +s3-us-west-1.amazonaws.com +s3-eu-west-1.amazonaws.com +s3-ap-southeast-1.amazonaws.com +s3-ap-southeast-2.amazonaws.com +s3-ap-northeast-1.amazonaws.com +s3-sa-east-1.amazonaws.com +s3-us-gov-west-1.amazonaws.com +s3-fips-us-gov-west-1.amazonaws.com +s3-website-us-east-1.amazonaws.com +s3-website-us-west-2.amazonaws.com +s3-website-us-west-1.amazonaws.com +s3-website-eu-west-1.amazonaws.com +s3-website-ap-southeast-1.amazonaws.com +s3-website-ap-southeast-2.amazonaws.com +s3-website-ap-northeast-1.amazonaws.com +s3-website-sa-east-1.amazonaws.com +s3-website-us-gov-west-1.amazonaws.com + +// BetaInABox +// Submitted by adrian@betainabox.com 2012-09-13 
+betainabox.com + +// CentralNic : http://www.centralnic.com/names/domains +// Submitted by registry 2012-09-27 +ae.org +ar.com +br.com +cn.com +com.de +com.se +de.com +eu.com +gb.com +gb.net +hu.com +hu.net +jp.net +jpn.com +kr.com +mex.com +no.com +qc.com +ru.com +sa.com +se.com +se.net +uk.com +uk.net +us.com +uy.com +za.bz +za.com + +// Africa.com Web Solutions Ltd : https://registry.africa.com +// Submitted by Gavin Brown 2014-02-04 +africa.com + +// iDOT Services Limited : http://www.domain.gr.com +// Submitted by Gavin Brown 2014-02-04 +gr.com + +// Radix FZC : http://domains.in.net +// Submitted by Gavin Brown 2014-02-04 +in.net + +// US REGISTRY LLC : http://us.org +// Submitted by Gavin Brown 2014-02-04 +us.org + +// co.com Registry, LLC : https://registry.co.com +// Submitted by Gavin Brown 2014-02-04 +co.com + +// c.la : http://www.c.la/ +c.la + +// cloudControl : https://www.cloudcontrol.com/ +// Submitted by Tobias Wilken 2013-07-23 +cloudcontrolled.com +cloudcontrolapp.com + +// co.ca : http://registry.co.ca/ +co.ca + +// CoDNS B.V. 
+co.nl +co.no + +// Commerce Guys, SAS +// Submitted by Damien Tournoud 2015-01-22 +*.platform.sh + +// Cupcake : https://cupcake.io/ +// Submitted by Jonathan Rudenberg 2013-10-08 +cupcake.is + +// DreamHost : http://www.dreamhost.com/ +// Submitted by Andrew Farmer 2012-10-02 +dreamhosters.com + +// DynDNS.com : http://www.dyndns.com/services/dns/dyndns/ +dyndns-at-home.com +dyndns-at-work.com +dyndns-blog.com +dyndns-free.com +dyndns-home.com +dyndns-ip.com +dyndns-mail.com +dyndns-office.com +dyndns-pics.com +dyndns-remote.com +dyndns-server.com +dyndns-web.com +dyndns-wiki.com +dyndns-work.com +dyndns.biz +dyndns.info +dyndns.org +dyndns.tv +at-band-camp.net +ath.cx +barrel-of-knowledge.info +barrell-of-knowledge.info +better-than.tv +blogdns.com +blogdns.net +blogdns.org +blogsite.org +boldlygoingnowhere.org +broke-it.net +buyshouses.net +cechire.com +dnsalias.com +dnsalias.net +dnsalias.org +dnsdojo.com +dnsdojo.net +dnsdojo.org +does-it.net +doesntexist.com +doesntexist.org +dontexist.com +dontexist.net +dontexist.org +doomdns.com +doomdns.org +dvrdns.org +dyn-o-saur.com +dynalias.com +dynalias.net +dynalias.org +dynathome.net +dyndns.ws +endofinternet.net +endofinternet.org +endoftheinternet.org +est-a-la-maison.com +est-a-la-masion.com +est-le-patron.com +est-mon-blogueur.com +for-better.biz +for-more.biz +for-our.info +for-some.biz +for-the.biz +forgot.her.name +forgot.his.name +from-ak.com +from-al.com +from-ar.com +from-az.net +from-ca.com +from-co.net +from-ct.com +from-dc.com +from-de.com +from-fl.com +from-ga.com +from-hi.com +from-ia.com +from-id.com +from-il.com +from-in.com +from-ks.com +from-ky.com +from-la.net +from-ma.com +from-md.com +from-me.org +from-mi.com +from-mn.com +from-mo.com +from-ms.com +from-mt.com +from-nc.com +from-nd.com +from-ne.com +from-nh.com +from-nj.com +from-nm.com +from-nv.com +from-ny.net +from-oh.com +from-ok.com +from-or.com +from-pa.com +from-pr.com +from-ri.com +from-sc.com +from-sd.com +from-tn.com +from-tx.com 
+from-ut.com +from-va.com +from-vt.com +from-wa.com +from-wi.com +from-wv.com +from-wy.com +ftpaccess.cc +fuettertdasnetz.de +game-host.org +game-server.cc +getmyip.com +gets-it.net +go.dyndns.org +gotdns.com +gotdns.org +groks-the.info +groks-this.info +ham-radio-op.net +here-for-more.info +hobby-site.com +hobby-site.org +home.dyndns.org +homedns.org +homeftp.net +homeftp.org +homeip.net +homelinux.com +homelinux.net +homelinux.org +homeunix.com +homeunix.net +homeunix.org +iamallama.com +in-the-band.net +is-a-anarchist.com +is-a-blogger.com +is-a-bookkeeper.com +is-a-bruinsfan.org +is-a-bulls-fan.com +is-a-candidate.org +is-a-caterer.com +is-a-celticsfan.org +is-a-chef.com +is-a-chef.net +is-a-chef.org +is-a-conservative.com +is-a-cpa.com +is-a-cubicle-slave.com +is-a-democrat.com +is-a-designer.com +is-a-doctor.com +is-a-financialadvisor.com +is-a-geek.com +is-a-geek.net +is-a-geek.org +is-a-green.com +is-a-guru.com +is-a-hard-worker.com +is-a-hunter.com +is-a-knight.org +is-a-landscaper.com +is-a-lawyer.com +is-a-liberal.com +is-a-libertarian.com +is-a-linux-user.org +is-a-llama.com +is-a-musician.com +is-a-nascarfan.com +is-a-nurse.com +is-a-painter.com +is-a-patsfan.org +is-a-personaltrainer.com +is-a-photographer.com +is-a-player.com +is-a-republican.com +is-a-rockstar.com +is-a-socialist.com +is-a-soxfan.org +is-a-student.com +is-a-teacher.com +is-a-techie.com +is-a-therapist.com +is-an-accountant.com +is-an-actor.com +is-an-actress.com +is-an-anarchist.com +is-an-artist.com +is-an-engineer.com +is-an-entertainer.com +is-by.us +is-certified.com +is-found.org +is-gone.com +is-into-anime.com +is-into-cars.com +is-into-cartoons.com +is-into-games.com +is-leet.com +is-lost.org +is-not-certified.com +is-saved.org +is-slick.com +is-uberleet.com +is-very-bad.org +is-very-evil.org +is-very-good.org +is-very-nice.org +is-very-sweet.org +is-with-theband.com +isa-geek.com +isa-geek.net +isa-geek.org +isa-hockeynut.com +issmarterthanyou.com +isteingeek.de +istmein.de 
+kicks-ass.net +kicks-ass.org +knowsitall.info +land-4-sale.us +lebtimnetz.de +leitungsen.de +likes-pie.com +likescandy.com +merseine.nu +mine.nu +misconfused.org +mypets.ws +myphotos.cc +neat-url.com +office-on-the.net +on-the-web.tv +podzone.net +podzone.org +readmyblog.org +saves-the-whales.com +scrapper-site.net +scrapping.cc +selfip.biz +selfip.com +selfip.info +selfip.net +selfip.org +sells-for-less.com +sells-for-u.com +sells-it.net +sellsyourhome.org +servebbs.com +servebbs.net +servebbs.org +serveftp.net +serveftp.org +servegame.org +shacknet.nu +simple-url.com +space-to-rent.com +stuff-4-sale.org +stuff-4-sale.us +teaches-yoga.com +thruhere.net +traeumtgerade.de +webhop.biz +webhop.info +webhop.net +webhop.org +worse-than.tv +writesthisblog.com + +// Fastly Inc. http://www.fastly.com/ +// Submitted by Vladimir Vuksan 2013-05-31 +a.ssl.fastly.net +b.ssl.fastly.net +global.ssl.fastly.net +a.prod.fastly.net +global.prod.fastly.net + +// Firebase, Inc. +// Submitted by Chris Raynor 2014-01-21 +firebaseapp.com + +// Flynn : https://flynn.io +// Submitted by Jonathan Rudenberg 2014-07-12 +flynnhub.com + +// GitHub, Inc. +// Submitted by Ben Toews 2014-02-06 +github.io +githubusercontent.com + +// GlobeHosting, Inc. +// Submitted by Zoltan Egresi 2013-07-12 +ro.com + +// Google, Inc. 
+// Submitted by Eduardo Vela 2014-12-19
+appspot.com
+blogspot.ae
+blogspot.be
+blogspot.bj
+blogspot.ca
+blogspot.cf
+blogspot.ch
+blogspot.co.at
+blogspot.co.il
+blogspot.co.nz
+blogspot.co.uk
+blogspot.com
+blogspot.com.ar
+blogspot.com.au
+blogspot.com.br
+blogspot.com.es
+blogspot.com.tr
+blogspot.cv
+blogspot.cz
+blogspot.de
+blogspot.dk
+blogspot.fi
+blogspot.fr
+blogspot.gr
+blogspot.hk
+blogspot.hu
+blogspot.ie
+blogspot.in
+blogspot.it
+blogspot.jp
+blogspot.kr
+blogspot.mr
+blogspot.mx
+blogspot.nl
+blogspot.no
+blogspot.pt
+blogspot.re
+blogspot.ro
+blogspot.ru
+blogspot.se
+blogspot.sg
+blogspot.sk
+blogspot.td
+blogspot.tw
+codespot.com
+googleapis.com
+googlecode.com
+pagespeedmobilizer.com
+withgoogle.com
+
+// Heroku : https://www.heroku.com/
+// Submitted by Tom Maher 2013-05-02
+herokuapp.com
+herokussl.com
+
+// iki.fi
+// Submitted by Hannu Aronsson 2009-11-05
+iki.fi
+
+// info.at : http://www.info.at/
+biz.at
+info.at
+
+// Michau Enterprises Limited : http://www.co.pl/
+co.pl
+
+// Microsoft : http://microsoft.com
+// Submitted by Barry Dorrans 2014-01-24
+azurewebsites.net
+azure-mobile.net
+cloudapp.net
+
+// NFSN, Inc. : https://www.NearlyFreeSpeech.NET/
+// Submitted by Jeff Wheelhouse 2014-02-02
+nfshost.com
+
+// NYC.mn : http://www.information.nyc.mn
+// Submitted by Matthew Brown 2013-03-11
+nyc.mn
+
+// One Fold Media : http://www.onefoldmedia.com/
+// Submitted by Eddie Jones 2014-06-10
+nid.io
+
+// Opera Software, A.S.A.
+// Submitted by Yngve Pettersen 2009-11-26
+operaunite.com
+
+// OutSystems
+// Submitted by Duarte Santos 2014-03-11
+outsystemscloud.com
+
+// .pl domains (grandfathered)
+art.pl
+gliwice.pl
+krakow.pl
+poznan.pl
+wroc.pl
+zakopane.pl
+
+// Red Hat, Inc. OpenShift : https://openshift.redhat.com/
+// Submitted by Tim Kramer 2012-10-24
+rhcloud.com
+
+// GDS : https://www.gov.uk/service-manual/operations/operating-servicegovuk-subdomains
+// Submitted by David Illsley 2014-08-28
+service.gov.uk
+
+// priv.at : http://www.nic.priv.at/
+// Submitted by registry 2008-06-09
+priv.at
+
+// TASK geographical domains (www.task.gda.pl/uslugi/dns)
+gda.pl
+gdansk.pl
+gdynia.pl
+med.pl
+sopot.pl
+
+// UDR Limited : http://www.udr.hk.com
+// Submitted by registry 2014-11-07
+hk.com
+hk.org
+ltd.hk
+inc.hk
+
+// Yola : https://www.yola.com/
+// Submitted by Stefano Rivera 2014-07-09
+yolasite.com
+
+// ZaNiC : http://www.za.net/
+// Submitted by registry 2009-10-03
+za.net
+za.org
+
+// ===END PRIVATE DOMAINS===
\ No newline at end of file
diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/.pmd b/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/.pmd
deleted file mode 100644
index b4dd643621..0000000000
--- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/.pmd
+++ /dev/null
@@ -1,1262 +0,0 @@ - - - false - .ruleset - - - IfStmtsMustUseBraces - Braces - - - IfElseStmtsMustUseBraces - Braces - - - WhileLoopsMustUseBraces - Braces - - - ForLoopsMustUseBraces - Braces - - - UnnecessaryConstructor - Controversial - - - NullAssignment - Controversial - - - OnlyOneReturn - Controversial - - - AssignmentInOperand - Controversial - - - AtLeastOneConstructor - Controversial - - - DontImportSun - Controversial - - - SuspiciousOctalEscape - Controversial - - - CallSuperInConstructor - Controversial - - - UnnecessaryParentheses - Controversial - - - DefaultPackage - Controversial - - - BooleanInversion - Controversial - - - DataflowAnomalyAnalysis - Controversial - - - AvoidFinalLocalVariable - Controversial - - - AvoidUsingShortType - Controversial - - - AvoidUsingVolatile - Controversial - - - AvoidUsingNativeCode - Controversial - - - AvoidAccessibilityAlteration - Controversial - - - DoNotCallGarbageCollectionExplicitly - Controversial - - - OneDeclarationPerLine - Controversial - - - AvoidPrefixingMethodParameters - Controversial - - - AvoidLiteralsInIfCondition - Controversial - - - UseObjectForClearerAPI - Controversial - - - UseConcurrentHashMap - Controversial - - - UnusedPrivateField - Unused Code - - - UnusedLocalVariable - Unused Code - - - UnusedPrivateMethod - Unused Code - - - UnusedFormalParameter - Unused Code - - - UnusedModifier - Unused Code - - - MethodReturnsInternalArray - Security Code Guidelines - - - ArrayIsStoredDirectly - Security Code Guidelines - - - ProperCloneImplementation - Clone Implementation - - - CloneThrowsCloneNotSupportedException - Clone Implementation - - - CloneMethodMustImplementCloneable - Clone Implementation - - - JUnitStaticSuite - JUnit - - - JUnitSpelling - JUnit - - - JUnitAssertionsShouldIncludeMessage - JUnit - - - JUnitTestsShouldIncludeAssert - JUnit - - - TestClassWithoutTestCases - JUnit - - - UnnecessaryBooleanAssertion - JUnit - - - UseAssertEqualsInsteadOfAssertTrue - JUnit - - - 
UseAssertSameInsteadOfAssertTrue - JUnit - - - UseAssertNullInsteadOfAssertTrue - JUnit - - - SimplifyBooleanAssertion - JUnit - - - JUnitTestContainsTooManyAsserts - JUnit - - - UseAssertTrueInsteadOfAssertEquals - JUnit - - - CommentRequired - Comments - - - CommentSize - Comments - - - CommentContent - Comments - - - ShortVariable - Naming - - - LongVariable - Naming - - - ShortMethodName - Naming - - - VariableNamingConventions - Naming - - - MethodNamingConventions - Naming - - - ClassNamingConventions - Naming - - - AbstractNaming - Naming - - - AvoidDollarSigns - Naming - - - MethodWithSameNameAsEnclosingClass - Naming - - - SuspiciousHashcodeMethodName - Naming - - - SuspiciousConstantFieldName - Naming - - - SuspiciousEqualsMethodName - Naming - - - AvoidFieldNameMatchingTypeName - Naming - - - AvoidFieldNameMatchingMethodName - Naming - - - NoPackage - Naming - - - PackageCase - Naming - - - MisleadingVariableName - Naming - - - BooleanGetMethodName - Naming - - - ShortClassName - Naming - - - GenericsNaming - Naming - - - DuplicateImports - Import Statements - - - DontImportJavaLang - Import Statements - - - UnusedImports - Import Statements - - - ImportFromSamePackage - Import Statements - - - TooManyStaticImports - Import Statements - - - UnnecessaryFullyQualifiedName - Import Statements - - - ReplaceVectorWithList - Migration - - - ReplaceHashtableWithMap - Migration - - - ReplaceEnumerationWithIterator - Migration - - - AvoidEnumAsIdentifier - Migration - - - AvoidAssertAsIdentifier - Migration - - - IntegerInstantiation - Migration - - - ByteInstantiation - Migration - - - ShortInstantiation - Migration - - - LongInstantiation - Migration - - - JUnit4TestShouldUseBeforeAnnotation - Migration - - - JUnit4TestShouldUseAfterAnnotation - Migration - - - JUnit4TestShouldUseTestAnnotation - Migration - - - JUnit4SuitesShouldUseSuiteAnnotation - Migration - - - JUnitUseExpected - Migration - - - UnnecessaryParentheses - Controversial - - - UnnecessaryBlock 
- Unnecessary - - - DontNestJsfInJstlIteration - Basic JSF - - - MistypedCDATASection - Basic XML - - - EmptyCatchBlock - Empty Code - - - EmptyIfStmt - Empty Code - - - EmptyWhileStmt - Empty Code - - - EmptyTryBlock - Empty Code - - - EmptyFinallyBlock - Empty Code - - - EmptySwitchStatements - Empty Code - - - EmptySynchronizedBlock - Empty Code - - - EmptyStatementNotInLoop - Empty Code - - - EmptyInitializer - Empty Code - - - EmptyStatementBlock - Empty Code - - - EmptyStaticInitializer - Empty Code - - - CallSuperFirst - Android - - - CallSuperLast - Android - - - DoNotHardCodeSDCard - Android - - - JumbledIncrementer - Basic - - - ForLoopShouldBeWhileLoop - Basic - - - OverrideBothEqualsAndHashcode - Basic - - - DoubleCheckedLocking - Basic - - - ReturnFromFinallyBlock - Basic - - - UnconditionalIfStatement - Basic - - - BooleanInstantiation - Basic - - - CollapsibleIfStatements - Basic - - - ClassCastExceptionWithToArray - Basic - - - AvoidDecimalLiteralsInBigDecimalConstructor - Basic - - - MisplacedNullCheck - Basic - - - AvoidThreadGroup - Basic - - - BrokenNullCheck - Basic - - - BigIntegerInstantiation - Basic - - - AvoidUsingOctalValues - Basic - - - AvoidUsingHardCodedIP - Basic - - - CheckResultSet - Basic - - - AvoidMultipleUnaryOperators - Basic - - - ExtendsObject - Basic - - - CheckSkipResult - Basic - - - AvoidBranchingStatementAsLastInLoop - Basic - - - DontCallThreadRun - Basic - - - DontUseFloatTypeForLoopIndices - Basic - - - EmptyCatchBlock - Empty Code - - - EmptyIfStmt - Empty Code - - - EmptyWhileStmt - Empty Code - - - EmptyTryBlock - Empty Code - - - EmptyFinallyBlock - Empty Code - - - EmptySwitchStatements - Empty Code - - - EmptySynchronizedBlock - Empty Code - - - EmptyStatementNotInLoop - Empty Code - - - EmptyInitializer - Empty Code - - - EmptyStatementBlock - Empty Code - - - EmptyStaticInitializer - Empty Code - - - UnnecessaryConversionTemporary - Unnecessary - - - UnnecessaryReturn - Unnecessary - - - 
UnnecessaryFinalModifier - Unnecessary - - - UselessOverridingMethod - Unnecessary - - - UselessOperationOnImmutable - Unnecessary - - - UnusedNullCheckInEquals - Unnecessary - - - UselessParentheses - Unnecessary - - - CouplingBetweenObjects - Coupling - - - ExcessiveImports - Coupling - - - LooseCoupling - Coupling - - - LoosePackageCoupling - Coupling - - - LawOfDemeter - Coupling - - - UnnecessaryConversionTemporary - Unnecessary - - - UnnecessaryReturn - Unnecessary - - - UnnecessaryFinalModifier - Unnecessary - - - UselessOverridingMethod - Unnecessary - - - UselessOperationOnImmutable - Unnecessary - - - UnusedNullCheckInEquals - Unnecessary - - - UselessParentheses - Unnecessary - - - NoLongScripts - Basic JSP - - - NoScriptlets - Basic JSP - - - NoInlineStyleInformation - Basic JSP - - - NoClassAttribute - Basic JSP - - - NoJspForward - Basic JSP - - - IframeMissingSrcAttribute - Basic JSP - - - NoHtmlComments - Basic JSP - - - DuplicateJspImports - Basic JSP - - - JspEncoding - Basic JSP - - - NoInlineScript - Basic JSP - - - AvoidCatchingThrowable - Strict Exceptions - - - SignatureDeclareThrowsException - Strict Exceptions - - - ExceptionAsFlowControl - Strict Exceptions - - - AvoidCatchingNPE - Strict Exceptions - - - AvoidThrowingRawExceptionTypes - Strict Exceptions - - - AvoidThrowingNullPointerException - Strict Exceptions - - - AvoidRethrowingException - Strict Exceptions - - - DoNotExtendJavaLangError - Strict Exceptions - - - DoNotThrowExceptionInFinally - Strict Exceptions - - - AvoidThrowingNewInstanceOfSameException - Strict Exceptions - - - AvoidCatchingGenericException - Strict Exceptions - - - AvoidLosingExceptionInformation - Strict Exceptions - - - UseCorrectExceptionLogging - Jakarta Commons Logging - - - ProperLogger - Jakarta Commons Logging - - - GuardDebugLogging - Jakarta Commons Logging - - - LocalVariableCouldBeFinal - Optimization - - - MethodArgumentCouldBeFinal - Optimization - - - AvoidInstantiatingObjectsInLoops - 
Optimization - - - UseArrayListInsteadOfVector - Optimization - - - SimplifyStartsWith - Optimization - - - UseStringBufferForStringAppends - Optimization - - - UseArraysAsList - Optimization - - - AvoidArrayLoops - Optimization - - - UnnecessaryWrapperObjectCreation - Optimization - - - AddEmptyString - Optimization - - - RedundantFieldInitializer - Optimization - - - PrematureDeclaration - Optimization - - - UseProperClassLoader - J2EE - - - MDBAndSessionBeanNamingConvention - J2EE - - - RemoteSessionInterfaceNamingConvention - J2EE - - - LocalInterfaceSessionNamingConvention - J2EE - - - LocalHomeNamingConvention - J2EE - - - RemoteInterfaceNamingConvention - J2EE - - - DoNotCallSystemExit - J2EE - - - StaticEJBFieldShouldBeFinal - J2EE - - - DoNotUseThreads - J2EE - - - AvoidDuplicateLiterals - String and StringBuffer - - - StringInstantiation - String and StringBuffer - - - StringToString - String and StringBuffer - - - InefficientStringBuffering - String and StringBuffer - - - UnnecessaryCaseChange - String and StringBuffer - - - UseStringBufferLength - String and StringBuffer - - - AppendCharacterWithChar - String and StringBuffer - - - ConsecutiveLiteralAppends - String and StringBuffer - - - UseIndexOfChar - String and StringBuffer - - - InefficientEmptyStringCheck - String and StringBuffer - - - InsufficientStringBufferDeclaration - String and StringBuffer - - - UselessStringValueOf - String and StringBuffer - - - StringBufferInstantiationWithChar - String and StringBuffer - - - UseEqualsToCompareStrings - String and StringBuffer - - - AvoidStringBufferField - String and StringBuffer - - - MoreThanOneLogger - Java Logging - - - LoggerIsNotStaticFinal - Java Logging - - - SystemPrintln - Java Logging - - - AvoidPrintStackTrace - Java Logging - - - UseConcatOnce - XPath in XSL - - - AvoidAxisNavigation - XPath in XSL - - - AssignmentInOperand - Controversial - - - UnreachableCode - Basic Ecmascript - - - InnaccurateNumericLiteral - Basic Ecmascript - - - 
ConsistentReturn - Basic Ecmascript - - - ScopeForInVariable - Basic Ecmascript - - - EqualComparison - Basic Ecmascript - - - GlobalVariable - Basic Ecmascript - - - AvoidTrailingComma - Basic Ecmascript - - - IfStmtsMustUseBraces - Braces - - - WhileLoopsMustUseBraces - Braces - - - IfElseStmtsMustUseBraces - Braces - - - ForLoopsMustUseBraces - Braces - - - EmptyFinalizer - Finalizer - - - FinalizeOnlyCallsSuperFinalize - Finalizer - - - FinalizeOverloaded - Finalizer - - - FinalizeDoesNotCallSuperFinalize - Finalizer - - - FinalizeShouldBeProtected - Finalizer - - - AvoidCallingFinalize - Finalizer - - - UseSingleton - Design - - - SimplifyBooleanReturns - Design - - - SimplifyBooleanExpressions - Design - - - SwitchStmtsShouldHaveDefault - Design - - - AvoidDeeplyNestedIfStmts - Design - - - AvoidReassigningParameters - Design - - - SwitchDensity - Design - - - ConstructorCallsOverridableMethod - Design - - - AccessorClassGeneration - Design - - - FinalFieldCouldBeStatic - Design - - - CloseResource - Design - - - NonStaticInitializer - Design - - - DefaultLabelNotLastInSwitchStmt - Design - - - NonCaseLabelInSwitchStatement - Design - - - OptimizableToArrayCall - Design - - - BadComparison - Design - - - EqualsNull - Design - - - ConfusingTernary - Design - - - InstantiationToGetClass - Design - - - IdempotentOperations - Design - - - SimpleDateFormatNeedsLocale - Design - - - ImmutableField - Design - - - UseLocaleWithCaseConversions - Design - - - AvoidProtectedFieldInFinalClass - Design - - - AssignmentToNonFinalStatic - Design - - - MissingStaticMethodInNonInstantiatableClass - Design - - - AvoidSynchronizedAtMethodLevel - Design - - - MissingBreakInSwitch - Design - - - UseNotifyAllInsteadOfNotify - Design - - - AvoidInstanceofChecksInCatchClause - Design - - - AbstractClassWithoutAbstractMethod - Design - - - SimplifyConditional - Design - - - CompareObjectsWithEquals - Design - - - PositionLiteralsFirstInComparisons - Design - - - 
UnnecessaryLocalBeforeReturn - Design - - - NonThreadSafeSingleton - Design - - - UncommentedEmptyMethod - Design - - - UncommentedEmptyConstructor - Design - - - AvoidConstantsInterface - Design - - - UnsynchronizedStaticDateFormatter - Design - - - PreserveStackTrace - Design - - - UseCollectionIsEmpty - Design - - - ClassWithOnlyPrivateConstructorsShouldBeFinal - Design - - - EmptyMethodInAbstractClassShouldBeAbstract - Design - - - SingularField - Design - - - ReturnEmptyArrayRatherThanNull - Design - - - AbstractClassWithoutAnyMethod - Design - - - TooFewBranchesForASwitchStatement - Design - - - LogicInversion - Design - - - UseVarargs - Design - - - FieldDeclarationsShouldBeAtStartOfClass - Design - - - GodClass - Design - - - NPathComplexity - Code Size - - - ExcessiveMethodLength - Code Size - - - ExcessiveParameterList - Code Size - - - ExcessiveClassLength - Code Size - - - CyclomaticComplexity - Code Size - - - ExcessivePublicCount - Code Size - - - TooManyFields - Code Size - - - NcssMethodCount - Code Size - - - NcssTypeCount - Code Size - - - NcssConstructorCount - Code Size - - - TooManyMethods - Code Size - - - BeanMembersShouldSerialize - JavaBeans - - - MissingSerialVersionUID - JavaBeans - - - false - true - true - diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/dependency-reduced-pom.xml b/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/dependency-reduced-pom.xml deleted file mode 100644 index 11efb2f0d5..0000000000 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/dependency-reduced-pom.xml +++ /dev/null 
@@ -1,230 +0,0 @@ - - - - managed-threat - cisco - 0.0.4-SNAPSHOT - - 4.0.0 - cisco-hbase - cisco-hbase - - - org.apache.hbase - hbase-client - 0.96.0.2.0.6.0-76-hadoop2 - provided - - - hbase-common - org.apache.hbase - - - hbase-protocol - org.apache.hbase - - - commons-codec - commons-codec - - - commons-io - commons-io - - - commons-lang - commons-lang - - - commons-logging - commons-logging - - - guava - com.google.guava - - - protobuf-java - com.google.protobuf - - - netty - io.netty - - - zookeeper - org.apache.zookeeper - - - htrace-core - org.cloudera.htrace - - - jackson-mapper-asl - org.codehaus.jackson - - - hadoop-auth - org.apache.hadoop - - - hadoop-mapreduce-client-core - org.apache.hadoop - - - hadoop-annotations - org.apache.hadoop - - - findbugs-annotations - com.github.stephenc.findbugs - - - junit - junit - - - - - org.apache.hadoop - hadoop-common - 2.2.0.2.0.6.0-76 - provided - - - commons-cli - commons-cli - - - commons-math - org.apache.commons - - - xmlenc - xmlenc - - - commons-httpclient - commons-httpclient - - - commons-net - commons-net - - - servlet-api - javax.servlet - - - jetty - org.mortbay.jetty - - - jetty-util - org.mortbay.jetty - - - jersey-core - com.sun.jersey - - - jersey-json - com.sun.jersey - - - jersey-server - com.sun.jersey - - - jasper-compiler - tomcat - - - jasper-runtime - tomcat - - - jsp-api - javax.servlet.jsp - - - commons-el - commons-el - - - jets3t - net.java.dev.jets3t - - - commons-configuration - commons-configuration - - - slf4j-api - org.slf4j - - - slf4j-log4j12 - org.slf4j - - - jackson-core-asl - org.codehaus.jackson - - - avro - org.apache.avro - - - jsch - com.jcraft - - - commons-compress - org.apache.commons - - - hadoop-annotations - org.apache.hadoop - - - guava - com.google.guava - - - commons-codec - commons-codec - - - commons-io - commons-io - - - commons-logging - commons-logging - - - commons-lang - commons-lang - - - jackson-mapper-asl - org.codehaus.jackson - - - protobuf-java - 
com.google.protobuf - - - hadoop-auth - org.apache.hadoop - - - zookeeper - org.apache.zookeeper - - - - - - diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/pom.xml b/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/pom.xml deleted file mode 100644 index f1f471f8c6..0000000000 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/pom.xml +++ /dev/null @@ -1,137 +0,0 @@ - - 4.0.0 - - com.cisco.opensoc - opensoc - 0.1.3-SNAPSHOT - ../../../pom.xml - - opensoc-hbase - - - - commons-beanutils - commons-beanutils - ${commons-beanutils.version} - - - org.apache.commons - commons-jexl - ${commons-jexl.version} - - - - commons-configuration - commons-configuration - ${commons-configuration.version} - - - junit - junit - ${junit.version} - test - - - org.powermock - powermock-api-mockito - 1.5 - test - - - org.powermock - powermock-core - 1.5 - test - - - org.powermock - powermock-module-junit4 - 1.5 - test - - - joda-time - joda-time - 2.3 - - - org.apache.hbase - hbase-client - ${hbase.version} - provided - - - org.apache.hbase - hbase-testing-util - ${hbase.version} - provided - - - org.apache.hadoop - hadoop-common - ${hadoop.version} - provided - - - org.apache.hadoop - hadoop-hdfs - ${hadoop.version} - provided - - - com.cisco.opensoc - opensoc-common - ${project.parent.version} - - - com.cisco.opensoc - opensoc-pcap - ${project.parent.version} - - - org.apache.hadoop - hadoop-mapreduce-client-common - - - org.apache.hadoop - hadoop-common - - - org.apache.hadoop - hadoop-core - - - - - org.springframework.integration - spring-integration-http - ${spring.integration.version} - - - org.springframework - spring-webmvc - ${spring.version} - - - log4j - log4j - ${logger.version} - - - com.sun.jmx - jmxri - - - com.sun.jdmk - jmxtools - - - javax.jms - jms - - - - - - \ No newline at end of file 
diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/IPcapReceiver.java b/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/IPcapReceiver.java
deleted file mode 100644
index a06ba6e550..0000000000
--- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/IPcapReceiver.java
+++ /dev/null
@@ -1,109 +0,0 @@
-package com.cisco.opensoc.hbase.client;
-
-import java.io.IOException;
-import java.util.List;
-
-import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.RequestParam;
-
-/**
- * Single point of entry for all REST calls. Exposes methods to fetch pcaps for
- * the given list of keys or range of keys and optional start time and end time.
- * If the caller doesn't provide start time and end time, all pcaps from
- * beginning of the time to until now are returned.
- *
- * @author Sayi
- *
- */
-public interface IPcapReceiver {
-
- /**
- * Gets the pcaps for the given list of keys and optional startTime and
- * endTime.
- *
- * @param keys
- * the list of keys for which pcaps are to be retrieved
- * @param lastRowKey
- * last row key from the previous partial response
- * @param startTime
- * the start time in system milliseconds to be used to filter the
- * pcaps.
- * @param endTime
- * the end time in system milliseconds to be used to filter the
- * pcaps. The default value is set to Long.MAX_VALUE. 'endTime' must
- * be greater than the 'startTime'.
- * @param includeReverseTraffic
- * indicates whether or not to include pcaps from the reverse traffic
- * @param includeDuplicateLastRow
- * indicates whether or not to include the last row from the previous
- * partial response
- * @param maxResponseSize
- * indicates the maximum response size in MegaBytes. User needs to
- * pass positive value and must be less than 60 (MB)
- * @return byte array with all matching pcaps merged together
- * @throws IOException
- * Signals that an I/O exception has occurred.
- */
- public ResponseEntity getPcapsByKeys(@RequestParam List keys,
- @RequestParam String lastRowKey, @RequestParam long startTime,
- @RequestParam long endTime, @RequestParam boolean includeReverseTraffic,
- @RequestParam boolean includeDuplicateLastRow,
- @RequestParam String maxResponseSize) throws IOException;
-
- /**
- * get pcaps for a given key range.
- *
- * @param startKey
- * the start key of a key range for which pcaps are to be retrieved
- * @param endKey
- * the end key of a key range for which pcaps are to be retrieved
- * @param maxResponseSize
- * indicates the maximum response size in MegaBytes. User needs to
- * pass positive value and must be less than 60 (MB)
- * @param startTime
- * the start time in system milliseconds to be used to filter the
- * pcaps.
- * @param endTime
- * the end time in system milliseconds to be used to filter the
- * pcaps. 'endTime' must be greater than the 'startTime'.
- * @return byte array with all matching pcaps merged together
- * @throws IOException
- * Signals that an I/O exception has occurred.
- */
- public ResponseEntity getPcapsByKeyRange(
- @RequestParam String startKey, @RequestParam String endKey,
- @RequestParam String maxResponseSize, @RequestParam long startTime,
- @RequestParam long endTime) throws IOException;
-
- /**
- * get pcaps for the given identifiers.
- *
- * @param srcIp
- * source ip address
- * @param destIp
- * destination ip address
- * @param protocol
- * network protocol
- * @param srcPort
- * source port
- * @param destPort
- * destination port
- * @param startTime
- * the start time in system milliseconds to be used to filter the
- * pcaps.
- * @param endTime
- * the end time in system milliseconds to be used to filter the
- * pcaps. 'endTime' must be greater than the 'startTime'.
- * @param includeReverseTraffic
- * indicates whether or not to include pcaps from the reverse traffic
- * @return byte array with all matching pcaps merged together
- * @throws IOException
- * Signals that an I/O exception has occurred.
- */
- public ResponseEntity getPcapsByIdentifiers(
- @RequestParam String srcIp, @RequestParam String destIp,
- @RequestParam String protocol, @RequestParam String srcPort,
- @RequestParam String destPort, @RequestParam long startTime,
- @RequestParam long endTime, @RequestParam boolean includeReverseTraffic)
- throws IOException;
-}
diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/PcapReceiverImpl.java b/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/PcapReceiverImpl.java
deleted file mode 100644
index f6eeab259b..0000000000
--- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/java/com/cisco/opensoc/hbase/client/PcapReceiverImpl.java
+++ /dev/null
@@ -1,212 +0,0 @@ -package com.cisco.opensoc.hbase.client; - -import java.io.IOException; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.List; - -import org.apache.commons.lang.StringUtils; -import org.apache.log4j.Logger; -import org.springframework.http.HttpStatus; -import org.springframework.http.ResponseEntity; -import org.springframework.stereotype.Controller; -import org.springframework.util.Assert; -import org.springframework.util.LinkedMultiValueMap; -import org.springframework.util.MultiValueMap; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestParam; - -import com.cisco.opensoc.pcap.parsing.PcapUtils; -import com.google.common.annotations.VisibleForTesting; - -/** - * Single point of entry for all REST calls. Exposes methods to fetch pcaps for - * the given list of keys or range of keys and optional start time and end time. - * If the caller doesn't provide start time and end time, all pcaps from - * beginning of the time to until now are returned. - * - * @author Sayi - * - */ -@Controller -public class PcapReceiverImpl implements IPcapReceiver { - - /** The Constant LOGGER. */ - private static final Logger LOGGER = Logger.getLogger(PcapReceiverImpl.class); - - /** The Constant HEADER_CONTENT_DISPOSITION_NAME. */ - private static final String HEADER_CONTENT_DISPOSITION_NAME = "Content-Disposition"; - - /** The Constant HEADER_CONTENT_DISPOSITION_VALUE. */ - private static final String HEADER_CONTENT_DISPOSITION_VALUE = "attachment; filename=\"managed-threat.pcap\""; - - /** partial response key header name. 
*/ - private static final String HEADER_PARTIAL_RESPONE_KEY = "lastRowKey"; - - /* - * (non-Javadoc) - * - * @see com.cisco.opensoc.hbase.client.IPcapReceiver#getPcapsByKeys(java.util.List, - * java.lang.String, long, long, boolean, boolean, - * javax.servlet.http.HttpServletResponse) - */ - @Override - @RequestMapping(value = "/pcapGetter/getPcapsByKeys", produces = "application/octet-stream") - public ResponseEntity getPcapsByKeys( - @RequestParam(required = false) List keys, - @RequestParam(required = false) String lastRowKey, - @RequestParam(defaultValue = "-1") long startTime, - @RequestParam(defaultValue = "-1") long endTime, - @RequestParam(required = false) boolean includeDuplicateLastRow, - @RequestParam(defaultValue = "false") boolean includeReverseTraffic, - @RequestParam(required = false) String maxResponseSize) - throws IOException { - Assert.notEmpty(keys, "'keys' must not be null or empty"); - PcapsResponse pcapResponse = null; - MultiValueMap headers = new LinkedMultiValueMap(); - try { - IPcapGetter pcapGetter = PcapGetterHBaseImpl.getInstance(); - pcapResponse = pcapGetter.getPcaps(parseKeys(keys), lastRowKey, - startTime, endTime, includeReverseTraffic, includeDuplicateLastRow, - ConfigurationUtil.validateMaxResultSize(maxResponseSize)); - LOGGER.info("pcaps response in REST layer =" + pcapResponse.toString()); - - // return http status '204 No Content' if the pcaps response size is 0 - if (pcapResponse == null || pcapResponse.getResponseSize() == 0) { - return new ResponseEntity(HttpStatus.NO_CONTENT); - } - - // return http status '206 Partial Content', the partial response file and - // 'lastRowKey' header , if the pcaps response status is 'PARTIAL' - headers.add(HEADER_CONTENT_DISPOSITION_NAME, - HEADER_CONTENT_DISPOSITION_VALUE); - if (pcapResponse.getStatus() == PcapsResponse.Status.PARTIAL) { - headers.add(HEADER_PARTIAL_RESPONE_KEY, - pcapResponse.getLastRowKey()); - return new ResponseEntity(pcapResponse.getPcaps(), headers, - 
HttpStatus.PARTIAL_CONTENT); - } - - } catch (IOException e) { - LOGGER.error("Exception occurred while fetching Pcaps for the keys :" - + keys.toString(), e); - throw e; - } - - // return http status '200 OK' along with the complete pcaps response file, - // and headers - return new ResponseEntity(pcapResponse.getPcaps(), headers, - HttpStatus.OK); - } - - /* - * (non-Javadoc) - * - * @see - * com.cisco.opensoc.hbase.client.IPcapReceiver#getPcapsByKeyRange(java.lang.String - * , java.lang.String, java.lang.String, long, long, - * javax.servlet.http.HttpServletResponse) - */ - @Override - @RequestMapping(value = "/pcapGetter/getPcapsByKeyRange", produces = "application/octet-stream") - public ResponseEntity getPcapsByKeyRange( - @RequestParam String startKey, - @RequestParam(required = false) String endKey, - @RequestParam(required = false) String maxResponseSize, - @RequestParam(defaultValue = "-1") long startTime, - @RequestParam(defaultValue = "-1") long endTime) throws IOException { - Assert.hasText(startKey, "'startKey' must not be null or empty"); - MultiValueMap headers = new LinkedMultiValueMap(); - byte[] response = null; - try { - IPcapScanner pcapScanner = PcapScannerHBaseImpl.getInstance(); - response = pcapScanner.getPcaps(startKey, endKey, - ConfigurationUtil.validateMaxResultSize(maxResponseSize), startTime, - endTime); - if (response == null || response.length == 0) { - return new ResponseEntity(HttpStatus.NO_CONTENT); - } - headers.add(HEADER_CONTENT_DISPOSITION_NAME, - HEADER_CONTENT_DISPOSITION_VALUE); - - } catch (IOException e) { - LOGGER.error( - "Exception occurred while fetching Pcaps for the key range : startKey=" - + startKey + ", endKey=" + endKey, e); - throw e; - } - // return http status '200 OK' along with the complete pcaps response file, - // and headers - return new ResponseEntity(response, headers, HttpStatus.OK); - } - - /* - * (non-Javadoc) - * - * @see - * 
com.cisco.opensoc.hbase.client.IPcapReceiver#getPcapsByIdentifiers(java.lang - * .String, java.lang.String, java.lang.String, java.lang.String, - * java.lang.String, long, long, boolean, - * javax.servlet.http.HttpServletResponse) - */ - @Override - @RequestMapping(value = "/pcapGetter/getPcapsByIdentifiers", produces = "application/octet-stream") - public ResponseEntity getPcapsByIdentifiers( - @RequestParam String srcIp, @RequestParam String dstIp, - @RequestParam String protocol, @RequestParam String srcPort, - @RequestParam String dstPort, - @RequestParam(defaultValue = "-1") long startTime, - @RequestParam(defaultValue = "-1") long endTime, - @RequestParam(defaultValue = "false") boolean includeReverseTraffic) - throws IOException { - Assert.hasText(srcIp, "'srcIp' must not be null or empty"); - Assert.hasText(dstIp, "'dstIp' must not be null or empty"); - Assert.hasText(protocol, "'protocol' must not be null or empty"); - Assert.hasText(srcPort, "'srcPort' must not be null or empty"); - Assert.hasText(dstPort, "'dstPort' must not be null or empty"); - MultiValueMap headers = new LinkedMultiValueMap(); - PcapsResponse response = null; - try { - String sessionKey = PcapUtils.getSessionKey(srcIp, dstIp, protocol, - srcPort, dstPort); - LOGGER.info("sessionKey =" + sessionKey); - IPcapGetter pcapGetter = PcapGetterHBaseImpl.getInstance(); - response = pcapGetter.getPcaps(Arrays.asList(sessionKey), null, - startTime, endTime, includeReverseTraffic, false, - ConfigurationUtil.getDefaultResultSize()); - if (response == null || response.getResponseSize() == 0) { - return new ResponseEntity(HttpStatus.NO_CONTENT); - } - headers.add(HEADER_CONTENT_DISPOSITION_NAME, - HEADER_CONTENT_DISPOSITION_VALUE); - - } catch (IOException e) { - LOGGER.error("Exception occurred while fetching Pcaps by identifiers :", - e); - throw e; - } - // return http status '200 OK' along with the complete pcaps response file, - // and headers - return new ResponseEntity(response.getPcaps(), 
headers, - HttpStatus.OK); - } - - /** - * This method parses the each value in the List using delimiter ',' and - * builds a new List;. - * - * @param keys - * list of keys to be parsed - * @return list of keys - */ - @VisibleForTesting - List parseKeys(List keys) { - Assert.notEmpty(keys); - List parsedKeys = new ArrayList(); - for (String key : keys) { - parsedKeys.addAll(Arrays.asList(StringUtils.split(StringUtils.trim(key), - ","))); - } - return parsedKeys; - } -} diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/PcapReceiverImplTest.java b/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/PcapReceiverImplTest.java deleted file mode 100644 index f59bea62ad..0000000000 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/PcapReceiverImplTest.java +++ /dev/null 
@@ -1,232 +0,0 @@ -/** - * - */ -package com.cisco.opensoc.hbase.client; - -import java.io.IOException; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collections; -import java.util.List; - -import org.junit.After; -import org.junit.Before; -import org.junit.Rule; -import org.junit.Test; -import org.junit.rules.ExpectedException; -import org.junit.runner.RunWith; -import org.mockito.Mockito; -import org.powermock.api.mockito.PowerMockito; -import org.powermock.core.classloader.annotations.PrepareForTest; -import org.powermock.modules.junit4.PowerMockRunner; -import org.springframework.http.HttpStatus; -import org.springframework.http.ResponseEntity; -import org.springframework.util.Assert; - -import com.cisco.opensoc.hbase.client.PcapGetterHBaseImpl; -import com.cisco.opensoc.hbase.client.PcapReceiverImpl; -import com.cisco.opensoc.hbase.client.PcapsResponse; - -// TODO: Auto-generated Javadoc -/** - * The Class PcapReceiverImplTest. - * - * @author Sayi - */ -@RunWith(PowerMockRunner.class) -@PrepareForTest(PcapGetterHBaseImpl.class) -public class PcapReceiverImplTest { - - /** The pcap receiver. */ - PcapReceiverImpl pcapReceiver = new PcapReceiverImpl(); - - /** The exception. */ - @Rule - public ExpectedException exception = ExpectedException.none(); - - /** - * Sets the up. - * - * @throws Exception - * the exception - */ - @Before - public void setUp() throws Exception { - } - - /** - * Tear down. - * - * @throws Exception - * the exception - */ - @After - public void tearDown() throws Exception { - } - - /** - * Test parse keys_single. - */ - @Test - public void testParseKeys_single() { - String[] keysArr = { "234234234,565675675" }; - List keysList = Arrays.asList(keysArr); - List parsedKeys = pcapReceiver.parseKeys(keysList); - Assert.isTrue(parsedKeys.size() == 2); - } - - /** - * Test parse keys_multiple. 
- */ - @Test - public void testParseKeys_multiple() { - String[] keysArr = { "234234234,565675675", "675757,234242" }; - List keysList = Arrays.asList(keysArr); - List parsedKeys = pcapReceiver.parseKeys(keysList); - Assert.isTrue(parsedKeys.size() == 4); - } - - /** - * Test parse keys_empty. - */ - @Test - public void testParseKeys_empty() { - exception.expect(IllegalArgumentException.class); - pcapReceiver.parseKeys(Collections. emptyList()); - } - - /** - * Test parse keys_null. - */ - @Test - public void testParseKeys_null() { - exception.expect(IllegalArgumentException.class); - pcapReceiver.parseKeys(null); - } - - /** - * Test_get pcaps by keys_complete response. - * - * @throws IOException - * Signals that an I/O exception has occurred. - */ - @Test - public void test_getPcapsByKeys_completeResponse() throws IOException { - // mocking - String[] keysArry = { "0a07002b-0a078039-06-1e8b-0087", - "0a070025-0a07807a-06-aab8-c360" }; - List keys = Arrays.asList(keysArry); - String lastRowKey = null; - long startTime = 1376782349234555L; - long endTime = 1396782349234555L; - PcapsResponse response = new PcapsResponse(); - response.setStatus(PcapsResponse.Status.COMPLETE); - List pcaps = new ArrayList(); - byte[] pcap = { 12, 123 }; - pcaps.add(pcap); - response.setPcaps(pcaps); - - PcapGetterHBaseImpl pcapGetter = Mockito.mock(PcapGetterHBaseImpl.class); - - PowerMockito.mockStatic(PcapGetterHBaseImpl.class); - PowerMockito.when(PcapGetterHBaseImpl.getInstance()).thenReturn(pcapGetter); - PowerMockito.when( - pcapGetter.getPcaps(keys, lastRowKey, startTime, endTime, - false, false, 6291456)).thenReturn(response); - - PcapReceiverImpl restImpl = new PcapReceiverImpl(); - - // actual call - ResponseEntity result = restImpl.getPcapsByKeys(keys, - lastRowKey, startTime, endTime, false, false, null); - - // verify - Assert.notNull(result); - Assert.notNull(result.getBody()); - Assert.isTrue(result.getStatusCode() == HttpStatus.OK); - 
Assert.isTrue(result.getHeaders().size() == 1); // 'Content-Disposition' - } - - /** - * Test_get pcaps by keys_partial response. - * - * @throws IOException - * Signals that an I/O exception has occurred. - */ - @Test - public void test_getPcapsByKeys_partialResponse() throws IOException { - // mocking - String[] keysArry = { "0a07002b-0a078039-06-1e8b-0087", - "0a070025-0a07807a-06-aab8-c360" }; - List keys = Arrays.asList(keysArry); - String lastRowKey = null; - long startTime = 1376782349234555L; - long endTime = 1396782349234555L; - PcapsResponse response = new PcapsResponse(); - response.setStatus(PcapsResponse.Status.PARTIAL); - List pcaps = new ArrayList(); - byte[] pcap = { 12, 123 }; - pcaps.add(pcap); - response.setPcaps(pcaps); - - PcapGetterHBaseImpl pcapGetter = Mockito.mock(PcapGetterHBaseImpl.class); - - PowerMockito.mockStatic(PcapGetterHBaseImpl.class); - PowerMockito.when(PcapGetterHBaseImpl.getInstance()).thenReturn(pcapGetter); - PowerMockito.when( - pcapGetter.getPcaps(keys, lastRowKey, startTime, endTime, - false, false, 6291456)).thenReturn(response); - - PcapReceiverImpl restImpl = new PcapReceiverImpl(); - - // actual call - ResponseEntity result = restImpl.getPcapsByKeys(keys, - lastRowKey, startTime, endTime, false, false, null); - - // verify - Assert.notNull(result); - Assert.notNull(result.getBody()); - Assert.isTrue(result.getStatusCode() == HttpStatus.PARTIAL_CONTENT); - Assert.isTrue(result.getHeaders().size() == 2); // 'lastRowKey', - // 'Content-Disposition' - } - - /** - * Test_get pcaps by keys_partial no content. - * - * @throws IOException - * Signals that an I/O exception has occurred. 
- */ - @Test - public void test_getPcapsByKeys_partialNoContent() throws IOException { - // mocking - String[] keysArry = { "0a07002b-0a078039-06-1e8b-0087", - "0a070025-0a07807a-06-aab8-c360" }; - List keys = Arrays.asList(keysArry); - String lastRowKey = null; - long startTime = 1376782349234555L; - long endTime = 1396782349234555L; - PcapsResponse response = new PcapsResponse(); - - PcapGetterHBaseImpl pcapGetter = Mockito.mock(PcapGetterHBaseImpl.class); - - PowerMockito.mockStatic(PcapGetterHBaseImpl.class); - PowerMockito.when(PcapGetterHBaseImpl.getInstance()).thenReturn(pcapGetter); - PowerMockito.when( - pcapGetter.getPcaps(keys, lastRowKey, startTime, endTime, - false, false, 6291456)).thenReturn(response); - - PcapReceiverImpl restImpl = new PcapReceiverImpl(); - - // actual call - ResponseEntity result = restImpl.getPcapsByKeys(keys, - lastRowKey, startTime, endTime, false, false, null); - - // verify - Assert.notNull(result); - Assert.isNull(result.getBody()); - Assert.isTrue(result.getStatusCode() == HttpStatus.NO_CONTENT); - Assert.isTrue(result.getHeaders().isEmpty()); - } - -} diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/.pmd b/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/.pmd deleted file mode 100644 index 8a17775f7f..0000000000 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/.pmd +++ /dev/null 
@@ -1,1190 +0,0 @@ - - - false - .ruleset - - - IfStmtsMustUseBraces - Braces - - - IfElseStmtsMustUseBraces - Braces - - - WhileLoopsMustUseBraces - Braces - - - ForLoopsMustUseBraces - Braces - - - UnnecessaryConstructor - Controversial - - - NullAssignment - Controversial - - - OnlyOneReturn - Controversial - - - AssignmentInOperand - Controversial - - - AtLeastOneConstructor - Controversial - - - DontImportSun - Controversial - - - SuspiciousOctalEscape - Controversial - - - CallSuperInConstructor - Controversial - - - UnnecessaryParentheses - Controversial - - - DefaultPackage - Controversial - - - BooleanInversion - Controversial - - - DataflowAnomalyAnalysis - Controversial - - - AvoidFinalLocalVariable - Controversial - - - AvoidUsingShortType - Controversial - - - AvoidUsingVolatile - Controversial - - - AvoidUsingNativeCode - Controversial - - - AvoidAccessibilityAlteration - Controversial - - - DoNotCallGarbageCollectionExplicitly - Controversial - - - OneDeclarationPerLine - Controversial - - - AvoidPrefixingMethodParameters - Controversial - - - AvoidLiteralsInIfCondition - Controversial - - - UseObjectForClearerAPI - Controversial - - - UseConcurrentHashMap - Controversial - - - UnusedPrivateField - Unused Code - - - UnusedLocalVariable - Unused Code - - - UnusedPrivateMethod - Unused Code - - - UnusedFormalParameter - Unused Code - - - UnusedModifier - Unused Code - - - MethodReturnsInternalArray - Security Code Guidelines - - - ArrayIsStoredDirectly - Security Code Guidelines - - - ProperCloneImplementation - Clone Implementation - - - CloneThrowsCloneNotSupportedException - Clone Implementation - - - CloneMethodMustImplementCloneable - Clone Implementation - - - JUnitStaticSuite - JUnit - - - JUnitSpelling - JUnit - - - JUnitAssertionsShouldIncludeMessage - JUnit - - - JUnitTestsShouldIncludeAssert - JUnit - - - TestClassWithoutTestCases - JUnit - - - UnnecessaryBooleanAssertion - JUnit - - - UseAssertEqualsInsteadOfAssertTrue - JUnit - - - 
UseAssertSameInsteadOfAssertTrue - JUnit - - - UseAssertNullInsteadOfAssertTrue - JUnit - - - SimplifyBooleanAssertion - JUnit - - - JUnitTestContainsTooManyAsserts - JUnit - - - UseAssertTrueInsteadOfAssertEquals - JUnit - - - CommentRequired - Comments - - - CommentSize - Comments - - - CommentContent - Comments - - - ShortVariable - Naming - - - LongVariable - Naming - - - ShortMethodName - Naming - - - VariableNamingConventions - Naming - - - MethodNamingConventions - Naming - - - ClassNamingConventions - Naming - - - AbstractNaming - Naming - - - AvoidDollarSigns - Naming - - - MethodWithSameNameAsEnclosingClass - Naming - - - SuspiciousHashcodeMethodName - Naming - - - SuspiciousConstantFieldName - Naming - - - SuspiciousEqualsMethodName - Naming - - - AvoidFieldNameMatchingTypeName - Naming - - - AvoidFieldNameMatchingMethodName - Naming - - - NoPackage - Naming - - - PackageCase - Naming - - - MisleadingVariableName - Naming - - - BooleanGetMethodName - Naming - - - ShortClassName - Naming - - - GenericsNaming - Naming - - - DuplicateImports - Import Statements - - - DontImportJavaLang - Import Statements - - - UnusedImports - Import Statements - - - ImportFromSamePackage - Import Statements - - - TooManyStaticImports - Import Statements - - - UnnecessaryFullyQualifiedName - Import Statements - - - ReplaceVectorWithList - Migration - - - ReplaceHashtableWithMap - Migration - - - ReplaceEnumerationWithIterator - Migration - - - AvoidEnumAsIdentifier - Migration - - - AvoidAssertAsIdentifier - Migration - - - IntegerInstantiation - Migration - - - ByteInstantiation - Migration - - - ShortInstantiation - Migration - - - LongInstantiation - Migration - - - JUnit4TestShouldUseBeforeAnnotation - Migration - - - JUnit4TestShouldUseAfterAnnotation - Migration - - - JUnit4TestShouldUseTestAnnotation - Migration - - - JUnit4SuitesShouldUseSuiteAnnotation - Migration - - - JUnitUseExpected - Migration - - - UnnecessaryParentheses - Unnecessary - - - UnnecessaryBlock - 
Unnecessary - - - DontNestJsfInJstlIteration - Basic JSF - - - MistypedCDATASection - Basic XML - - - CallSuperFirst - Android - - - CallSuperLast - Android - - - DoNotHardCodeSDCard - Android - - - JumbledIncrementer - Basic - - - ForLoopShouldBeWhileLoop - Basic - - - OverrideBothEqualsAndHashcode - Basic - - - DoubleCheckedLocking - Basic - - - ReturnFromFinallyBlock - Basic - - - UnconditionalIfStatement - Basic - - - BooleanInstantiation - Basic - - - CollapsibleIfStatements - Basic - - - ClassCastExceptionWithToArray - Basic - - - AvoidDecimalLiteralsInBigDecimalConstructor - Basic - - - MisplacedNullCheck - Basic - - - AvoidThreadGroup - Basic - - - BrokenNullCheck - Basic - - - BigIntegerInstantiation - Basic - - - AvoidUsingOctalValues - Basic - - - AvoidUsingHardCodedIP - Basic - - - CheckResultSet - Basic - - - AvoidMultipleUnaryOperators - Basic - - - ExtendsObject - Basic - - - CheckSkipResult - Basic - - - AvoidBranchingStatementAsLastInLoop - Basic - - - DontCallThreadRun - Basic - - - DontUseFloatTypeForLoopIndices - Basic - - - EmptyCatchBlock - Empty Code - - - EmptyIfStmt - Empty Code - - - EmptyWhileStmt - Empty Code - - - EmptyTryBlock - Empty Code - - - EmptyFinallyBlock - Empty Code - - - EmptySwitchStatements - Empty Code - - - EmptySynchronizedBlock - Empty Code - - - EmptyStatementNotInLoop - Empty Code - - - EmptyInitializer - Empty Code - - - EmptyStatementBlock - Empty Code - - - EmptyStaticInitializer - Empty Code - - - CouplingBetweenObjects - Coupling - - - ExcessiveImports - Coupling - - - LooseCoupling - Coupling - - - LoosePackageCoupling - Coupling - - - LawOfDemeter - Coupling - - - UnnecessaryConversionTemporary - Unnecessary - - - UnnecessaryReturn - Unnecessary - - - UnnecessaryFinalModifier - Unnecessary - - - UselessOverridingMethod - Unnecessary - - - UselessOperationOnImmutable - Unnecessary - - - UnusedNullCheckInEquals - Unnecessary - - - UselessParentheses - Unnecessary - - - NoLongScripts - Basic JSP - - - 
NoScriptlets - Basic JSP - - - NoInlineStyleInformation - Basic JSP - - - NoClassAttribute - Basic JSP - - - NoJspForward - Basic JSP - - - IframeMissingSrcAttribute - Basic JSP - - - NoHtmlComments - Basic JSP - - - DuplicateJspImports - Basic JSP - - - JspEncoding - Basic JSP - - - NoInlineScript - Basic JSP - - - AvoidCatchingThrowable - Strict Exceptions - - - SignatureDeclareThrowsException - Strict Exceptions - - - ExceptionAsFlowControl - Strict Exceptions - - - AvoidCatchingNPE - Strict Exceptions - - - AvoidThrowingRawExceptionTypes - Strict Exceptions - - - AvoidThrowingNullPointerException - Strict Exceptions - - - AvoidRethrowingException - Strict Exceptions - - - DoNotExtendJavaLangError - Strict Exceptions - - - DoNotThrowExceptionInFinally - Strict Exceptions - - - AvoidThrowingNewInstanceOfSameException - Strict Exceptions - - - AvoidCatchingGenericException - Strict Exceptions - - - AvoidLosingExceptionInformation - Strict Exceptions - - - UseCorrectExceptionLogging - Jakarta Commons Logging - - - ProperLogger - Jakarta Commons Logging - - - GuardDebugLogging - Jakarta Commons Logging - - - LocalVariableCouldBeFinal - Optimization - - - MethodArgumentCouldBeFinal - Optimization - - - AvoidInstantiatingObjectsInLoops - Optimization - - - UseArrayListInsteadOfVector - Optimization - - - SimplifyStartsWith - Optimization - - - UseStringBufferForStringAppends - Optimization - - - UseArraysAsList - Optimization - - - AvoidArrayLoops - Optimization - - - UnnecessaryWrapperObjectCreation - Optimization - - - AddEmptyString - Optimization - - - RedundantFieldInitializer - Optimization - - - PrematureDeclaration - Optimization - - - UseProperClassLoader - J2EE - - - MDBAndSessionBeanNamingConvention - J2EE - - - RemoteSessionInterfaceNamingConvention - J2EE - - - LocalInterfaceSessionNamingConvention - J2EE - - - LocalHomeNamingConvention - J2EE - - - RemoteInterfaceNamingConvention - J2EE - - - DoNotCallSystemExit - J2EE - - - StaticEJBFieldShouldBeFinal - 
J2EE - - - DoNotUseThreads - J2EE - - - AvoidDuplicateLiterals - String and StringBuffer - - - StringInstantiation - String and StringBuffer - - - StringToString - String and StringBuffer - - - InefficientStringBuffering - String and StringBuffer - - - UnnecessaryCaseChange - String and StringBuffer - - - UseStringBufferLength - String and StringBuffer - - - AppendCharacterWithChar - String and StringBuffer - - - ConsecutiveLiteralAppends - String and StringBuffer - - - UseIndexOfChar - String and StringBuffer - - - InefficientEmptyStringCheck - String and StringBuffer - - - InsufficientStringBufferDeclaration - String and StringBuffer - - - UselessStringValueOf - String and StringBuffer - - - StringBufferInstantiationWithChar - String and StringBuffer - - - UseEqualsToCompareStrings - String and StringBuffer - - - AvoidStringBufferField - String and StringBuffer - - - MoreThanOneLogger - Java Logging - - - LoggerIsNotStaticFinal - Java Logging - - - SystemPrintln - Java Logging - - - AvoidPrintStackTrace - Java Logging - - - UseConcatOnce - XPath in XSL - - - AvoidAxisNavigation - XPath in XSL - - - AssignmentInOperand - Basic Ecmascript - - - UnreachableCode - Basic Ecmascript - - - InnaccurateNumericLiteral - Basic Ecmascript - - - ConsistentReturn - Basic Ecmascript - - - ScopeForInVariable - Basic Ecmascript - - - EqualComparison - Basic Ecmascript - - - GlobalVariable - Basic Ecmascript - - - AvoidTrailingComma - Basic Ecmascript - - - IfStmtsMustUseBraces - Braces - - - WhileLoopsMustUseBraces - Braces - - - IfElseStmtsMustUseBraces - Braces - - - ForLoopsMustUseBraces - Braces - - - EmptyFinalizer - Finalizer - - - FinalizeOnlyCallsSuperFinalize - Finalizer - - - FinalizeOverloaded - Finalizer - - - FinalizeDoesNotCallSuperFinalize - Finalizer - - - FinalizeShouldBeProtected - Finalizer - - - AvoidCallingFinalize - Finalizer - - - UseSingleton - Design - - - SimplifyBooleanReturns - Design - - - SimplifyBooleanExpressions - Design - - - 
SwitchStmtsShouldHaveDefault - Design - - - AvoidDeeplyNestedIfStmts - Design - - - AvoidReassigningParameters - Design - - - SwitchDensity - Design - - - ConstructorCallsOverridableMethod - Design - - - AccessorClassGeneration - Design - - - FinalFieldCouldBeStatic - Design - - - CloseResource - Design - - - NonStaticInitializer - Design - - - DefaultLabelNotLastInSwitchStmt - Design - - - NonCaseLabelInSwitchStatement - Design - - - OptimizableToArrayCall - Design - - - BadComparison - Design - - - EqualsNull - Design - - - ConfusingTernary - Design - - - InstantiationToGetClass - Design - - - IdempotentOperations - Design - - - SimpleDateFormatNeedsLocale - Design - - - ImmutableField - Design - - - UseLocaleWithCaseConversions - Design - - - AvoidProtectedFieldInFinalClass - Design - - - AssignmentToNonFinalStatic - Design - - - MissingStaticMethodInNonInstantiatableClass - Design - - - AvoidSynchronizedAtMethodLevel - Design - - - MissingBreakInSwitch - Design - - - UseNotifyAllInsteadOfNotify - Design - - - AvoidInstanceofChecksInCatchClause - Design - - - AbstractClassWithoutAbstractMethod - Design - - - SimplifyConditional - Design - - - CompareObjectsWithEquals - Design - - - PositionLiteralsFirstInComparisons - Design - - - UnnecessaryLocalBeforeReturn - Design - - - NonThreadSafeSingleton - Design - - - UncommentedEmptyMethod - Design - - - UncommentedEmptyConstructor - Design - - - AvoidConstantsInterface - Design - - - UnsynchronizedStaticDateFormatter - Design - - - PreserveStackTrace - Design - - - UseCollectionIsEmpty - Design - - - ClassWithOnlyPrivateConstructorsShouldBeFinal - Design - - - EmptyMethodInAbstractClassShouldBeAbstract - Design - - - SingularField - Design - - - ReturnEmptyArrayRatherThanNull - Design - - - AbstractClassWithoutAnyMethod - Design - - - TooFewBranchesForASwitchStatement - Design - - - LogicInversion - Design - - - UseVarargs - Design - - - FieldDeclarationsShouldBeAtStartOfClass - Design - - - GodClass - Design - - - 
NPathComplexity - Code Size - - - ExcessiveMethodLength - Code Size - - - ExcessiveParameterList - Code Size - - - ExcessiveClassLength - Code Size - - - CyclomaticComplexity - Code Size - - - ExcessivePublicCount - Code Size - - - TooManyFields - Code Size - - - NcssMethodCount - Code Size - - - NcssTypeCount - Code Size - - - NcssConstructorCount - Code Size - - - TooManyMethods - Code Size - - - BeanMembersShouldSerialize - JavaBeans - - - MissingSerialVersionUID - JavaBeans - - - false - true - true - diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/README.txt b/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/README.txt deleted file mode 100644 index f4203f9ec1..0000000000 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/README.txt +++ /dev/null @@ -1,10 +0,0 @@ -'rest' module contains the web layer configuration for REST API which communicates with HBase and fetches pcaps. -Spring frameworks 'org.springframework.web.servlet.DispatcherServlet' is configured to intercept all requests (/*) and the -application context is built using the configuration file 'ipcap-config.xml'. - -REST APIs : -1. http://{hostname:port}//cisco-rest/pcapGetter/getPcapsByKeys? -2. http://mon.hw.com:8090/cisco-rest-0.0.5-SNAPSHOT/pcapGetter/getPcapsByKeyRange? -3. http://mon.hw.com:8090/cisco-rest-0.0.5-SNAPSHOT/pcapGetter/getPcapsByIdentifiers? - -Refer the wiki documentation for further details : https://hwcsco.atlassian.net/wiki/pages/viewpage.action?pageId=5242892 diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/pom.xml b/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/pom.xml deleted file mode 100644 index bf5f5dbd2d..0000000000 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/pom.xml +++ /dev/null 
@@ -1,52 +0,0 @@ - - 4.0.0 - - com.cisco.opensoc - opensoc - 0.1.3-SNAPSHOT - ../../../pom.xml - - opensoc-rest-service - war - - - - - com.cisco.opensoc - opensoc-hbase - ${project.parent.version} - - - - org.springframework.integration - spring-integration-http - ${spring.integration.version} - - - org.springframework - spring-webmvc - ${spring.version} - - - - log4j - log4j - ${logger.version} - - - com.sun.jmx - jmxri - - - com.sun.jdmk - jmxtools - - - javax.jms - jms - - - - - \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/src/main/resources/log4j.properties b/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/src/main/resources/log4j.properties deleted file mode 100644 index 224aed5570..0000000000 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/src/main/resources/log4j.properties +++ /dev/null @@ -1,10 +0,0 @@ -# Root logger option -log4j.rootLogger=INFO,file,stdout - -# Direct log messages to a log file -log4j.appender.file=org.apache.log4j.RollingFileAppender -log4j.appender.file.File=/var/log/rest/cisco-rest.log -log4j.appender.file.MaxFileSize=1MB -log4j.appender.file.MaxBackupIndex=1 -log4j.appender.file.layout=org.apache.log4j.PatternLayout -log4j.appender.file.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/src/main/webapp/META-INF/MANIFEST.MF b/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/src/main/webapp/META-INF/MANIFEST.MF deleted file mode 100644 index 5e9495128c..0000000000 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/src/main/webapp/META-INF/MANIFEST.MF +++ /dev/null @@ -1,3 +0,0 @@ -Manifest-Version: 1.0 -Class-Path: - 
diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/src/main/webapp/WEB-INF/ipcap-config.xml b/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/src/main/webapp/WEB-INF/ipcap-config.xml deleted file mode 100644 index c09a808236..0000000000 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/src/main/webapp/WEB-INF/ipcap-config.xml +++ /dev/null @@ -1,7 +0,0 @@ - - - - - diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/src/main/webapp/WEB-INF/web.xml b/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/src/main/webapp/WEB-INF/web.xml deleted file mode 100644 index e4a521f003..0000000000 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/service/src/main/webapp/WEB-INF/web.xml +++ /dev/null @@ -1,17 +0,0 @@ - - - multipart-http - - ipcap - org.springframework.web.servlet.DispatcherServlet - - contextConfigLocation - /WEB-INF/ipcap-config.xml - - 1 - - - ipcap - /* - - \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/README.txt b/opensoc-streaming/OpenSOC-Pcap_Service/README.txt similarity index 100% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/README.txt rename to opensoc-streaming/OpenSOC-Pcap_Service/README.txt diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/pom.xml b/opensoc-streaming/OpenSOC-Pcap_Service/pom.xml new file mode 100644 index 0000000000..ecbce829f6 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Pcap_Service/pom.xml 
@@ -0,0 +1,267 @@ + + 4.0.0 + + com.opensoc + OpenSOC-Streaming + 0.6BETA + + OpenSOC-Pcap_Service + OpenSOC Pcap_Service + + UTF-8 + 1.4.0.2.0.6.0-76 + 2.2.0.2.0.6.0-76 + 1.7 + 1.7 + 0.9.2-incubating + 0.8.0 + 1.7.5 + 3.4.5.2.0.6.0-76 + 1.2.15 + + 0.9.2-incubating + 0.0.7-SNAPSHOT + 0.0.5-SNAPSHOT + + 3.0.0.RELEASE + 3.2.6.RELEASE + 1.2.2 + 2.4 + 1.10 + 2.6 + 3.2.1 + 1.8.3 + 2.1.1 + + + 4.11 + 1.3 + 1.9.5 + 1.3.0 + + + + org.jboss.resteasy + jaxrs-api + 3.0.4.Final + + + com.opensoc + OpenSOC-Common + ${project.parent.version} + + + + commons-beanutils + commons-beanutils + ${commons-beanutils.version} + + + org.apache.commons + commons-jexl + ${commons-jexl.version} + + + + commons-configuration + commons-configuration + ${commons-configuration.version} + + + org.slf4j + slf4j-api + + + + + junit + junit + ${junit.version} + test + + + org.powermock + powermock-api-mockito + 1.5 + test + + + org.powermock + powermock-core + 1.5 + test + + + org.powermock + powermock-module-junit4 + 1.5 + test + + + joda-time + joda-time + 2.3 + + + org.apache.hbase + hbase-client + ${global_hbase_version} + provided + + + org.slf4j + slf4j-log4j12 + + + + + org.apache.hbase + hbase-testing-util + ${global_hbase_version} + provided + + + org.slf4j + slf4j-log4j12 + + + + + org.apache.hadoop + hadoop-common + ${global_hadoop_version} + provided + + + org.apache.hadoop + hadoop-hdfs + ${global_hadoop_version} + provided + + + + org.springframework.integration + spring-integration-http + ${spring.integration.version} + + + org.springframework + spring-webmvc + ${spring.version} + + + log4j + log4j + ${logger.version} + + + com.sun.jmx + jmxri + + + com.sun.jdmk + jmxtools + + + javax.jms + jms + + + + + + + + + + org.jboss.resteasy + resteasy-jaxrs + 3.0.1.Final + + + org.slf4j + slf4j-simple + + + + + org.jboss.resteasy + resteasy-jaxb-provider + 3.0.1.Final + compile + + + org.jboss.resteasy + async-http-servlet-3.0 + 3.0.1.Final + compile + + + + + + + + + + + + + + + + + 
org.eclipse.jetty + jetty-server + 9.3.0.M0 + + + org.eclipse.jetty + jetty-servlet + 9.3.0.M0 + + + org.slf4j + slf4j-simple + ${global_slf4j_version} + + + org.slf4j + slf4j-api + ${global_slf4j_version} + + + org.slf4j + slf4j-log4j12 + ${global_slf4j_version} + + + + + + + maven-assembly-plugin + + + + com.opensoc.pcapservice.rest.PcapService + + + + jar-with-dependencies + + + + + make-assembly + package + + single + + + + + + + diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/pom.xml.versionsBackup b/opensoc-streaming/OpenSOC-Pcap_Service/pom.xml.versionsBackup new file mode 100644 index 0000000000..a400fe234c --- /dev/null +++ b/opensoc-streaming/OpenSOC-Pcap_Service/pom.xml.versionsBackup 
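Review bot: The embedded HTTP server is pinned to a milestone build, `9.3.0.M0`, for both `jetty-server` and `jetty-servlet` near the end of the dependency list. This service hands packet captures out over HTTP, so it should sit on a final release line that receives security fixes, with the version held in a single property so the two artifacts cannot drift apart. The same list declares `slf4j-simple` and `slf4j-log4j12` side by side at `${global_slf4j_version}`, although `slf4j-simple` appears to be excluded from `resteasy-jaxrs` and `slf4j-log4j12` from the HBase artifacts. With two bindings on the classpath SLF4J picks one at start-up, and because `jar-with-dependencies` bundles both into the shipped jar, the service's log output may not land where log4j is configured to put it; keep one binding and drop the other. The element names in this hunk were lost in extraction, so scopes and exclusions are inferred from the visible values.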
@@ -0,0 +1,268 @@ + + 4.0.0 + + com.opensoc + OpenSOC-Streaming + 0.4BETA + + OpenSOC-Pcap_Service + OpenSOC Pcap_Service + + UTF-8 + 1.4.0.2.0.6.0-76 + 2.2.0.2.0.6.0-76 + ${jdk.version} + ${jdk.version} + + 0.9.2-incubating + 0.8.0 + 1.7.5 + 3.4.5.2.0.6.0-76 + 1.2.15 + + 0.9.2-incubating + 0.0.7-SNAPSHOT + 0.0.5-SNAPSHOT + + 3.0.0.RELEASE + 3.2.6.RELEASE + 1.2.2 + 2.4 + 1.10 + 2.6 + 3.2.1 + 1.8.3 + 2.1.1 + + + 4.11 + 1.3 + 1.9.5 + 1.3.0 + + + + org.jboss.resteasy + jaxrs-api + 3.0.4.Final + + + com.opensoc + OpenSOC-Common + ${parent.version} + + + + commons-beanutils + commons-beanutils + ${commons-beanutils.version} + + + org.apache.commons + commons-jexl + ${commons-jexl.version} + + + + commons-configuration + commons-configuration + ${commons-configuration.version} + + + org.slf4j + slf4j-api + + + + + junit + junit + ${junit.version} + test + + + org.powermock + powermock-api-mockito + 1.5 + test + + + org.powermock + powermock-core + 1.5 + test + + + org.powermock + powermock-module-junit4 + 1.5 + test + + + joda-time + joda-time + 2.3 + + + org.apache.hbase + hbase-client + ${global_hbase_version} + provided + + + org.slf4j + slf4j-log4j12 + + + + + org.apache.hbase + hbase-testing-util + ${global_hbase_version} + provided + + + org.slf4j + slf4j-log4j12 + + + + + org.apache.hadoop + hadoop-common + ${global_hadoop_version} + provided + + + org.apache.hadoop + hadoop-hdfs + ${global_hadoop_version} + provided + + + + org.springframework.integration + spring-integration-http + ${spring.integration.version} + + + org.springframework + spring-webmvc + ${spring.version} + + + log4j + log4j + ${logger.version} + + + com.sun.jmx + jmxri + + + com.sun.jdmk + jmxtools + + + javax.jms + jms + + + + + + + + + + org.jboss.resteasy + resteasy-jaxrs + 3.0.1.Final + + + org.slf4j + slf4j-simple + + + + + org.jboss.resteasy + resteasy-jaxb-provider + 3.0.1.Final + compile + + + org.jboss.resteasy + async-http-servlet-3.0 + 3.0.1.Final + compile + + + + + + + + + + + + + 
+ + + + org.eclipse.jetty + jetty-server + 9.3.0.M0 + + + org.eclipse.jetty + jetty-servlet + 9.3.0.M0 + + + org.slf4j + slf4j-simple + ${global_slf4j_version} + + + org.slf4j + slf4j-api + ${global_slf4j_version} + + + org.slf4j + slf4j-log4j12 + ${global_slf4j_version} + + + + + + + maven-assembly-plugin + + + + com.opensoc.pcapservice.rest.PcapService + + + + jar-with-dependencies + + + + + make-assembly + package + + single + + + + + + + \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/CellTimestampComparator.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/CellTimestampComparator.java new file mode 100644 index 0000000000..e45d8491ee --- /dev/null +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/CellTimestampComparator.java @@ -0,0 +1,23 @@ +package com.opensoc.pcapservice; + +import java.util.Comparator; + +import org.apache.hadoop.hbase.Cell; + +/** + * Comparator created for sorting pcaps cells based on the timestamp (asc). + * + * @author Sayi + */ +public class CellTimestampComparator implements Comparator { + + /* + * (non-Javadoc) + * + * @see java.util.Comparator#compare(java.lang.Object, java.lang.Object) + */ + + public int compare(Cell o1, Cell o2) { + return Long.valueOf(o1.getTimestamp()).compareTo(o2.getTimestamp()); + } +} diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/ConfigurationUtil.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/ConfigurationUtil.java new file mode 100644 index 0000000000..be1a1bf4ab --- /dev/null +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/ConfigurationUtil.java 
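Review bot: `compare` in the new `CellTimestampComparator` boxes the first timestamp only to call `compareTo` on it; `return Long.compare(o1.getTimestamp(), o2.getTimestamp());` gives the same ascending order without the allocation, and the module's pom appears to target Java 1.7, where `Long.compare` is available. The method also carries a `(non-Javadoc) @see` comment where `@Override` would let the compiler check the signature, and the type argument on `implements Comparator` seems to have been lost in extraction, so confirm it reads `Comparator<Cell>` in the file. The class Javadoc should also state that ordering is by cell timestamp only, so two cells with the same timestamp compare as equal and their relative order depends on the sort being stable.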
@@ -0,0 +1,269 @@ +package com.opensoc.pcapservice; + +import org.apache.commons.configuration.Configuration; +import org.apache.hadoop.hbase.util.Bytes; +import org.springframework.util.Assert; + +import com.opensoc.configuration.ConfigurationManager; + + + +/** + * utility class for this module which loads commons configuration to fetch + * properties from underlying resources to communicate with hbase. + * + * @author Sayi + */ +public class ConfigurationUtil { + + /** Configuration definition file name for fetching pcaps from hbase */ + private static final String configDefFileName = "config-definition-hbase.xml"; + + /** property configuration. */ + private static Configuration propConfiguration = null; + + + /** + * The Enum SizeUnit. + */ + public enum SizeUnit { + + /** The kb. */ + KB, + /** The mb. */ + MB + }; + + /** The Constant DEFAULT_HCONNECTION_RETRY_LIMIT. */ + private static final int DEFAULT_HCONNECTION_RETRY_LIMIT = 0; + + /** + * Loads configuration resources + * @return Configuration + */ + public static Configuration getConfiguration() { + if(propConfiguration == null){ + propConfiguration = ConfigurationManager.getConfiguration(configDefFileName); + } + return propConfiguration; + } + + /** + * Returns the configured default result size in bytes, if the user input is + * null; otherwise, returns the user input after validating with the + * configured max value. Throws IllegalArgumentException if : 1. input is + * less than or equals to 0 OR 2. 
input is greater than configured + * {hbase.scan.max.result.size} value + * + * @param input + * the input + * @return long + */ + public static long validateMaxResultSize(String input) { + if (input == null) { + return getDefaultResultSize(); + } + // validate the user input + long value = convertToBytes(Long.parseLong(input), getResultSizeUnit()); + Assert.isTrue( + isAllowableResultSize(value), + "'maxResponseSize' param value must be positive and less than {hbase.scan.max.result.size} value"); + return convertToBytes(value, getResultSizeUnit()); + } + + /** + * Checks if is allowable result size. + * + * @param input + * the input + * @return true, if is allowable result size + */ + public static boolean isAllowableResultSize(long input) { + if (input <= 0 || input > getMaxResultSize()) { + return false; + } + return true; + } + + /** + * Returns the configured default result size in bytes. + * + * @return long + */ + public static long getDefaultResultSize() { + float value = ConfigurationUtil.getConfiguration().getFloat( + "hbase.scan.default.result.size"); + return convertToBytes(value, getResultSizeUnit()); + } + + /** + * Returns the configured max result size in bytes. + * + * @return long + */ + public static long getMaxResultSize() { + float value = ConfigurationUtil.getConfiguration().getFloat( + "hbase.scan.max.result.size"); + return convertToBytes(value, getResultSizeUnit()); + } + + /** + * Returns the configured max row size in bytes. + * + * @return long + */ + public static long getMaxRowSize() { + float maxRowSize = ConfigurationUtil.getConfiguration().getFloat( + "hbase.table.max.row.size"); + return convertToBytes(maxRowSize, getRowSizeUnit()); + } + + /** + * Gets the result size unit. + * + * @return the result size unit + */ + public static SizeUnit getResultSizeUnit() { + return SizeUnit.valueOf(ConfigurationUtil.getConfiguration() + .getString("hbase.scan.result.size.unit")); + } + + /** + * Gets the row size unit. 
+ * + * @return the row size unit + */ + public static SizeUnit getRowSizeUnit() { + return SizeUnit.valueOf(ConfigurationUtil.getConfiguration() + .getString("hbase.table.row.size.unit")); + } + + /** + * Gets the connection retry limit. + * + * @return the connection retry limit + */ + public static int getConnectionRetryLimit() { + return ConfigurationUtil.getConfiguration().getInt( + "hbase.hconnection.retries.number", + DEFAULT_HCONNECTION_RETRY_LIMIT); + } + + /** + * Checks if is default include reverse traffic. + * + * @return true, if is default include reverse traffic + */ + public static boolean isDefaultIncludeReverseTraffic() { + return ConfigurationUtil.getConfiguration().getBoolean( + "pcaps.include.reverse.traffic"); + } + + /** + * Gets the table name. + * + * @return the table name + */ + public static byte[] getTableName() { + return Bytes.toBytes(ConfigurationUtil.getConfiguration().getString( + "hbase.table.name")); + } + + /** + * Gets the column family. + * + * @return the column family + */ + public static byte[] getColumnFamily() { + return Bytes.toBytes(ConfigurationUtil.getConfiguration().getString( + "hbase.table.column.family")); + } + + /** + * Gets the column qualifier. + * + * @return the column qualifier + */ + public static byte[] getColumnQualifier() { + return Bytes.toBytes(ConfigurationUtil.getConfiguration().getString( + "hbase.table.column.qualifier")); + } + + /** + * Gets the max versions. + * + * @return the max versions + */ + public static int getMaxVersions() { + return ConfigurationUtil.getConfiguration().getInt( + "hbase.table.column.maxVersions"); + } + + /** + * Gets the configured tokens in rowkey. + * + * @return the configured tokens in rowkey + */ + public static int getConfiguredTokensInRowkey() { + return ConfigurationUtil.getConfiguration().getInt( + "hbase.table.row.key.tokens"); + } + + /** + * Gets the minimum tokens in inputkey. 
+ * + * @return the minimum tokens in inputkey + */ + public static int getMinimumTokensInInputkey() { + return ConfigurationUtil.getConfiguration().getInt( + "rest.api.input.key.min.tokens"); + } + + /** + * Gets the appending token digits. + * + * @return the appending token digits + */ + public static int getAppendingTokenDigits() { + return ConfigurationUtil.getConfiguration().getInt( + "hbase.table.row.key.token.appending.digits"); + } + + /** + * Convert to bytes. + * + * @param value + * the value + * @param unit + * the unit + * @return the long + */ + public static long convertToBytes(float value, SizeUnit unit) { + if (SizeUnit.KB == unit) { + return (long) (value * 1024); + } + if (SizeUnit.MB == unit) { + return (long) (value * 1024 * 1024); + } + return (long) value; + } + + /** + * The main method. + * + * @param args + * the arguments + */ + public static void main(String[] args) { + long r1 = getMaxRowSize(); + System.out.println("getMaxRowSizeInBytes = " + r1); + long r2 = getMaxResultSize(); + System.out.println("getMaxAllowableResultSizeInBytes = " + r2); + + SizeUnit u1 = getRowSizeUnit(); + System.out.println("getMaxRowSizeUnit = " + u1.toString()); + SizeUnit u2 = getResultSizeUnit(); + System.out.println("getMaxAllowableResultsSizeUnit = " + u2.toString()); + } + +} diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/HBaseConfigConstants.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/HBaseConfigConstants.java new file mode 100644 index 0000000000..a7e7e3b805 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/HBaseConfigConstants.java 
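Review bot: `ConfigurationUtil.validateMaxResultSize` converts the caller's value to bytes twice: `value` is already the output of `convertToBytes(...)` when `isAllowableResultSize(value)` checks it, and the return statement then runs `convertToBytes(value, getResultSizeUnit())` again, so with the unit set to KB or MB the method returns 1024 or 1024*1024 times the number it just validated against `hbase.scan.max.result.size`. Because this is the cap applied to the user-supplied `maxResponseSize`, the effective ceiling on a response ends up far above the configured one; the last line should be `return value;`. Separately, `getConfiguration()` initialises the static `propConfiguration` with an unsynchronised null check, so concurrent first requests can each load the configuration.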
@@ -0,0 +1,40 @@
+package com.opensoc.pcapservice;
+
+/**
+ * HBase configuration properties.
+ *
+ * @author Sayi
+ */
+public class HBaseConfigConstants {
+
+ /** The Constant HBASE_ZOOKEEPER_QUORUM. */
+ public static final String HBASE_ZOOKEEPER_QUORUM = "hbase.zookeeper.quorum";
+
+ /** The Constant HBASE_ZOOKEEPER_CLIENT_PORT. */
+ public static final String HBASE_ZOOKEEPER_CLIENT_PORT = "hbase.zookeeper.clientPort";
+
+ /** The Constant HBASE_ZOOKEEPER_SESSION_TIMEOUT. */
+ public static final String HBASE_ZOOKEEPER_SESSION_TIMEOUT = "zookeeper.session.timeout";
+
+ /** The Constant HBASE_ZOOKEEPER_RECOVERY_RETRY. */
+ public static final String HBASE_ZOOKEEPER_RECOVERY_RETRY = "zookeeper.recovery.retry";
+
+ /** The Constant HBASE_CLIENT_RETRIES_NUMBER. */
+ public static final String HBASE_CLIENT_RETRIES_NUMBER = "hbase.client.retries.number";
+
+ /** The delimeter. */
+ String delimeter = "-";
+
+ /** The regex. */
+ String regex = "\\-";
+
+ /** The Constant PCAP_KEY_DELIMETER. */
+ public static final String PCAP_KEY_DELIMETER = "-";
+
+ /** The Constant START_KEY. */
+ public static final String START_KEY = "startKey";
+
+ /** The Constant END_KEY. */
+ public static final String END_KEY = "endKey";
+
+}
diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/HBaseConfigurationUtil.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/HBaseConfigurationUtil.java
new file mode 100644
index 0000000000..8a5c022e83
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/HBaseConfigurationUtil.java
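Review bot: In HBaseConfigConstants, `delimeter` and `regex` are package-private, non-static, non-final instance fields in a class that otherwise holds only `public static final` constants, and `delimeter` duplicates `PCAP_KEY_DELIMETER`. The code visible in this commit builds its own local `delimeter` and `regex` from `PCAP_KEY_DELIMETER`, so the two fields look unused; I would delete them, or make them `private static final` if something outside this view needs them. A private constructor would also stop the constants holder from being instantiated.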
@@ -0,0 +1,165 @@ +/** + * + */ +package com.opensoc.pcapservice; + +import java.io.IOException; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hbase.HBaseConfiguration; +import org.apache.hadoop.hbase.client.HConnection; +import org.apache.hadoop.hbase.client.HConnectionManager; +import org.apache.log4j.Logger; +import org.mortbay.log.Log; + +/** + * Utility class which creates HConnection instance when the first request is + * received and registers a shut down hook which closes the connection when the + * JVM exits. Creates new connection to the cluster only if the existing + * connection is closed for unknown reasons. Also creates Configuration with + * HBase resources using configuration properties. + * + * @author Sayi + * + */ +public class HBaseConfigurationUtil { + + /** The Constant LOGGER. */ + private static final Logger LOGGER = Logger + .getLogger(HBaseConfigurationUtil.class); + + /** Configuration which holds all HBase properties. */ + private static Configuration config; + + /** + * A cluster connection which knows how to find master node and locate regions + * on the cluster. + */ + private static HConnection clusterConnection = null; + + /** + * Creates HConnection instance when the first request is received and returns + * the same instance for all subsequent requests if the connection is still + * open. + * + * @return HConnection instance + * @throws IOException + * Signals that an I/O exception has occurred. + */ + public static HConnection getConnection() throws IOException { + if (!connectionAvailable()) { + synchronized (HBaseConfigurationUtil.class) { + createClusterConncetion(); + } + } + return clusterConnection; + } + + /** + * Creates the cluster conncetion. + * + * @throws IOException + * Signals that an I/O exception has occurred. 
+ */ + private static void createClusterConncetion() throws IOException { + try { + if (connectionAvailable()) { + return; + } + clusterConnection = HConnectionManager.createConnection(read()); + addShutdownHook(); + System.out.println("Created HConnection and added shutDownHook"); + } catch (IOException e) { + LOGGER + .error( + "Exception occurred while creating HConnection using HConnectionManager", + e); + throw e; + } + } + + /** + * Connection available. + * + * @return true, if successful + */ + private static boolean connectionAvailable() { + if (clusterConnection == null) { + System.out.println("clusterConnection=" + clusterConnection); + return false; + } + System.out.println("clusterConnection.isClosed()=" + + clusterConnection.isClosed()); + return clusterConnection != null && !clusterConnection.isClosed(); + } + + /** + * Adds the shutdown hook. + */ + private static void addShutdownHook() { + Runtime.getRuntime().addShutdownHook(new Thread(new Runnable() { + public void run() { + System.out + .println("Executing ShutdownHook HBaseConfigurationUtil : Closing HConnection"); + try { + clusterConnection.close(); + } catch (IOException e) { + Log.debug("Caught ignorable exception ", e); + } + } + }, "HBaseConfigurationUtilShutDown")); + } + + /** + * Closes the underlying connection to cluster; ignores if any exception is + * thrown. + */ + public static void closeConnection() { + if (clusterConnection != null) { + try { + clusterConnection.close(); + } catch (IOException e) { + Log.debug("Caught ignorable exception ", e); + } + } + } + + /** + * This method creates Configuration with HBase resources using configuration + * properties. 
The same Configuration object will be used to communicate with + * all HBase tables; + * + * @return Configuration object + */ + public static Configuration read() { + if (config == null) { + synchronized (HBaseConfigurationUtil.class) { + if (config == null) { + config = HBaseConfiguration.create(); + + config.set( + HBaseConfigConstants.HBASE_ZOOKEEPER_QUORUM, + ConfigurationUtil.getConfiguration().getString( + "hbase.zookeeper.quorum")); + config.set( + HBaseConfigConstants.HBASE_ZOOKEEPER_CLIENT_PORT, + ConfigurationUtil.getConfiguration().getString( + "hbase.zookeeper.clientPort")); + config.set( + HBaseConfigConstants.HBASE_CLIENT_RETRIES_NUMBER, + ConfigurationUtil.getConfiguration().getString( + "hbase.client.retries.number")); + config.set( + HBaseConfigConstants.HBASE_ZOOKEEPER_SESSION_TIMEOUT, + ConfigurationUtil.getConfiguration().getString( + "zookeeper.session.timeout")); + config.set( + HBaseConfigConstants.HBASE_ZOOKEEPER_RECOVERY_RETRY, + ConfigurationUtil.getConfiguration().getString( + "zookeeper.recovery.retry")); + } + } + } + return config; + } +} diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/IPcapGetter.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/IPcapGetter.java new file mode 100644 index 0000000000..dbff59c330 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/IPcapGetter.java 
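Review bot: In HBaseConfigurationUtil, `createClusterConncetion()` calls `addShutdownHook()` every time it builds a connection, and `closeConnection()` is public (the retry loop in PcapGetterHBaseImpl.processKey calls it before each attempt), so every reconnect registers one more JVM shutdown-hook thread for the same static field. I would register the hook once, with a `private static boolean shutdownHookRegistered;` flag checked inside the synchronized section: `if (!shutdownHookRegistered) { addShutdownHook(); shutdownHookRegistered = true; }`. `closeConnection()` also closes `clusterConnection` without taking the class lock that `getConnection()` uses, and the field is read outside that lock without being `volatile`, so a request thread can be handed a connection that another thread is closing. Status output goes to `System.out.println` and `org.mortbay.log.Log` rather than the class's own `LOGGER`, which keeps connection events out of the service log.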
@@ -0,0 +1,88 @@
+/**
+ *
+ */
+package com.opensoc.pcapservice;
+
+import java.io.IOException;
+import java.util.List;
+
+/**
+ * interface to all 'keys' based pcaps fetching methods.
+ *
+ * @author Sayi
+ */
+public interface IPcapGetter {
+
+ /**
+ * Gets the pcaps for the input list of keys and lastRowKey.
+ *
+ * @param keys
+ * the list of keys for which pcaps are to be retrieved
+ * @param lastRowKey
+ * last row key from the previous partial response
+ * @param startTime
+ * the start time in system milliseconds to be used to filter the
+ * pcaps. The value is set to '0' if the caller sends negative value
+ * @param endTime
+ * the end time in system milliseconds to be used to filter the
+ * pcaps. The value is set to Long.MAX_VALUE if the caller sends
+ * negative value. 'endTime' must be greater than the 'startTime'.
+ * @param includeReverseTraffic
+ * indicates whether or not to include pcaps from the reverse traffic
+ * @param includeDuplicateLastRow
+ * indicates whether or not to include the last row from the previous
+ * partial response
+ * @param maxResultSize
+ * the max result size
+ * @return PcapsResponse with all matching pcaps merged together
+ * @throws IOException
+ * Signals that an I/O exception has occurred.
+ */
+ public PcapsResponse getPcaps(List keys, String lastRowKey,
+ long startTime, long endTime, boolean includeReverseTraffic,
+ boolean includeDuplicateLastRow, long maxResultSize) throws IOException;
+
+ /**
+ * Gets the pcaps for the input key.
+ *
+ * @param key
+ * the key for which pcaps is to be retrieved.
+ * @param startTime
+ * the start time in system milliseconds to be used to filter the
+ * pcaps. The value is set to '0' if the caller sends negative value
+ * @param endTime
+ * the end time in system milliseconds to be used to filter the
+ * pcaps.The value is set to Long.MAX_VALUE if the caller sends
+ * negative value. 'endTime' must be greater than the 'startTime'.
+ * @param includeReverseTraffic
+ * indicates whether or not to include pcaps from the reverse traffic
+ * @return PcapsResponse with all matching pcaps merged together
+ * @throws IOException
+ * Signals that an I/O exception has occurred.
+ */
+ public PcapsResponse getPcaps(String key, long startTime, long endTime,
+ boolean includeReverseTraffic) throws IOException;
+
+ /**
+ * Gets the pcaps for the input list of keys.
+ *
+ * @param keys
+ * the list of keys for which pcaps are to be retrieved.
+ * @return PcapsResponse with all matching pcaps merged together
+ * @throws IOException
+ * Signals that an I/O exception has occurred.
+ */
+ public PcapsResponse getPcaps(List keys) throws IOException;
+
+ /**
+ * Gets the pcaps for the input key.
+ *
+ * @param key
+ * the key for which pcaps is to be retrieved.
+ * @return PcapsResponse with all matching pcaps merged together
+ * @throws IOException
+ * Signals that an I/O exception has occurred.
+ */
+ public PcapsResponse getPcaps(String key) throws IOException;
+
+}
diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/IPcapScanner.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/IPcapScanner.java
new file mode 100644
index 0000000000..64408e9e9d
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/IPcapScanner.java
@@ -0,0 +1,49 @@
+package com.opensoc.pcapservice;
+
+import java.io.IOException;
+
+/**
+ * The Interface for all pcaps fetching methods based on key range.
+ */
+public interface IPcapScanner {
+
+ /**
+ * Gets the pcaps for between startKey (inclusive) and endKey (exclusive).
+ *
+ * @param startKey
+ * the start key of a key range for which pcaps is to be retrieved.
+ * @param endKey
+ * the end key of a key range for which pcaps is to be retrieved.
+ * @param maxResponseSize
+ * indicates the maximum response size in MegaBytes(MB). User needs
+ * to pass positive value and must be less than 60 (MB)
+ * @param startTime
+ * the start time in system milliseconds to be used to filter the
+ * pcaps. The value is set to '0' if the caller sends negative value
+ * @param endTime
+ * the end time in system milliseconds to be used to filter the
+ * pcaps. The value is set Long.MAX_VALUE if the caller sends
+ * negative value
+ * @return byte array with all matching pcaps merged together
+ * @throws IOException
+ * Signals that an I/O exception has occurred.
+ */
+ public byte[] getPcaps(String startKey, String endKey, long maxResponseSize,
+ long startTime, long endTime) throws IOException;
+
+ /**
+ * Gets the pcaps for between startKey (inclusive) and endKey (exclusive).
+ *
+ * @param startKey
+ * the start key (inclusive) of a key range for which pcaps is to be
+ * retrieved.
+ * @param endKey
+ * the end key (exclusive) of a key range for which pcaps is to be
+ * retrieved.
+ * @return byte array with all matching pcaps merged together
+ * @throws IOException
+ * Signals that an I/O exception has occurred.
+ */
+ public byte[] getPcaps(String startKey, String endKey) throws IOException;
+
+}
diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapGetterHBaseImpl.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapGetterHBaseImpl.java
new file mode 100644
index 0000000000..b06137dc9b
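Review bot: The `maxResponseSize` Javadoc on the five-argument `IPcapScanner.getPcaps` hard-codes a 60 MB ceiling, while ConfigurationUtil in this same commit reads the ceiling and its unit from `hbase.scan.max.result.size` and `hbase.scan.result.size.unit`; assuming the scanner implementation uses those settings, the comment is wrong as soon as the configuration differs. I would word it as `the maximum response size, in the unit set by hbase.scan.result.size.unit; must be positive and not exceed hbase.scan.max.result.size`. The comment should also say what the caller receives when the limit is reached, since a bare `byte[]` cannot signal truncation the way `PcapsResponse.Status.PARTIAL` does for IPcapGetter.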
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapGetterHBaseImpl.java
@@ -0,0 +1,809 @@ +package com.opensoc.pcapservice; + +import java.io.File; +import java.io.IOException; +import java.net.URISyntaxException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Set; + +import javax.annotation.Resource; +import javax.ws.rs.GET; +import javax.ws.rs.Path; +import javax.ws.rs.Produces; +import javax.ws.rs.core.Response; + +import org.apache.commons.io.FileUtils; +import org.apache.commons.lang.StringUtils; +import org.apache.hadoop.hbase.Cell; +import org.apache.hadoop.hbase.CellUtil; +import org.apache.hadoop.hbase.MasterNotRunningException; +import org.apache.hadoop.hbase.ZooKeeperConnectionException; +import org.apache.hadoop.hbase.client.Get; +import org.apache.hadoop.hbase.client.HTable; +import org.apache.hadoop.hbase.client.NoServerForRegionException; +import org.apache.hadoop.hbase.client.Result; +import org.apache.hadoop.hbase.client.ResultScanner; +import org.apache.hadoop.hbase.client.Scan; +import org.apache.hadoop.hbase.util.Bytes; +import org.apache.log4j.Logger; +import org.springframework.util.Assert; +import org.springframework.util.CollectionUtils; + +import com.google.common.annotations.VisibleForTesting; + +/** + * Singleton class which integrates with HBase table and returns pcaps sorted by + * timestamp(dsc) for the given list of keys. Creates HConnection if it is not + * already created and the same connection instance is being used for all + * requests + * + * @author sheetal + * @version $Revision: 1.0 $ + */ + +@Path("/") +public class PcapGetterHBaseImpl implements IPcapGetter { + + /** The pcap getter h base. */ + private static IPcapGetter pcapGetterHBase = null; + + /** The Constant LOG. 
*/ + private static final Logger LOGGER = Logger + .getLogger(PcapGetterHBaseImpl.class); + + /* + * (non-Javadoc) + * + * @see com.cisco.opensoc.hbase.client.IPcapGetter#getPcaps(java.util.List, + * java.lang.String, long, long, boolean, boolean, long) + */ + + + @GET + @Path("pcap/test") + @Produces("text/html") + public Response index() throws URISyntaxException { + return Response.ok("ALL GOOD").build(); + } + + + public PcapsResponse getPcaps(List keys, String lastRowKey, + long startTime, long endTime, boolean includeReverseTraffic, + boolean includeDuplicateLastRow, long maxResultSize) throws IOException { + Assert + .isTrue( + checkIfValidInput(keys, lastRowKey), + "No valid input. One of the value must be present from {keys, lastRowKey}"); + LOGGER.info(" keys=" + keys.toString() + "; lastRowKey=" + + lastRowKey); + + PcapsResponse pcapsResponse = new PcapsResponse(); + // 1. Process partial response key + if (StringUtils.isNotEmpty(lastRowKey)) { + pcapsResponse = processKey(pcapsResponse, lastRowKey, startTime, + endTime, true, includeDuplicateLastRow, maxResultSize); + // LOGGER.debug("after scanning lastRowKey=" + + // pcapsResponse.toString()+"*********************************************************************"); + if (pcapsResponse.getStatus() == PcapsResponse.Status.PARTIAL) { + return pcapsResponse; + } + } + // 2. 
Process input keys + List sortedKeys = sortKeysByAscOrder(keys, includeReverseTraffic); + List unprocessedKeys = new ArrayList(); + unprocessedKeys.addAll(sortedKeys); + if (StringUtils.isNotEmpty(lastRowKey)) { + unprocessedKeys.clear(); + unprocessedKeys = getUnprocessedSublistOfKeys(sortedKeys, + lastRowKey); + } + LOGGER.info("unprocessedKeys in getPcaps" + unprocessedKeys.toString()); + if (!CollectionUtils.isEmpty(unprocessedKeys)) { + for (int i = 0; i < unprocessedKeys.size(); i++) { + pcapsResponse = processKey(pcapsResponse, unprocessedKeys.get(i), + startTime, endTime, false, includeDuplicateLastRow, maxResultSize); + // LOGGER.debug("after scanning input unprocessedKeys.get(" + i + ") =" + // + + // pcapsResponse.toString()+"*********************************************************************"); + if (pcapsResponse.getStatus() == PcapsResponse.Status.PARTIAL) { + return pcapsResponse; + } + } + } + return pcapsResponse; + } + + /* + * (non-Javadoc) + * + * @see com.cisco.opensoc.hbase.client.IPcapGetter#getPcaps(java.lang.String, long, + * long, boolean) + */ + + public PcapsResponse getPcaps(String key, long startTime, long endTime, + boolean includeReverseTraffic) throws IOException { + Assert.hasText(key, "key must not be null or empty"); + return getPcaps(Arrays.asList(key), null, startTime, endTime, + includeReverseTraffic, false, ConfigurationUtil.getDefaultResultSize()); + } + + /* + * (non-Javadoc) + * + * @see com.cisco.opensoc.hbase.client.IPcapGetter#getPcaps(java.util.List) + */ + + public PcapsResponse getPcaps(List keys) throws IOException { + Assert.notEmpty(keys, "'keys' must not be null or empty"); + return getPcaps(keys, null, -1, -1, + ConfigurationUtil.isDefaultIncludeReverseTraffic(), false, + ConfigurationUtil.getDefaultResultSize()); + } + + /* + * (non-Javadoc) + * + * @see com.cisco.opensoc.hbase.client.IPcapGetter#getPcaps(java.lang.String) + */ + + public PcapsResponse getPcaps(String key) throws IOException { + 
Assert.hasText(key, "key must not be null or empty"); + return getPcaps(Arrays.asList(key), null, -1, -1, + ConfigurationUtil.isDefaultIncludeReverseTraffic(), false, + ConfigurationUtil.getDefaultResultSize()); + } + + /** + * Always returns the singleton instance. + * + * @return IPcapGetter singleton instance + * @throws IOException + * Signals that an I/O exception has occurred. + */ + public static IPcapGetter getInstance() throws IOException { + if (pcapGetterHBase == null) { + synchronized (PcapGetterHBaseImpl.class) { + if (pcapGetterHBase == null) { + pcapGetterHBase = new PcapGetterHBaseImpl(); + } + } + } + return pcapGetterHBase; + } + + /** + * Instantiates a new pcap getter h base impl. + */ + private PcapGetterHBaseImpl() { + } + + /** + * Adds reverse keys to the list if the flag 'includeReverseTraffic' is set to + * true; removes duplicates and sorts the list by ascending order;. + * + * @param keys + * input keys + * @param includeReverseTraffic + * flag whether or not to include reverse traffic + * @return List + */ + @VisibleForTesting + List sortKeysByAscOrder(List keys, + boolean includeReverseTraffic) { + Assert.notEmpty(keys, "'keys' must not be null"); + if (includeReverseTraffic) { + keys.addAll(PcapHelper.reverseKey(keys)); + } + List deDupKeys = removeDuplicateKeys(keys); + Collections.sort(deDupKeys); + return deDupKeys; + } + + /** + * Removes the duplicate keys. + * + * @param keys + * the keys + * @return the list + */ + @VisibleForTesting +public + List removeDuplicateKeys(List keys) { + Set set = new HashSet(keys); + return new ArrayList(set); + } + + /** + *

    + * Returns the sublist starting from the element after the lastRowKey + * to the last element in the list; if the 'lastRowKey' is not matched + * the complete list will be returned. + *

    + * + *
    +   * Eg :
    +   *  keys = [18800006-1800000b-06-0019-caac, 18800006-1800000b-06-0050-5af6, 18800006-1800000b-11-0035-3810]
    +   *  lastRowKey = "18800006-1800000b-06-0019-caac-65140-40815"
    +   *  and the response from this method [18800006-1800000b-06-0050-5af6, 18800006-1800000b-11-0035-3810]
    +   * 
    + * + * @param keys + * keys + * @param lastRowKey + * last row key of the previous partial response + * @return List + */ + @VisibleForTesting + List getUnprocessedSublistOfKeys(List keys, + String lastRowKey) { + Assert.notEmpty(keys, "'keys' must not be null"); + Assert.hasText(lastRowKey, "'lastRowKey' must not be null"); + String partialKey = getTokens(lastRowKey, 5); + int startIndex = 0; + for (int i = 0; i < keys.size(); i++) { + if (partialKey.equals(keys.get(i))) { + startIndex = i + 1; + break; + } + } + List unprocessedKeys = keys.subList(startIndex, keys.size()); + return unprocessedKeys; + } + + /** + * Returns the first 'noOfTokens' tokens from the given key; token delimiter + * "-";. + * + * @param key + * given key + * @param noOfTokens + * number of tokens to retrieve + * @return the tokens + */ + @VisibleForTesting + String getTokens(String key, int noOfTokens) { + String delimeter = HBaseConfigConstants.PCAP_KEY_DELIMETER; + String regex = "\\" + delimeter; + String[] keyTokens = key.split(regex); + Assert.isTrue(noOfTokens < keyTokens.length, + "Invalid value for 'noOfTokens'"); + StringBuffer sbf = new StringBuffer(); + for (int i = 0; i < noOfTokens; i++) { + sbf.append(keyTokens[i]); + if (i != (noOfTokens - 1)) { + sbf.append(HBaseConfigConstants.PCAP_KEY_DELIMETER); + } + + } + return sbf.toString(); + } + + /** + * Process key. + * + * @param pcapsResponse + * the pcaps response + * @param key + * the key + * @param startTime + * the start time + * @param endTime + * the end time + * @param isPartialResponse + * the is partial response + * @param includeDuplicateLastRow + * the include duplicate last row + * @param maxResultSize + * the max result size + * @return the pcaps response + * @throws IOException + * Signals that an I/O exception has occurred. 
+ */ + @VisibleForTesting + PcapsResponse processKey(PcapsResponse pcapsResponse, String key, + long startTime, long endTime, boolean isPartialResponse, + boolean includeDuplicateLastRow, long maxResultSize) throws IOException { + HTable table = null; + Scan scan = null; + List scannedCells = null; + try { + // 1. Create start and stop row for the key; + Map keysMap = createStartAndStopRowKeys(key, + isPartialResponse, includeDuplicateLastRow); + + // 2. if the input key contains all fragments (7) and it is not part + // of previous partial response (isPartialResponse), + // 'keysMap' will be null; do a Get; currently not doing any + // response size related checks for Get; + // by default all cells from a specific row are sorted by timestamp + if (keysMap == null) { + Get get = createGetRequest(key, startTime, endTime); + List cells = executeGetRequest(table, get); + for (Cell cell : cells) { + pcapsResponse.addPcaps(CellUtil.cloneValue(cell)); + } + return pcapsResponse; + } + // 3. Create and execute Scan request + scan = createScanRequest(pcapsResponse, keysMap, startTime, endTime, + maxResultSize); + scannedCells = executeScanRequest(table, scan); + LOGGER.info("scannedCells size :" + scannedCells.size()); + addToResponse(pcapsResponse, scannedCells, maxResultSize); + + } catch (IOException e) { + LOGGER.error("Exception occurred while fetching Pcaps for the keys :" + + key, e); + if (e instanceof ZooKeeperConnectionException + || e instanceof MasterNotRunningException + || e instanceof NoServerForRegionException) { + int maxRetryLimit = ConfigurationUtil.getConnectionRetryLimit(); + System.out.println("maxRetryLimit =" + maxRetryLimit); + for (int attempt = 1; attempt <= maxRetryLimit; attempt++) { + System.out.println("attempting =" + attempt); + try { + HBaseConfigurationUtil.closeConnection(); // closing the + // existing + // connection + // and retry, + // it will + // create a new + // HConnection + scannedCells = executeScanRequest(table, scan); + 
addToResponse(pcapsResponse, scannedCells, maxResultSize); + break; + } catch (IOException ie) { + if (attempt == maxRetryLimit) { + LOGGER.error("Throwing the exception after retrying " + + maxRetryLimit + " times."); + throw e; + } + } + } + } + + } finally { + if (table != null) { + table.close(); + } + } + return pcapsResponse; + } + + /** + * Adds the to response. + * + * @param pcapsResponse + * the pcaps response + * @param scannedCells + * the scanned cells + * @param maxResultSize + * the max result size + */ + private void addToResponse(PcapsResponse pcapsResponse, + List scannedCells, long maxResultSize) { + String lastKeyFromCurrentScan = null; + if (scannedCells != null && scannedCells.size() > 0) { + lastKeyFromCurrentScan = new String(CellUtil.cloneRow(scannedCells + .get(scannedCells.size() - 1))); + } + // 4. calculate the response size + Collections.sort(scannedCells, PcapHelper.getCellTimestampComparator()); + for (Cell sortedCell : scannedCells) { + pcapsResponse.addPcaps(CellUtil.cloneValue(sortedCell)); + } + if (!pcapsResponse.isResonseSizeWithinLimit(maxResultSize)) { + pcapsResponse.setStatus(PcapsResponse.Status.PARTIAL); // response size + // reached + pcapsResponse.setLastRowKey(new String(lastKeyFromCurrentScan)); + } + } + + /** + * Builds start and stop row keys according to the following logic : 1. + * Creates tokens out of 'key' using pcap_id delimiter ('-') 2. if the input + * 'key' contains (assume : configuredTokensInRowKey=7 and + * minimumTokensIninputKey=5): a). 5 tokens + * ("srcIp-dstIp-protocol-srcPort-dstPort") startKey = + * "srcIp-dstIp-protocol-srcPort-dstPort-00000-00000" stopKey = + * "srcIp-dstIp-protocol-srcPort-dstPort-99999-99999" b). 6 tokens + * ("srcIp-dstIp-protocol-srcPort-dstPort-id1") startKey = + * "srcIp-dstIp-protocol-srcPort-dstPort-id1-00000" stopKey = + * "srcIp-dstIp-protocol-srcPort-dstPort-id1-99999" + * + * c). 7 tokens ("srcIp-dstIp-protocol-srcPort-dstPort-id1-id2") 1>. 
if the + * key is NOT part of the partial response from previous request, return + * 'null' 2>. if the key is part of partial response from previous request + * startKey = "srcIp-dstIp-protocol-srcPort-dstPort-id1-(id2+1)"; 1 is added + * to exclude this key as it was included in the previous request stopKey = + * "srcIp-dstIp-protocol-srcPort-dstPort-99999-99999" + * + * @param key + * the key + * @param isLastRowKey + * if the key is part of partial response + * @param includeDuplicateLastRow + * the include duplicate last row + * @return Map + */ + @VisibleForTesting + Map createStartAndStopRowKeys(String key, + boolean isLastRowKey, boolean includeDuplicateLastRow) { + String delimeter = HBaseConfigConstants.PCAP_KEY_DELIMETER; + String regex = "\\" + delimeter; + String[] keyTokens = key.split(regex); + + String startKey = null; + String endKey = null; + Map map = new HashMap(); + + int configuredTokensInRowKey = ConfigurationUtil + .getConfiguredTokensInRowkey(); + int minimumTokensIninputKey = ConfigurationUtil + .getMinimumTokensInInputkey(); + Assert + .isTrue( + minimumTokensIninputKey <= configuredTokensInRowKey, + "tokens in the input key (separated by '-'), must be less than or equal to the tokens used in hbase table row key "); + // in case if the input key contains 'configuredTokensInRowKey' tokens and + // it is NOT a + // partial response key, do a Get instead of Scan + if (keyTokens.length == configuredTokensInRowKey) { + if (!isLastRowKey) { + return null; + } + // it is a partial response key; 'startKey' is same as input partial + // response key; 'endKey' can be built by replacing + // (configuredTokensInRowKey - minimumTokensIninputKey) tokens + // of input partial response key with '99999' + if (keyTokens.length == minimumTokensIninputKey) { + return null; + } + int appendingTokenSlots = configuredTokensInRowKey + - minimumTokensIninputKey; + if (appendingTokenSlots > 0) { + String partialKey = getTokens(key, minimumTokensIninputKey); + 
StringBuffer sbfStartNew = new StringBuffer(partialKey); + StringBuffer sbfEndNew = new StringBuffer(partialKey); + for (int i = 0; i < appendingTokenSlots; i++) { + if (i == (appendingTokenSlots - 1)) { + if (!includeDuplicateLastRow) { + sbfStartNew + .append(HBaseConfigConstants.PCAP_KEY_DELIMETER) + .append( + Integer.valueOf(keyTokens[minimumTokensIninputKey + i]) + 1); + } else { + sbfStartNew.append(HBaseConfigConstants.PCAP_KEY_DELIMETER) + .append(keyTokens[minimumTokensIninputKey + i]); + } + } else { + sbfStartNew.append(HBaseConfigConstants.PCAP_KEY_DELIMETER).append( + keyTokens[minimumTokensIninputKey + i]); + } + sbfEndNew.append(HBaseConfigConstants.PCAP_KEY_DELIMETER).append( + getMaxLimitForAppendingTokens()); + } + startKey = sbfStartNew.toString(); + endKey = sbfEndNew.toString(); + } + } else { + StringBuffer sbfStart = new StringBuffer(key); + StringBuffer sbfEnd = new StringBuffer(key); + for (int i = keyTokens.length; i < configuredTokensInRowKey; i++) { + sbfStart.append(HBaseConfigConstants.PCAP_KEY_DELIMETER).append( + getMinLimitForAppendingTokens()); + sbfEnd.append(HBaseConfigConstants.PCAP_KEY_DELIMETER).append( + getMaxLimitForAppendingTokens()); + } + startKey = sbfStart.toString(); + endKey = sbfEnd.toString(); + } + map.put(HBaseConfigConstants.START_KEY, startKey); + map.put(HBaseConfigConstants.END_KEY, endKey); + + return map; + } + + /** + * Returns false if keys is empty or null AND lastRowKey is null or + * empty; otherwise returns true;. + * + * @param keys + * input row keys + * @param lastRowKey + * partial response key + * @return boolean + */ + @VisibleForTesting + boolean checkIfValidInput(List keys, String lastRowKey) { + if (CollectionUtils.isEmpty(keys) + && StringUtils.isEmpty(lastRowKey)) { + return false; + } + return true; + } + + /** + * Executes the given Get request. 
+ * + * @param table + * hbase table + * @param get + * Get + * @return List + * @throws IOException + * Signals that an I/O exception has occurred. + */ + private List executeGetRequest(HTable table, Get get) + throws IOException { + LOGGER.info("Get :" + get.toString()); + table = (HTable) HBaseConfigurationUtil.getConnection().getTable( + ConfigurationUtil.getTableName()); + Result result = table.get(get); + List cells = result.getColumnCells( + ConfigurationUtil.getColumnFamily(), + ConfigurationUtil.getColumnQualifier()); + return cells; + } + + /** + * Execute scan request. + * + * @param table + * hbase table + * @param scan + * the scan + * @return the list + * @throws IOException + * Signals that an I/O exception has occurred. + */ + private List executeScanRequest(HTable table, Scan scan) + throws IOException { + LOGGER.info("Scan :" + scan.toString()); + table = (HTable) HBaseConfigurationUtil.getConnection().getTable( + ConfigurationUtil.getConfiguration().getString("hbase.table.name")); + ResultScanner resultScanner = table.getScanner(scan); + List scannedCells = new ArrayList(); + for (Result result = resultScanner.next(); result != null; result = resultScanner + .next()) { + List cells = result.getColumnCells( + ConfigurationUtil.getColumnFamily(), + ConfigurationUtil.getColumnQualifier()); + if (cells != null) { + for (Cell cell : cells) { + scannedCells.add(cell); + } + } + } + return scannedCells; + } + + /** + * Creates the get request. + * + * @param key + * the key + * @param startTime + * the start time + * @param endTime + * the end time + * @return the gets the + * @throws IOException + * Signals that an I/O exception has occurred. 
+ */ + @VisibleForTesting + Get createGetRequest(String key, long startTime, long endTime) + throws IOException { + Get get = new Get(Bytes.toBytes(key)); + // set family name + get.addFamily(ConfigurationUtil.getColumnFamily()); + + // set column family, qualifier + get.addColumn(ConfigurationUtil.getColumnFamily(), + ConfigurationUtil.getColumnQualifier()); + + // set max versions + get.setMaxVersions(ConfigurationUtil.getMaxVersions()); + + // set time range + setTimeRangeOnGet(get, startTime, endTime); + return get; + } + + /** + * Creates the scan request. + * + * @param pcapsResponse + * the pcaps response + * @param keysMap + * the keys map + * @param startTime + * the start time + * @param endTime + * the end time + * @param maxResultSize + * the max result size + * @return the scan + * @throws IOException + * Signals that an I/O exception has occurred. + */ + @VisibleForTesting + Scan createScanRequest(PcapsResponse pcapsResponse, + Map keysMap, long startTime, long endTime, + long maxResultSize) throws IOException { + Scan scan = new Scan(); + // set column family, qualifier + scan.addColumn(ConfigurationUtil.getColumnFamily(), + ConfigurationUtil.getColumnQualifier()); + + // set start and stop keys + scan.setStartRow(keysMap.get(HBaseConfigConstants.START_KEY).getBytes()); + scan.setStopRow(keysMap.get(HBaseConfigConstants.END_KEY).getBytes()); + + // set max results size : remaining size = max results size - ( current + // pcaps response size + possible maximum row size) + long remainingSize = maxResultSize + - (pcapsResponse.getResponseSize() + ConfigurationUtil.getMaxRowSize()); + + if (remainingSize > 0) { + scan.setMaxResultSize(remainingSize); + } + // set max versions + scan.setMaxVersions(ConfigurationUtil.getConfiguration().getInt( + "hbase.table.column.maxVersions")); + + // set time range + setTimeRangeOnScan(scan, startTime, endTime); + return scan; + } + + /** + * Sets the time range on scan. 
+ * + * @param scan + * the scan + * @param startTime + * the start time + * @param endTime + * the end time + * @throws IOException + * Signals that an I/O exception has occurred. + */ + private void setTimeRangeOnScan(Scan scan, long startTime, long endTime) + throws IOException { + boolean setTimeRange = true; + if (startTime < 0 && endTime < 0) { + setTimeRange = false; + } + if (setTimeRange) { + if (startTime < 0) { + startTime = 0; + } else { + startTime = PcapHelper.convertToDataCreationTimeUnit(startTime); + } + if (endTime < 0) { + endTime = Long.MAX_VALUE; + } else { + endTime = PcapHelper.convertToDataCreationTimeUnit(endTime); + } + Assert.isTrue(startTime < endTime, + "startTime value must be less than endTime value"); + scan.setTimeRange(startTime, endTime); + } + } + + /** + * Sets the time range on get. + * + * @param get + * the get + * @param startTime + * the start time + * @param endTime + * the end time + * @throws IOException + * Signals that an I/O exception has occurred. + */ + private void setTimeRangeOnGet(Get get, long startTime, long endTime) + throws IOException { + boolean setTimeRange = true; + if (startTime < 0 && endTime < 0) { + setTimeRange = false; + } + if (setTimeRange) { + if (startTime < 0) { + startTime = 0; + } else { + startTime = PcapHelper.convertToDataCreationTimeUnit(startTime); + } + if (endTime < 0) { + endTime = Long.MAX_VALUE; + } else { + endTime = PcapHelper.convertToDataCreationTimeUnit(endTime); + } + Assert.isTrue(startTime < endTime, + "startTime value must be less than endTime value"); + get.setTimeRange(startTime, endTime); + } + } + + /** + * Gets the min limit for appending tokens. 
+ * + * @return the min limit for appending tokens + */ + private String getMinLimitForAppendingTokens() { + int digits = ConfigurationUtil.getAppendingTokenDigits(); + StringBuffer sbf = new StringBuffer(); + for (int i = 0; i < digits; i++) { + sbf.append("0"); + } + return sbf.toString(); + } + + /** + * Gets the max limit for appending tokens. + * + * @return the max limit for appending tokens + */ + private String getMaxLimitForAppendingTokens() { + int digits = ConfigurationUtil.getAppendingTokenDigits(); + StringBuffer sbf = new StringBuffer(); + for (int i = 0; i < digits; i++) { + sbf.append("9"); + } + return sbf.toString(); + } + + /** + * The main method. + * + * @param args + * the arguments + * + * @throws IOException + * Signals that an I/O exception has occurred. + */ + public static void main(String[] args) throws IOException { + if (args == null || args.length < 2) { + usage(); + return; + } + String outputFileName = null; + outputFileName = args[1]; + List keys = Arrays.asList(StringUtils.split(args[2], ",")); + System.out.println("Geting keys " + keys); + long startTime = 0; + long endTime = Long.MAX_VALUE; + if (args.length > 3) { + startTime = Long.valueOf(args[3]); + } + if (args.length > 4) { + endTime = Long.valueOf(args[4]); + } + System.out.println("With start time " + startTime + " and end time " + + endTime); + PcapGetterHBaseImpl downloader = new PcapGetterHBaseImpl(); + PcapsResponse pcaps = downloader.getPcaps(keys, null, startTime, endTime, + false, false, 6); + File file = new File(outputFileName); + FileUtils.write(file, "", false); + FileUtils.writeByteArrayToFile(file, pcaps.getPcaps(), true); + } + + /** + * Usage. + */ + private static void usage() { + System.out.println("java " + PcapGetterHBaseImpl.class.getName() // $codepro.audit.disable + // debuggingCode + + " [stop key]"); + } + +} 
diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapHelper.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapHelper.java
new file mode 100644
index 0000000000..522494517f
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapHelper.java
@@ -0,0 +1,205 @@ +package com.opensoc.pcapservice; + +import java.util.ArrayList; +import java.util.List; + +import org.apache.commons.lang.StringUtils; +import org.apache.log4j.Logger; +import org.mortbay.log.Log; +import org.springframework.util.Assert; + +import com.google.common.annotations.VisibleForTesting; + +/** + * utility class which holds methods related to time conversions, building + * reverse keys. + */ +public class PcapHelper { + + /** The Constant LOGGER. */ + private static final Logger LOGGER = Logger.getLogger(PcapHelper.class); + + /** The cell timestamp comparator. */ + private static CellTimestampComparator CELL_TIMESTAMP_COMPARATOR = new CellTimestampComparator(); + + /** + * The Enum TimeUnit. + */ + public enum TimeUnit { + + /** The seconds. */ + SECONDS, + /** The millis. */ + MILLIS, + /** The micros. */ + MICROS, + /** The unknown. */ + UNKNOWN + }; + + /** + * Converts the given time to the 'hbase' data creation time unit. + * + * @param inputTime + * the input time + * @return the long + */ + public static long convertToDataCreationTimeUnit(long inputTime) { + if (inputTime <= 9999999999L) { + return convertSecondsToDataCreationTimeUnit(inputTime); // input time unit + // is in seconds + } else if (inputTime <= 9999999999999L) { + return convertMillisToDataCreationTimeUnit(inputTime); // input time unit + // is in millis + } else if (inputTime <= 9999999999999999L) { + return convertMicrosToDataCreationTimeUnit(inputTime); // input time unit + // it in micros + } + return inputTime; // input time unit is unknown + } + + /** + * Returns the 'hbase' data creation time unit by reading + * 'hbase.table.data.time.unit' property in 'hbase-config' properties file; If + * none is mentioned in properties file, returns TimeUnit.UNKNOWN + * + * @return TimeUnit + */ + @VisibleForTesting + public static TimeUnit getDataCreationTimeUnit() { + String timeUnit = ConfigurationUtil.getConfiguration().getString( + "hbase.table.data.time.unit"); + 
LOGGER.debug("hbase.table.data.time.unit=" + timeUnit.toString()); + if (StringUtils.isNotEmpty(timeUnit)) { + return TimeUnit.valueOf(timeUnit); + } + return TimeUnit.UNKNOWN; + } + + /** + * Convert seconds to data creation time unit. + * + * @param inputTime + * the input time + * @return the long + */ + @VisibleForTesting + public static long convertSecondsToDataCreationTimeUnit(long inputTime) { + System.out.println("convert Seconds To DataCreation TimeUnit"); + TimeUnit dataCreationTimeUnit = getDataCreationTimeUnit(); + if (TimeUnit.SECONDS == dataCreationTimeUnit) { + return inputTime; + } else if (TimeUnit.MILLIS == dataCreationTimeUnit) { + return inputTime * 1000; + } else if (TimeUnit.MICROS == dataCreationTimeUnit) { + return inputTime * 1000 * 1000; + } + return inputTime; + } + + /** + * Builds the reverseKey to fetch the pcaps in the reverse traffic + * (destination to source). + * + * @param key + * indicates hbase rowKey (partial or full) in the format + * "srcAddr-dstAddr-protocol-srcPort-dstPort-fragment" + * @return String indicates the key in the format + * "dstAddr-srcAddr-protocol-dstPort-srcPort" + */ + public static String reverseKey(String key) { + Assert.hasText(key, "key must not be null or empty"); + String delimeter = HBaseConfigConstants.PCAP_KEY_DELIMETER; + String regex = "\\" + delimeter; + StringBuffer sb = new StringBuffer(); + try { + String[] tokens = key.split(regex); + Assert + .isTrue( + (tokens.length == 5 || tokens.length == 6 || tokens.length == 7), + "key is not in the format : 'srcAddr-dstAddr-protocol-srcPort-dstPort-{ipId-fragment identifier}'"); + sb.append(tokens[1]).append(delimeter).append(tokens[0]) + .append(delimeter).append(tokens[2]).append(delimeter) + .append(tokens[4]).append(delimeter).append(tokens[3]); + } catch (Exception e) { + Log.warn("Failed to reverse the key. 
Reverse scan won't be performed.", e); + } + return sb.toString(); + } + + /** + * Builds the reverseKeys to fetch the pcaps in the reverse traffic + * (destination to source). If all keys in the input are not in the expected + * format, it returns an empty list; + * + * @param keys + * indicates list of hbase rowKeys (partial or full) in the format + * "srcAddr-dstAddr-protocol-srcPort-dstPort-fragment" + * @return List indicates the list of keys in the format + * "dstAddr-srcAddr-protocol-dstPort-srcPort" + */ + public static List reverseKey(List keys) { + Assert.notEmpty(keys, "'keys' must not be null or empty"); + List reverseKeys = new ArrayList(); + for (String key : keys) { + if (key != null) { + String reverseKey = reverseKey(key); + if (StringUtils.isNotEmpty(reverseKey)) { + reverseKeys.add(reverseKey); + } + } + } + return reverseKeys; + } + + /** + * Returns Comparator for sorting pcaps cells based on the timestamp (dsc). + * + * @return CellTimestampComparator + */ + public static CellTimestampComparator getCellTimestampComparator() { + return CELL_TIMESTAMP_COMPARATOR; + } + + /** + * Convert millis to data creation time unit. + * + * @param inputTime + * the input time + * @return the long + */ + @VisibleForTesting + private static long convertMillisToDataCreationTimeUnit(long inputTime) { + System.out.println("convert Millis To DataCreation TimeUnit"); + TimeUnit dataCreationTimeUnit = getDataCreationTimeUnit(); + if (TimeUnit.SECONDS == dataCreationTimeUnit) { + return (inputTime / 1000); + } else if (TimeUnit.MILLIS == dataCreationTimeUnit) { + return inputTime; + } else if (TimeUnit.MICROS == dataCreationTimeUnit) { + return inputTime * 1000; + } + return inputTime; + } + + /** + * Convert micros to data creation time unit. 
+ * + * @param inputTime + * the input time + * @return the long + */ + @VisibleForTesting + private static long convertMicrosToDataCreationTimeUnit(long inputTime) { + System.out.println("convert Micros To DataCreation TimeUnit"); + TimeUnit dataCreationTimeUnit = getDataCreationTimeUnit(); + if (TimeUnit.SECONDS == dataCreationTimeUnit) { + return inputTime / (1000 * 1000); + } else if (TimeUnit.MILLIS == dataCreationTimeUnit) { + return inputTime / 1000; + } else if (TimeUnit.MICROS == dataCreationTimeUnit) { + return inputTime; + } + return inputTime; + } +} diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapReceiverImplRestEasy.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapReceiverImplRestEasy.java new file mode 100644 index 0000000000..98e855e6f8 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapReceiverImplRestEasy.java 
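Review bot: In `getDataCreationTimeUnit()` the debug line calls `timeUnit.toString()` before the `StringUtils.isNotEmpty(timeUnit)` check, so a missing `hbase.table.data.time.unit` property throws a NullPointerException instead of returning `TimeUnit.UNKNOWN` as the Javadoc promises. Requests that pass a non-negative `startTime` or `endTime` reach this method through `convertToDataCreationTimeUnit`, so one absent property fails all of them. Log the value without dereferencing it, `LOGGER.debug("hbase.table.data.time.unit=" + timeUnit);`. `TimeUnit.valueOf(timeUnit)` also throws IllegalArgumentException for an unrecognised value; catching that and returning `TimeUnit.UNKNOWN` would match the documented contract.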
@@ -0,0 +1,250 @@ +package com.opensoc.pcapservice; + +import java.io.IOException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.DefaultValue; +import javax.ws.rs.GET; +import javax.ws.rs.Path; +import javax.ws.rs.QueryParam; +import javax.ws.rs.core.Context; +import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.Response; + +import org.apache.commons.lang.StringUtils; +import org.apache.log4j.Logger; + +import com.google.common.annotations.VisibleForTesting; +import com.opensoc.pcap.PcapUtils; + +@Path("/") +public class PcapReceiverImplRestEasy { + + /** The Constant LOGGER. */ + private static final Logger LOGGER = Logger + .getLogger(PcapReceiverImplRestEasy.class); + + /** The Constant HEADER_CONTENT_DISPOSITION_NAME. */ + private static final String HEADER_CONTENT_DISPOSITION_NAME = "Content-Disposition"; + + /** The Constant HEADER_CONTENT_DISPOSITION_VALUE. */ + private static final String HEADER_CONTENT_DISPOSITION_VALUE = "attachment; filename=\"managed-threat.pcap\""; + + /** partial response key header name. 
*/ + private static final String HEADER_PARTIAL_RESPONE_KEY = "lastRowKey"; + + @GET + @Path("pcapGetter/getPcapsByKeys") + public Response getPcapsByKeys( + @QueryParam("keys") List keys, + @QueryParam("lastRowKey") String lastRowKey, + @DefaultValue("-1") @QueryParam("startTime") long startTime, + @DefaultValue("-1") @QueryParam("endTime") long endTime, + @QueryParam("includeDuplicateLastRow") boolean includeDuplicateLastRow, + @QueryParam("includeReverseTraffic") boolean includeReverseTraffic, + @QueryParam("maxResponseSize") String maxResponseSize, + @Context HttpServletResponse response) throws IOException { + PcapsResponse pcapResponse = null; + + if (keys == null || keys.size() == 0) + return Response.serverError().status(Response.Status.NO_CONTENT) + .entity("'keys' must not be null or empty").build(); + + try { + IPcapGetter pcapGetter = PcapGetterHBaseImpl.getInstance(); + pcapResponse = pcapGetter.getPcaps(parseKeys(keys), lastRowKey, + startTime, endTime, includeReverseTraffic, + includeDuplicateLastRow, + ConfigurationUtil.validateMaxResultSize(maxResponseSize)); + LOGGER.info("pcaps response in REST layer =" + + pcapResponse.toString()); + + // return http status '204 No Content' if the pcaps response size is + // 0 + if (pcapResponse == null || pcapResponse.getResponseSize() == 0) { + + return Response.status(Response.Status.NO_CONTENT).build(); + } + + // return http status '206 Partial Content', the partial response + // file and + // 'lastRowKey' header , if the pcaps response status is 'PARTIAL' + + response.setHeader(HEADER_CONTENT_DISPOSITION_NAME, + HEADER_CONTENT_DISPOSITION_VALUE); + + if (pcapResponse.getStatus() == PcapsResponse.Status.PARTIAL) { + + response.setHeader(HEADER_PARTIAL_RESPONE_KEY, + pcapResponse.getLastRowKey()); + + return Response + .ok(pcapResponse.getPcaps(), + MediaType.APPLICATION_OCTET_STREAM).status(206) + .build(); + + } + + } catch (IOException e) { + LOGGER.error( + "Exception occurred while fetching Pcaps for 
the keys :" + + keys.toString(), e); + throw e; + } + + // return http status '200 OK' along with the complete pcaps response + // file, + // and headers + // return new ResponseEntity(pcapResponse.getPcaps(), headers, + // HttpStatus.OK); + + return Response + .ok(pcapResponse.getPcaps(), MediaType.APPLICATION_OCTET_STREAM) + .status(200).build(); + + } + + + @GET + @Path("/pcapGetter/getPcapsByKeyRange") + + public Response getPcapsByKeyRange( + @QueryParam("startKey") String startKey, + @QueryParam("endKey")String endKey, + @QueryParam("maxResponseSize") String maxResponseSize, + @DefaultValue("-1") @QueryParam("startTime")long startTime, + @DefaultValue("-1") @QueryParam("endTime") long endTime, + @Context HttpServletResponse servlet_response) throws IOException { + + if (startKey == null || startKey.equals("")) + return Response.serverError().status(Response.Status.NO_CONTENT) + .entity("'start key' must not be null or empty").build(); + + if (startKey == null || startKey.equals("")) + return Response.serverError().status(Response.Status.NO_CONTENT) + .entity("'end key' must not be null or empty").build(); + + + byte[] response = null; + try { + IPcapScanner pcapScanner = PcapScannerHBaseImpl.getInstance(); + response = pcapScanner.getPcaps(startKey, endKey, + ConfigurationUtil.validateMaxResultSize(maxResponseSize), startTime, + endTime); + if (response == null || response.length == 0) { + + return Response.status(Response.Status.NO_CONTENT).build(); + + } + servlet_response.setHeader(HEADER_CONTENT_DISPOSITION_NAME, + HEADER_CONTENT_DISPOSITION_VALUE); + + } catch (IOException e) { + LOGGER.error( + "Exception occurred while fetching Pcaps for the key range : startKey=" + + startKey + ", endKey=" + endKey, e); + throw e; + } + // return http status '200 OK' along with the complete pcaps response file, + // and headers + + return Response + .ok(response, MediaType.APPLICATION_OCTET_STREAM) + .status(200).build(); + } + + /* + * (non-Javadoc) + * + * @see + * 
com.cisco.opensoc.hbase.client.IPcapReceiver#getPcapsByIdentifiers(java.lang + * .String, java.lang.String, java.lang.String, java.lang.String, + * java.lang.String, long, long, boolean, + * javax.servlet.http.HttpServletResponse) + */ + + @GET + @Path("/pcapGetter/getPcapsByIdentifiers") + + public Response getPcapsByIdentifiers( + @QueryParam ("srcIp") String srcIp, + @QueryParam ("dstIp") String dstIp, + @QueryParam ("protocol") String protocol, + @QueryParam ("srcPort") String srcPort, + @QueryParam ("dstPort") String dstPort, + @DefaultValue("-1") @QueryParam ("startTime")long startTime, + @DefaultValue("-1") @QueryParam ("endTime")long endTime, + @DefaultValue("false") @QueryParam ("includeReverseTraffic") boolean includeReverseTraffic, + @Context HttpServletResponse servlet_response) + + throws IOException { + + if (srcIp == null || srcIp.equals("")) + return Response.serverError().status(Response.Status.NO_CONTENT) + .entity("'srcIp' must not be null or empty").build(); + + if (dstIp == null || dstIp.equals("")) + return Response.serverError().status(Response.Status.NO_CONTENT) + .entity("'dstIp' must not be null or empty").build(); + + if (protocol == null || protocol.equals("")) + return Response.serverError().status(Response.Status.NO_CONTENT) + .entity("'protocol' must not be null or empty").build(); + + if (srcPort == null || srcPort.equals("")) + return Response.serverError().status(Response.Status.NO_CONTENT) + .entity("'srcPort' must not be null or empty").build(); + + if (dstPort == null || dstPort.equals("")) + return Response.serverError().status(Response.Status.NO_CONTENT) + .entity("'dstPort' must not be null or empty").build(); + + + PcapsResponse response = null; + try { + String sessionKey = PcapUtils.getSessionKey(srcIp, dstIp, protocol, + srcPort, dstPort); + LOGGER.info("sessionKey =" + sessionKey); + IPcapGetter pcapGetter = PcapGetterHBaseImpl.getInstance(); + response = pcapGetter.getPcaps(Arrays.asList(sessionKey), null, + startTime, 
endTime, includeReverseTraffic, false, + ConfigurationUtil.getDefaultResultSize()); + if (response == null || response.getResponseSize() == 0) { + return Response.status(Response.Status.NO_CONTENT).build(); + } + servlet_response.setHeader(HEADER_CONTENT_DISPOSITION_NAME, + HEADER_CONTENT_DISPOSITION_VALUE); + + } catch (IOException e) { + LOGGER.error("Exception occurred while fetching Pcaps by identifiers :", + e); + throw e; + } + // return http status '200 OK' along with the complete pcaps response file, + // and headers + return Response + .ok(response.getPcaps(), MediaType.APPLICATION_OCTET_STREAM) + .status(200).build(); + } + /** + * This method parses the each value in the List using delimiter ',' and + * builds a new List;. + * + * @param keys + * list of keys to be parsed + * @return list of keys + */ + @VisibleForTesting + List parseKeys(List keys) { + // Assert.notEmpty(keys); + List parsedKeys = new ArrayList(); + for (String key : keys) { + parsedKeys.addAll(Arrays.asList(StringUtils.split( + StringUtils.trim(key), ","))); + } + return parsedKeys; + } +} diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapScannerHBaseImpl.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapScannerHBaseImpl.java new file mode 100644 index 0000000000..b1f017981e --- /dev/null +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapScannerHBaseImpl.java 
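Review bot: `getPcapsByKeyRange` tests `startKey` twice, so the branch that reports "'end key' must not be null or empty" never looks at `endKey`. A request without `endKey` passes validation and reaches `PcapScannerHBaseImpl.createScanRequest`, which skips `setStopRow` for a null key, so the scan runs from `startKey` with no stop row and is limited only by the result-size setting. The second check should read `if (endKey == null || endKey.equals(""))`. The validation failures in all three endpoints also answer with `Response.Status.NO_CONTENT` plus an entity; a 204 response carries no body, so `Response.Status.BAD_REQUEST` would let callers see the message.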
@@ -0,0 +1,302 @@ +package com.opensoc.pcapservice; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import org.apache.hadoop.hbase.Cell; +import org.apache.hadoop.hbase.CellUtil; +import org.apache.hadoop.hbase.MasterNotRunningException; +import org.apache.hadoop.hbase.ZooKeeperConnectionException; +import org.apache.hadoop.hbase.client.HTable; +import org.apache.hadoop.hbase.client.NoServerForRegionException; +import org.apache.hadoop.hbase.client.Result; +import org.apache.hadoop.hbase.client.ResultScanner; +import org.apache.hadoop.hbase.client.Scan; +import org.apache.hadoop.hbase.util.Bytes; +import org.apache.log4j.Logger; +import org.springframework.util.Assert; + +import com.google.common.annotations.VisibleForTesting; +import com.opensoc.pcap.PcapMerger; + +/** + * Singleton class which integrates with HBase table and returns sorted pcaps + * based on the timestamp for the given range of keys. Creates HConnection if it + * is not already created and the same connection instance is being used for all + * requests + * + * @author sheetal + * @version $Revision: 1.0 $ + */ +public class PcapScannerHBaseImpl implements IPcapScanner { + + /** The Constant LOGGER. */ + private static final Logger LOGGER = Logger + .getLogger(PcapScannerHBaseImpl.class); + + /** The Constant DEFAULT_HCONNECTION_RETRY_LIMIT. */ + private static final int DEFAULT_HCONNECTION_RETRY_LIMIT = 0; + + /** The pcap scanner h base. 
*/ + private static IPcapScanner pcapScannerHBase = null; + + /* + * (non-Javadoc) + * + * @see com.cisco.opensoc.hbase.client.IPcapScanner#getPcaps(java.lang.String, + * java.lang.String, long, long, long) + */ + + public byte[] getPcaps(String startKey, String endKey, long maxResultSize, + long startTime, long endTime) throws IOException { + Assert.hasText(startKey, "startKey must no be null or empty"); + byte[] cf = Bytes.toBytes(ConfigurationUtil.getConfiguration() + .getString("hbase.table.column.family")); + byte[] cq = Bytes.toBytes(ConfigurationUtil.getConfiguration() + .getString("hbase.table.column.qualifier")); + // create scan request + Scan scan = createScanRequest(cf, cq, startKey, endKey, maxResultSize, + startTime, endTime); + List pcaps = new ArrayList(); + HTable table = null; + try { + pcaps = scanPcaps(pcaps, table, scan, cf, cq); + } catch (IOException e) { + LOGGER.error( + "Exception occurred while fetching Pcaps for the key range : startKey=" + + startKey + ", endKey=" + endKey, e); + if (e instanceof ZooKeeperConnectionException + || e instanceof MasterNotRunningException + || e instanceof NoServerForRegionException) { + int maxRetryLimit = getConnectionRetryLimit(); + for (int attempt = 1; attempt <= maxRetryLimit; attempt++) { + try { + HBaseConfigurationUtil.closeConnection(); // closing the existing + // connection and retry, + // it will create a new + // HConnection + pcaps = scanPcaps(pcaps, table, scan, cf, cq); + break; + } catch (IOException ie) { + if (attempt == maxRetryLimit) { + System.out.println("Throwing the exception after retrying " + + maxRetryLimit + " times."); + throw e; + } + } + } + } else { + throw e; + } + } finally { + if (table != null) { + table.close(); + } + } + if (pcaps.size() == 1) { + return pcaps.get(0); + } + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + PcapMerger.merge(baos, pcaps); + byte[] response = baos.toByteArray(); + return response; + } + + /** + * Creates the scan request. 
+ * + * @param cf + * the cf + * @param cq + * the cq + * @param startKey + * the start key + * @param endKey + * the end key + * @param maxResultSize + * the max result size + * @param startTime + * the start time + * @param endTime + * the end time + * @return the scan + * @throws IOException + * Signals that an I/O exception has occurred. + */ + @VisibleForTesting + Scan createScanRequest(byte[] cf, byte[] cq, String startKey, String endKey, + long maxResultSize, long startTime, long endTime) throws IOException { + Scan scan = new Scan(); + scan.addColumn(cf, cq); + scan.setMaxVersions(ConfigurationUtil.getConfiguration().getInt( + "hbase.table.column.maxVersions")); + scan.setStartRow(startKey.getBytes()); + if (endKey != null) { + scan.setStopRow(endKey.getBytes()); + } + scan.setMaxResultSize(maxResultSize); + boolean setTimeRange = true; + if (startTime < 0 && endTime < 0) { + setTimeRange = false; + } + if (setTimeRange) { + if (startTime < 0) { + startTime = 0; + } else { + startTime = PcapHelper.convertToDataCreationTimeUnit(startTime); + } + if (endTime < 0) { + endTime = Long.MAX_VALUE; + } else { + endTime = PcapHelper.convertToDataCreationTimeUnit(endTime); + } + Assert.isTrue(startTime < endTime, + "startTime value must be less than endTime value"); + } + // create Scan request; + if (setTimeRange) { + scan.setTimeRange(startTime, endTime); + } + return scan; + } + + /** + * Scan pcaps. + * + * @param pcaps + * the pcaps + * @param table + * the table + * @param scan + * the scan + * @param cf + * the cf + * @param cq + * the cq + * @return the list + * @throws IOException + * Signals that an I/O exception has occurred. 
+ */ + @VisibleForTesting + List scanPcaps(List pcaps, HTable table, Scan scan, + byte[] cf, byte[] cq) throws IOException { + LOGGER.info("Scan =" + scan.toString()); + table = (HTable) HBaseConfigurationUtil.getConnection().getTable( + ConfigurationUtil.getConfiguration().getString("hbase.table.name")); + ResultScanner resultScanner = table.getScanner(scan); + List scannedCells = new ArrayList(); + for (Result result = resultScanner.next(); result != null; result = resultScanner + .next()) { + List cells = result.getColumnCells(cf, cq); + if (cells != null) { + for (Cell cell : cells) { + scannedCells.add(cell); + } + } + } + Collections.sort(scannedCells, PcapHelper.getCellTimestampComparator()); + LOGGER.info("sorted cells :" + scannedCells.toString()); + for (Cell sortedCell : scannedCells) { + pcaps.add(CellUtil.cloneValue(sortedCell)); + } + return pcaps; + } + + /** + * Gets the connection retry limit. + * + * @return the connection retry limit + */ + private int getConnectionRetryLimit() { + return ConfigurationUtil.getConfiguration().getInt( + "hbase.hconnection.retries.number", DEFAULT_HCONNECTION_RETRY_LIMIT); + } + + /* + * (non-Javadoc) + * + * @see com.cisco.opensoc.hbase.client.IPcapScanner#getPcaps(java.lang.String, + * java.lang.String) + */ + + public byte[] getPcaps(String startKey, String endKey) throws IOException { + Assert.hasText(startKey, "startKey must no be null or empty"); + Assert.hasText(endKey, "endKey must no be null or empty"); + return getPcaps(startKey, endKey, ConfigurationUtil.getDefaultResultSize(), + -1, -1); + } + + /** + * Always returns the singleton instance. + * + * @return IPcapScanner singleton instance + * @throws IOException + * Signals that an I/O exception has occurred. 
+ */ + public static IPcapScanner getInstance() throws IOException { + if (pcapScannerHBase == null) { + synchronized (PcapScannerHBaseImpl.class) { + if (pcapScannerHBase == null) { + pcapScannerHBase = new PcapScannerHBaseImpl(); + } + } + } + return pcapScannerHBase; + } + + /** + * Instantiates a new pcap scanner h base impl. + */ + private PcapScannerHBaseImpl() { + } + + /** + * The main method. + */ + // public static void main(String[] args) throws IOException { + // if (args == null || args.length < 3) { + // usage(); + // return; + // } + // String outputFileName = null; + // String startKey = null; + // String stopKey = null; + // outputFileName = args[0]; + // startKey = args[1]; + // if (args.length > 2) { // NOPMD by sheetal on 1/29/14 3:55 PM + // stopKey = args[2]; + // } + // PcapScannerHBaseImpl downloader = new PcapScannerHBaseImpl(); + // byte[] pcaps = downloader.getPcaps(startKey, stopKey, defaultResultSize, 0, + // Long.MAX_VALUE); + // File file = new File(outputFileName); + // FileUtils.write(file, "", false); + // ByteArrayOutputStream baos = new ByteArrayOutputStream(); // + // $codepro.audit.disable + // // closeWhereCreated + // PcapMerger.merge(baos, pcaps); + // FileUtils.writeByteArrayToFile(file, baos.toByteArray(), true); + // } + + /** + * Usage. + */ + @SuppressWarnings("unused") + private static void usage() { + System.out.println("java " + PcapScannerHBaseImpl.class.getName() // NOPMD + // by + // sheetal + // + // on + // 1/29/14 + // 3:55 + // PM + + " [stop key]"); + } +} diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapsResponse.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapsResponse.java new file mode 100644 index 0000000000..10af9e0dec --- /dev/null +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/PcapsResponse.java 
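Review bot: `scanPcaps` assigns the opened table to its own `table` parameter, so the caller's variable in `getPcaps` stays null and the `finally` block there never closes anything; the `ResultScanner` is never closed either. Each request, and each retry, therefore leaves a table handle and a scanner open, which on a REST endpoint can add up to resource exhaustion. Close both inside `scanPcaps` as sketched below; `executeGetRequest` and `executeScanRequest` in PcapGetterHBaseImpl earlier in this patch follow the same pattern. Separately, with `DEFAULT_HCONNECTION_RETRY_LIMIT = 0` the retry loop in `getPcaps` does not run and the connection exception is not rethrown, so an HBase outage would be reported as an empty result.

```java
// in scanPcaps(...), replacing the getTable / getScanner / collection loop
List<Cell> scannedCells = new ArrayList<Cell>();
HTable pcapTable = (HTable) HBaseConfigurationUtil.getConnection().getTable(
    ConfigurationUtil.getConfiguration().getString("hbase.table.name"));
try {
  ResultScanner resultScanner = pcapTable.getScanner(scan);
  try {
    // … unchanged: loop adding result.getColumnCells(cf, cq) to scannedCells …
  } finally {
    resultScanner.close();
  }
} finally {
  pcapTable.close();
}
// … unchanged: sort by timestamp and copy cell values into pcaps …
```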
@@ -0,0 +1,153 @@ +/** + * + */ +package com.opensoc.pcapservice; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.util.ArrayList; +import java.util.List; + +import com.opensoc.pcap.PcapMerger; + + + +/** + * Holds pcaps data, status and the partial response key. + * + * @author Sayi + */ +public class PcapsResponse { + + /** + * The Enum Status. + */ + public enum Status { + + /** The partial. */ + PARTIAL, + /** The complete. */ + COMPLETE + }; + + /** response of the processed keys. */ + private List pcaps = new ArrayList();; + + /** partial response key. */ + private String lastRowKey; + + /** The status. */ + private Status status = Status.COMPLETE; + + /** + * Sets the pcaps. + * + * @param pcaps + * the new pcaps + */ + public void setPcaps(List pcaps) { + this.pcaps = pcaps; + } + + /** + * Adds the pcaps. + * + * @param pcaps + * the pcaps + */ + public void addPcaps(byte[] pcaps) { + this.pcaps.add(pcaps); + } + + /** + * Gets the partial response key. + * + * @return the partial response key + */ + public String getLastRowKey() { + return lastRowKey; + } + + /** + * Sets the partial response key. + * + * @param lastRowKey + * the last row key + */ + public void setLastRowKey(String lastRowKey) { + this.lastRowKey = lastRowKey; + } + + /** + * Gets the status. + * + * @return the status + */ + public Status getStatus() { + return status; + } + + /** + * Sets the status. + * + * @param status + * the new status + */ + public void setStatus(Status status) { + this.status = status; + } + + /** + * Checks if is resonse size within limit. 
+ * + * @param maxResultSize + * the max result size + * @return true, if is resonse size within limit + */ + public boolean isResonseSizeWithinLimit(long maxResultSize) { + // System.out.println("isResonseSizeWithinLimit() : getResponseSize() < (input|default result size - maximum packet size ) ="+ + // getResponseSize()+ " < " + ( maxResultSize + // -ConfigurationUtil.getMaxRowSize())); + return getResponseSize() < (maxResultSize - ConfigurationUtil + .getMaxRowSize()); + } + + /** + * Gets the response size. + * + * @return the response size + */ + public long getResponseSize() { + long responseSize = 0; + for (byte[] pcap : this.pcaps) { + responseSize = responseSize + pcap.length; + } + return responseSize; + } + + /** + * Gets the pcaps. + * + * @return the pcaps + * @throws IOException + * Signals that an I/O exception has occurred. + */ + public byte[] getPcaps() throws IOException { + if (pcaps.size() == 1) { + return pcaps.get(0); + } + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + PcapMerger.merge(baos, pcaps); + return baos.toByteArray(); + } + + /* (non-Javadoc) + * @see java.lang.Object#toString() + */ + @Override + public String toString() { + return "PcapsResponse [lastRowKey=" + lastRowKey + + ", status=" + status + ", pcapsSize=" + + String.valueOf(getResponseSize()) + "]"; + } +} diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/RestTestingUtil.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/RestTestingUtil.java new file mode 100644 index 0000000000..651affeae9 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/RestTestingUtil.java 
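Review bot: `setPcaps` in PcapsResponse stores the caller's list without a null check, while `addPcaps`, `getResponseSize`, `getPcaps` and `toString` all dereference `this.pcaps`, so a null argument surfaces later as a NullPointerException far from its cause, including from a log statement that prints the response. A guard such as `this.pcaps = (pcaps == null) ? new ArrayList<byte[]>() : pcaps;` keeps the object usable (the element type is inferred from the `for (byte[] pcap : this.pcaps)` loop, since the generics are not visible on this page). Separately, `isResonseSizeWithinLimit` is only advisory: `addPcaps` never consults it, so the cap on buffered capture data holds only if every caller checks before each add, which is worth stating in the Javadoc of `addPcaps`.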
@@ -0,0 +1,238 @@ +package com.opensoc.pcapservice; + +import java.util.HashMap; +import java.util.Map; + +import org.springframework.http.HttpEntity; +import org.springframework.http.HttpHeaders; +import org.springframework.http.HttpMethod; +import org.springframework.http.MediaType; +import org.springframework.http.ResponseEntity; +import org.springframework.web.client.RestTemplate; + +/** + * The Class RestTestingUtil. + */ +public class RestTestingUtil { + + /** The host name. */ + public static String hostName = null; + + /** + * Gets the pcaps by keys. + * + * @param keys + * the keys + * @return the pcaps by keys + */ + @SuppressWarnings("unchecked") + private static void getPcapsByKeys(String keys) { + System.out + .println("**********************getPcapsByKeys ******************************************************************************************"); + // 1. + String url = "http://" + hostName + + "/cisco-rest/pcapGetter/getPcapsByKeys?keys={keys}" + + "&includeReverseTraffic={includeReverseTraffic}" + + "&startTime={startTime}" + "&endTime={endTime}" + + "&maxResponseSize={maxResponseSize}"; + // default values + String startTime = "-1"; + String endTime = "-1"; + String maxResponseSize = "6"; + String includeReverseTraffic = "false"; + + @SuppressWarnings("rawtypes") + Map map = new HashMap(); + map.put("keys", keys); + map.put("includeReverseTraffic", includeReverseTraffic); + map.put("startTime", startTime); + map.put("endTime", endTime); + map.put("maxResponseSize", maxResponseSize); + + RestTemplate template = new RestTemplate(); + + // set headers and entity to send + HttpHeaders headers = new HttpHeaders(); + headers.set("Accept", MediaType.APPLICATION_OCTET_STREAM_VALUE); + HttpEntity requestEntity = new HttpEntity(headers); + + // 1. 
+ ResponseEntity response1 = template.exchange(url, HttpMethod.GET, + requestEntity, byte[].class, map); + System.out + .println("----------------------------------------------------------------------------------------------------"); + System.out + .format( + "getPcapsByKeys : request= \n response= %s \n", + keys, includeReverseTraffic, startTime, endTime, maxResponseSize, + response1); + System.out + .println("----------------------------------------------------------------------------------------------------"); + System.out.println(); + + // 2. with reverse traffic + includeReverseTraffic = "true"; + map.put("includeReverseTraffic", includeReverseTraffic); + ResponseEntity response2 = template.exchange(url, HttpMethod.GET, + requestEntity, byte[].class, map); + System.out + .println("----------------------------------------------------------------------------------------------------"); + System.out + .format( + "getPcapsByKeys : request= \n response= %s \n", + keys, includeReverseTraffic, startTime, endTime, maxResponseSize, + response2); + System.out + .println("----------------------------------------------------------------------------------------------------"); + System.out.println(); + + // 3.with time range + startTime = System.getProperty("startTime", "-1"); + endTime = System.getProperty("endTime", "-1"); + map.put("startTime", startTime); + map.put("endTime", endTime); + ResponseEntity response3 = template.exchange(url, HttpMethod.GET, + requestEntity, byte[].class, map); + System.out + .println("----------------------------------------------------------------------------------------------------"); + System.out + .format( + "getPcapsByKeys : request= \n response= %s \n", + keys, includeReverseTraffic, startTime, endTime, maxResponseSize, + response3); + System.out + .println("----------------------------------------------------------------------------------------------------"); + System.out.println(); + + // 4.with maxResponseSize + maxResponseSize = 
System.getProperty("maxResponseSize", "6"); + map.put("maxResponseSize", maxResponseSize); + ResponseEntity response4 = template.exchange(url, HttpMethod.GET, + requestEntity, byte[].class, map); + System.out + .println("----------------------------------------------------------------------------------------------------"); + System.out + .format( + "getPcapsByKeys : request= \n response= %s \n", + keys, includeReverseTraffic, startTime, endTime, maxResponseSize, + response4); + System.out + .println("----------------------------------------------------------------------------------------------------"); + System.out.println(); + + } + + /** + * Gets the pcaps by keys range. + * + * @param startKey + * the start key + * @param endKey + * the end key + * @return the pcaps by keys range + */ + @SuppressWarnings("unchecked") + private static void getPcapsByKeysRange(String startKey, String endKey) { + System.out + .println("**********************getPcapsByKeysRange ******************************************************************************************"); + // 1. + String url = "http://" + hostName + + "/cisco-rest/pcapGetter/getPcapsByKeyRange?startKey={startKey}" + + "&endKey={endKey}" + "&startTime={startTime}" + "&endTime={endTime}" + + "&maxResponseSize={maxResponseSize}"; + // default values + String startTime = "-1"; + String endTime = "-1"; + String maxResponseSize = "6"; + @SuppressWarnings("rawtypes") + Map map = new HashMap(); + map.put("startKey", startKey); + map.put("endKey", "endKey"); + map.put("startTime", startTime); + map.put("endTime", endTime); + map.put("maxResponseSize", maxResponseSize); + + RestTemplate template = new RestTemplate(); + + // set headers and entity to send + HttpHeaders headers = new HttpHeaders(); + headers.set("Accept", MediaType.APPLICATION_OCTET_STREAM_VALUE); + HttpEntity requestEntity = new HttpEntity(headers); + + // 1. 
+ ResponseEntity response1 = template.exchange(url, HttpMethod.GET, + requestEntity, byte[].class, map); + System.out + .println("----------------------------------------------------------------------------------------------------"); + System.out + .format( + "getPcapsByKeysRange : request= \n response= %s \n", + startKey, endKey, startTime, endTime, maxResponseSize, response1); + System.out + .println("----------------------------------------------------------------------------------------------------"); + System.out.println(); + + // 2. with time range + startTime = System.getProperty("startTime", "-1"); + endTime = System.getProperty("endTime", "-1"); + map.put("startTime", startTime); + map.put("endTime", endTime); + ResponseEntity response2 = template.exchange(url, HttpMethod.GET, + requestEntity, byte[].class, map); + System.out + .println("----------------------------------------------------------------------------------------------------"); + System.out + .format( + "getPcapsByKeysRange : request= \n response= %s \n", + startKey, endKey, startTime, endTime, maxResponseSize, response2); + System.out + .println("----------------------------------------------------------------------------------------------------"); + System.out.println(); + + // 3. with maxResponseSize + maxResponseSize = System.getProperty("maxResponseSize", "6"); + map.put("maxResponseSize", maxResponseSize); + ResponseEntity response3 = template.exchange(url, HttpMethod.GET, + requestEntity, byte[].class, map); + System.out + .println("----------------------------------------------------------------------------------------------------"); + System.out + .format( + "getPcapsByKeysRange : request= \n response= %s \n", + startKey, endKey, startTime, endTime, maxResponseSize, response3); + System.out + .println("----------------------------------------------------------------------------------------------------"); + System.out.println(); + + } + + /** + * The main method. 
+ * + * @param args + * the arguments + */ + public static void main(String[] args) { + + /* + * Run this program with system properties + * + * -DhostName=mon.hw.com:8090 + * -Dkeys=18800006-1800000b-06-0019-b39d,18800006- + * 1800000b-06-0050-5af6-64840-40785 + * -DstartKey=18000002-18800002-06-0436-0019-2440-34545 + * -DendKey=18000002-18800002-06-b773-0019-2840-34585 + */ + + hostName = System.getProperty("hostName"); + + String keys = System.getProperty("keys"); + + String statyKey = System.getProperty("startKey"); + String endKey = System.getProperty("endKey"); + + getPcapsByKeys(keys); + getPcapsByKeysRange(statyKey, endKey); + + } +} diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/rest/JettyServiceRunner.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/rest/JettyServiceRunner.java new file mode 100644 index 0000000000..1fdb0252e5 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/rest/JettyServiceRunner.java @@ -0,0 +1,26 @@ +package com.opensoc.pcapservice.rest; + +import java.util.HashSet; +import java.util.Set; + +import javax.ws.rs.core.Application; + +import com.opensoc.pcapservice.PcapReceiverImplRestEasy; + +public class JettyServiceRunner extends Application { + + + private static Set services = new HashSet(); + + public JettyServiceRunner() { + // initialize restful services + services.add(new PcapReceiverImplRestEasy()); + } + @Override + public Set getSingletons() { + return services; + } + public static Set getServices() { + return services; + } +} \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/rest/PcapService.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/rest/PcapService.java new file mode 100644 index 0000000000..5f47ead134 --- /dev/null 
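Review bot: In `getPcapsByKeysRange` of RestTestingUtil the line `map.put("endKey", "endKey");` sends the literal string instead of the `endKey` parameter, so every range request made by this utility carries a wrong end key; it should read `map.put("endKey", endKey);`. `main` also passes `System.getProperty("hostName")` straight into the URL, so an unset property produces requests to `http://null/...`; a check such as `if (hostName == null) { System.err.println("-DhostName is required"); return; }` before the two calls would fail fast. The class sits under src/main rather than src/test, so it ships with the service artifact; if it is meant only for manual testing, the test tree is the better home.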
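Review bot: `services` in JettyServiceRunner is a static mutable set that the constructor appends to, so every instantiation of the class registers another `PcapReceiverImplRestEasy`, and `getSingletons()` and `getServices()` hand the live set to callers who can add or remove resources. Populating the set once in a static initializer and returning `Collections.unmodifiableSet(services)` from both getters avoids both problems. Whether duplicates actually accumulate depends on `PcapReceiverImplRestEasy` not overriding `equals`/`hashCode`, which is not visible in this hunk.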
+++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/com/opensoc/pcapservice/rest/PcapService.java @@ -0,0 +1,34 @@ +package com.opensoc.pcapservice.rest; + +import java.io.IOException; + +import org.eclipse.jetty.server.Server; +import org.eclipse.jetty.servlet.ServletContextHandler; +import org.eclipse.jetty.servlet.ServletHolder; +import org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher; + +import com.opensoc.helpers.services.PcapServiceCli; + + +public class PcapService { + + public static void main(String[] args) throws IOException { + + PcapServiceCli cli = new PcapServiceCli(args); + cli.parse(); + + Server server = new Server(cli.getPort()); + ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS); + context.setContextPath("/"); + ServletHolder h = new ServletHolder(new HttpServletDispatcher()); + h.setInitParameter("javax.ws.rs.Application", "com.opensoc.pcapservice.rest.JettyServiceRunner"); + context.addServlet(h, "/*"); + server.setHandler(context); + try { + server.start(); + server.join(); + } catch (Exception e) { + e.printStackTrace(); + } + } +} \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/org/apache/hadoop/hbase/regionserver/compactions/OnlyDeleteExpiredFilesCompactionPolicy.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/org/apache/hadoop/hbase/regionserver/compactions/OnlyDeleteExpiredFilesCompactionPolicy.java new file mode 100644 index 0000000000..6b17410166 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/java/org/apache/hadoop/hbase/regionserver/compactions/OnlyDeleteExpiredFilesCompactionPolicy.java 
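Review bot: `new Server(cli.getPort())` in `PcapService.main` listens on every interface over plain HTTP, and nothing in this hunk puts authentication or TLS in front of the RESTEasy dispatcher, which matters for an endpoint that returns raw packet captures. Unless that is enforced elsewhere (in `PcapReceiverImplRestEasy` or a fronting proxy, neither visible here), the listener should be bound to a configured address and the deployment assumption stated in a comment above the `Server` construction. The `catch (Exception e) { e.printStackTrace(); }` around `server.start()` also lets a failed start end `main` without a failing exit status; adding `System.exit(1);` after reporting the error makes the failure visible to whatever supervises the process.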
@@ -0,0 +1,37 @@ +package org.apache.hadoop.hbase.regionserver.compactions; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.hadoop.hbase.regionserver.compactions.RatioBasedCompactionPolicy; + +import java.io.IOException; +import java.util.ArrayList; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hbase.regionserver.StoreConfigInformation; +import org.apache.hadoop.hbase.regionserver.StoreFile; + +public class OnlyDeleteExpiredFilesCompactionPolicy extends RatioBasedCompactionPolicy { + private static final Log LOG = LogFactory.getLog(OnlyDeleteExpiredFilesCompactionPolicy.class); + + /** + * Constructor. + * + * @param conf + * The Conf. + * @param storeConfigInfo + * Info about the store. + */ + public OnlyDeleteExpiredFilesCompactionPolicy(final Configuration conf, final StoreConfigInformation storeConfigInfo) { + super(conf, storeConfigInfo); + } + + @Override + final ArrayList applyCompactionPolicy(final ArrayList candidates, final boolean mayUseOffPeak, + final boolean mayBeStuck) throws IOException { + LOG.info("Sending empty list for compaction to avoid compaction and do only deletes of files older than TTL"); + + return new ArrayList(); + } + +} diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/resources/config-definition-hbase.xml b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/resources/config-definition-hbase.xml new file mode 100644 index 0000000000..efe05e8aba --- /dev/null +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/resources/config-definition-hbase.xml @@ -0,0 +1,34 @@ + + + +
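Review bot: OnlyDeleteExpiredFilesCompactionPolicy has no class-level comment explaining that it is placed in `org.apache.hadoop.hbase.regionserver.compactions` in order to override the package-private `applyCompactionPolicy`, nor what follows from returning an empty list on every call. I would add a class Javadoc saying that the policy never selects files for compaction, that the overridden signature is tied to the HBase version it was written against (the version is not visible in this hunk), and how the policy is expected to be enabled. The `LOG.info` in `applyCompactionPolicy` runs on every selection; `LOG.debug` would likely be enough once the policy is in steady use.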
    + + + + + + + + + + +
    + + + + + + + + + + + +
    \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/resources/hbase-config-default.properties b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/resources/hbase-config-default.properties new file mode 100644 index 0000000000..4ee56b6622 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/resources/hbase-config-default.properties @@ -0,0 +1,40 @@ +#hbase zoo keeper configuration +hbase.zookeeper.quorum=zkpr1,zkpr2,zkpr3 +hbase.zookeeper.clientPort=2181 +hbase.client.retries.number=1 +zookeeper.session.timeout=60000 +zookeeper.recovery.retry=0 + +#hbase table configuration +hbase.table.name=pcap +hbase.table.column.family=t +hbase.table.column.qualifier=pcap +hbase.table.column.maxVersions=5 + +# scan size limit configuration in MB or KB; if the input is negative or greater than max value throw an error. +hbase.scan.result.size.unit=MB +hbase.scan.default.result.size=6 +hbase.scan.max.result.size=60 + +# time stamp conversion configuration; possible values 'SECONDS'(seconds), 'MILLIS'(milli seconds), 'MICROS' (micro seconds) +hbase.table.data.time.unit=MILLIS + +#number of retries in case of ZooKeeper or HBase server down +hbase.hconnection.retries.number=3 + +#configuration for including pcaps in the reverse traffic +pcaps.include.reverse.traffic = false + +#maximum table row size in KB or MB +hbase.table.row.size.unit = KB +hbase.table.max.row.size = 70 + +# tokens of row key configuration +hbase.table.row.key.tokens=7 +rest.api.input.key.min.tokens=5 + +# whether or not to include the last row from the previous request, applicable for only partial response scenario +hbase.table.scan.include.duplicate.lastrow= true; + +#number of digits for appending tokens of the row key +hbase.table.row.key.token.appending.digits=5 
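Review bot: In hbase-config-default.properties the line `hbase.table.scan.include.duplicate.lastrow= true;` ends with a semicolon, and in a properties file that character is part of the value, so the setting is read as `true;` rather than `true`. How ConfigurationUtil handles a non-boolean value is not visible here, but it can only be a conversion error or a fallback that ignores the intended setting. The line should be `hbase.table.scan.include.duplicate.lastrow=true`.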
diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/main/resources/hbase-site.xml b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/resources/hbase-site.xml new file mode 100644 index 0000000000..5c3c8197b7 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/resources/hbase-site.xml @@ -0,0 +1,127 @@ + + + + hbase.tmp.dir + /disk/h/hbase + + + hbase.hregion.memstore.chunkpool.maxsize + 0.5 + + + hbase.regionserver.codecs + lzo,gz,snappy + + + hbase.hstore.flush.retries.number + 120 + + + hbase.client.keyvalue.maxsize + 10485760 + + + hbase.rootdir + hdfs://nn1:8020/apps/hbase/data + + + hbase.defaults.for.version.skip + true + + + hbase.client.scanner.caching + 100 + + + hbase.superuser + hbase + + + hfile.block.cache.size + 0.40 + + + hbase.regionserver.checksum.verify + true + + + hbase.hregion.memstore.mslab.enabled + true + + + hbase.hregion.max.filesize + 107374182400 + + + hbase.cluster.distributed + true + + + zookeeper.session.timeout + 30000 + + + zookeeper.znode.parent + /hbase-unsecure + + + hbase.regionserver.global.memstore.lowerLimit + 0.38 + + + hbase.regionserver.handler.count + 240 + + + hbase.hregion.memstore.mslab.chunksize + 8388608 + + + hbase.zookeeper.quorum + zkpr1,zkpr2,zkpr3 + + + hbase.zookeeper.useMulti + true + + + hbase.hregion.majorcompaction + 86400000 + + + hbase.hstore.blockingStoreFiles + 200 + + + hbase.zookeeper.property.clientPort + 2181 + + + hbase.hregion.memstore.flush.size + 134217728 + + + hbase.security.authorization + false + + + hbase.regionserver.global.memstore.upperLimit + 0.4 + + + hbase.hstore.compactionThreshold + 4 + + + hbase.hregion.memstore.block.multiplier + 8 + + + hbase.security.authentication + simple + + + dfs.client.read.shortcircuit + true + + \ No newline at end of file 
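Review bot: This bundled hbase-site.xml sets `hbase.security.authentication` to `simple`, `hbase.security.authorization` to `false` and `zookeeper.znode.parent` to `/hbase-unsecure`, so the service artifact carries a configuration for a cluster with no authentication or access control in front of the pcap table. It also hard-codes one environment's hosts (`hdfs://nn1:8020`, `zkpr1,zkpr2,zkpr3`) and region-server tuning that a client does not need. I would keep only the client keys here, load the cluster's own site file from outside the jar, and add a comment at the top of the file stating that these values describe an unsecured development cluster.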
diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/resources/log4j.properties b/opensoc-streaming/OpenSOC-Pcap_Service/src/main/resources/log4j.properties
similarity index 100%
rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/main/resources/log4j.properties
rename to opensoc-streaming/OpenSOC-Pcap_Service/src/main/resources/log4j.properties
diff --git a/opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/CellTimestampComparatorTest.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/CellTimestampComparatorTest.java
new file mode 100644
index 0000000000..c2a4bf2ec5
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/CellTimestampComparatorTest.java
@@ -0,0 +1,92 @@ +package com.opensoc.pcapservice; + +import junit.framework.Assert; + +import org.apache.hadoop.hbase.Cell; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.mockito.Mockito; + +import com.opensoc.pcapservice.CellTimestampComparator; + +/** + * The Class CellTimestampComparatorTest. + */ +public class CellTimestampComparatorTest { + + /** + * Sets the up. + * + * @throws Exception + * the exception + */ + @Before + public void setUp() throws Exception { + } + + /** + * Tear down. + * + * @throws Exception + * the exception + */ + @After + public void tearDown() throws Exception { + } + + /** + * Test_less. + */ + @Test + public void test_less() { + // mocking + Cell cell1 = Mockito.mock(Cell.class); + Mockito.when(cell1.getTimestamp()).thenReturn(13945345808L); + Cell cell2 = Mockito.mock(Cell.class); + Mockito.when(cell2.getTimestamp()).thenReturn(13845345808L); + + CellTimestampComparator comparator = new CellTimestampComparator(); + + // actual call and verify + Assert.assertTrue(comparator.compare(cell2, cell1) == -1); + + } + + /** + * Test_greater. + */ + @Test + public void test_greater() { + // mocking + Cell cell1 = Mockito.mock(Cell.class); + Mockito.when(cell1.getTimestamp()).thenReturn(13745345808L); + Cell cell2 = Mockito.mock(Cell.class); + Mockito.when(cell2.getTimestamp()).thenReturn(13945345808L); + + CellTimestampComparator comparator = new CellTimestampComparator(); + + // actual call and verify + Assert.assertTrue(comparator.compare(cell2, cell1) == 1); + + } + + /** + * Test_equal. 
+ */ + @Test + public void test_equal() { + // mocking + Cell cell1 = Mockito.mock(Cell.class); + Mockito.when(cell1.getTimestamp()).thenReturn(13945345808L); + Cell cell2 = Mockito.mock(Cell.class); + Mockito.when(cell2.getTimestamp()).thenReturn(13945345808L); + + CellTimestampComparator comparator = new CellTimestampComparator(); + + // actual call and verify + Assert.assertTrue(comparator.compare(cell2, cell1) == 0); + + } + +} diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/ConfigurationUtilTest.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/ConfigurationUtilTest.java similarity index 86% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/ConfigurationUtilTest.java rename to opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/ConfigurationUtilTest.java index 48f39739bd..7adf3887fc 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/ConfigurationUtilTest.java +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/ConfigurationUtilTest.java @@ -1,10 +1,10 @@ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; import org.eclipse.jdt.internal.core.Assert; import org.junit.Test; -import com.cisco.opensoc.hbase.client.ConfigurationUtil; -import com.cisco.opensoc.hbase.client.ConfigurationUtil.SizeUnit; +import com.opensoc.pcapservice.ConfigurationUtil; +import com.opensoc.pcapservice.ConfigurationUtil.SizeUnit; /** * The Class ConfigurationUtilTest. 
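Review bot: `test_less` and `test_greater` in CellTimestampComparatorTest assert `comparator.compare(cell2, cell1) == -1` and `== 1`, which pins the exact return value although the Comparator contract only fixes the sign. The assertions would be sturdier as `Assert.assertTrue(comparator.compare(cell2, cell1) < 0);` and `Assert.assertTrue(comparator.compare(cell2, cell1) > 0);`. The empty `setUp`/`tearDown` methods and the import of `CellTimestampComparator` from the test's own package can be dropped.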
diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/HBaseConfigurationUtilTest.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/HBaseConfigurationUtilTest.java similarity index 90% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/HBaseConfigurationUtilTest.java rename to opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/HBaseConfigurationUtilTest.java index e8ec8f9c7e..91f87a9171 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/HBaseConfigurationUtilTest.java +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/HBaseConfigurationUtilTest.java @@ -1,4 +1,4 @@ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; import java.io.IOException; @@ -8,7 +8,7 @@ import org.junit.Test; import org.springframework.util.Assert; -import com.cisco.opensoc.hbase.client.HBaseConfigurationUtil; +import com.opensoc.pcapservice.HBaseConfigurationUtil; /** * The Class HBaseConfigurationUtilTest. diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/HBaseIntegrationTest.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/HBaseIntegrationTest.java similarity index 97% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/HBaseIntegrationTest.java rename to opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/HBaseIntegrationTest.java index 3eb2bb0c39..75f8121257 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/HBaseIntegrationTest.java +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/HBaseIntegrationTest.java 
@@ -1,7 +1,7 @@ /** * */ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; import java.io.IOException; diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/PcapGetterHBaseImplTest.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/PcapGetterHBaseImplTest.java similarity index 98% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/PcapGetterHBaseImplTest.java rename to opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/PcapGetterHBaseImplTest.java index ea49d9ca4b..6e0ad9eab0 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/PcapGetterHBaseImplTest.java +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/PcapGetterHBaseImplTest.java @@ -1,4 +1,4 @@ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; import java.io.File; import java.io.IOException; @@ -19,8 +19,8 @@ import org.mockito.Mockito; import org.springframework.util.Assert; -import com.cisco.opensoc.hbase.client.PcapGetterHBaseImpl; -import com.cisco.opensoc.hbase.client.PcapsResponse; +import com.opensoc.pcapservice.PcapGetterHBaseImpl; +import com.opensoc.pcapservice.PcapsResponse; /** * The Class PcapGetterHBaseImplTest. @@ -424,8 +424,8 @@ public void test_createGetRequest() throws IOException { Assert.isTrue(Arrays.equals(get.getRow(), key.getBytes())); // compare in micros as the data creation time unit is set to Micros in // properties file. - Assert.isTrue(get.getTimeRange().getMin() == startTime * 1000 * 1000); - Assert.isTrue(get.getTimeRange().getMax() == endTime * 1000 * 1000); + Assert.isTrue(get.getTimeRange().getMin() == startTime * 1000 ); + Assert.isTrue(get.getTimeRange().getMax() == endTime * 1000 ); } /** 
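Review bot: In the `@@ -424,8 +424,8 @@` hunk of PcapGetterHBaseImplTest the assertions now multiply by 1000, but the context comment directly above them still reads "compare in micros as the data creation time unit is set to Micros in properties file", which contradicts the new code and the MILLIS setting this commit puts in the test hbase-config.properties. The comment should become `// compare in millis: hbase.table.data.time.unit is MILLIS in the test properties`. `test_createGetRequest` starts and ends outside the hunk.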
@@ -465,7 +465,7 @@ public void test_createGetRequest_withStartTime() throws IOException { Assert.notNull(get); Assert.isTrue(Arrays.equals(get.getRow(), key.getBytes())); - Assert.isTrue(get.getTimeRange().getMin() == startTime * 1000 * 1000); + Assert.isTrue(get.getTimeRange().getMin() == startTime * 1000 ); Assert.isTrue(get.getTimeRange().getMax() == Long.valueOf(Long.MAX_VALUE)); } @@ -488,7 +488,7 @@ public void test_createGetRequest_withEndTime() throws IOException { Assert.isTrue(Arrays.equals(get.getRow(), key.getBytes())); Assert.isTrue(get.getTimeRange().getMin() == 0); - Assert.isTrue(get.getTimeRange().getMax() == endTime * 1000 * 1000); + Assert.isTrue(get.getTimeRange().getMax() == endTime * 1000 ); } /** @@ -520,12 +520,12 @@ public void test_createScanRequest() throws IOException { endTime, maxResultSize); // verify time range - Assert.isTrue(scan.getTimeRange().getMin() == startTime * 1000 * 1000); // compare + Assert.isTrue(scan.getTimeRange().getMin() == startTime * 1000 ); // compare // in - // micros - Assert.isTrue(scan.getTimeRange().getMax() == endTime * 1000 * 1000); // compare + // millis + Assert.isTrue(scan.getTimeRange().getMax() == endTime * 1000 ); // compare // in - // micros + // millis // verify start and stop rows Assert.isTrue(Arrays.equals(scan.getStartRow(), startKey.getBytes())); diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/PcapHelperTest.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/PcapHelperTest.java similarity index 97% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/PcapHelperTest.java rename to opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/PcapHelperTest.java index 88392d13af..a1f6c04464 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/PcapHelperTest.java 
+++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/PcapHelperTest.java @@ -1,7 +1,7 @@ /** * */ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; import java.util.Arrays; import java.util.List; @@ -15,8 +15,8 @@ import org.powermock.core.classloader.annotations.PrepareForTest; import org.powermock.modules.junit4.PowerMockRunner; -import com.cisco.opensoc.hbase.client.PcapHelper; -import com.cisco.opensoc.hbase.client.PcapHelper.TimeUnit; +import com.opensoc.pcapservice.PcapHelper; +import com.opensoc.pcapservice.PcapHelper.TimeUnit; // TODO: Auto-generated Javadoc /** @@ -266,7 +266,7 @@ public void test_convertToDataCreationTimeUnit_() { @Test public void test_getDataCreationTimeUnit() { TimeUnit dataCreationTimeUnit = PcapHelper.getDataCreationTimeUnit(); - Assert.isTrue(TimeUnit.MICROS == dataCreationTimeUnit); + Assert.isTrue(TimeUnit.MILLIS == dataCreationTimeUnit); } /** diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/PcapScannerHBaseImplTest.java b/opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/PcapScannerHBaseImplTest.java similarity index 98% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/PcapScannerHBaseImplTest.java rename to opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/PcapScannerHBaseImplTest.java index 46f365a337..89bad6d61c 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/java/com/cisco/opensoc/hbase/client/PcapScannerHBaseImplTest.java +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/test/java/com/opensoc/pcapservice/PcapScannerHBaseImplTest.java @@ -1,4 +1,4 @@ -package com.cisco.opensoc.hbase.client; +package com.opensoc.pcapservice; import java.io.File; import java.io.IOException; 
@@ -16,8 +16,6 @@ import org.junit.Test; import org.mockito.Mockito; -import com.cisco.opensoc.hbase.client.PcapScannerHBaseImpl; - // TODO: Auto-generated Javadoc /** * The Class PcapScannerHBaseImplTest. @@ -97,7 +95,7 @@ public void test_createScanRequest_withTimestamps() throws IOException { maxResultSize, startTime, endTime); // verify - Assert.assertTrue(scan.getTimeRange().getMin() == 1376782349234555L); + Assert.assertTrue(scan.getTimeRange().getMin() == 1376782349234L); Assert.assertTrue(Arrays.equals(scan.getStartRow(), startKey.getBytes())); Assert.assertTrue(Arrays.equals(scan.getStopRow(), endKey.getBytes())); } diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/resources/hbase-config.properties b/opensoc-streaming/OpenSOC-Pcap_Service/src/test/resources/hbase-config.properties similarity index 97% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/resources/hbase-config.properties rename to opensoc-streaming/OpenSOC-Pcap_Service/src/test/resources/hbase-config.properties index 0efd799576..66f9d54a09 100644 --- a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/resources/hbase-config.properties +++ b/opensoc-streaming/OpenSOC-Pcap_Service/src/test/resources/hbase-config.properties @@ -17,7 +17,7 @@ hbase.scan.default.result.size=6 hbase.scan.max.result.size=60 # time stamp conversion configuration; possible values 'SECONDS'(seconds), 'MILLIS'(milli seconds), 'MICROS' (micro seconds) -hbase.table.data.time.unit=MICROS +hbase.table.data.time.unit=MILLIS #number of retries in case of ZooKeeper or HBase server down hbase.hconnection.retries.number=3 
diff --git a/opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/resources/test-tcp-packet.pcap b/opensoc-streaming/OpenSOC-Pcap_Service/src/test/resources/test-tcp-packet.pcap similarity index 100% rename from opensoc-streaming/OpenSOC-PCAP_Reconstruction/hbase/src/test/resources/test-tcp-packet.pcap rename to opensoc-streaming/OpenSOC-Pcap_Service/src/test/resources/test-tcp-packet.pcap diff --git a/opensoc-streaming/OpenSOC-Topologies/pom.xml b/opensoc-streaming/OpenSOC-Topologies/pom.xml new file mode 100644 index 0000000000..3ec016f0c2 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Topologies/pom.xml 
@@ -0,0 +1,188 @@ + + + + 4.0.0 + + com.opensoc + OpenSOC-Streaming + 0.6BETA + + OpenSOC-Topologies + OpenSOC Topologies + + + 0.9.1.2.1.1.0-385 + 20040117.000000 + 1.10 + + + + github-snapshots + http://oss.sonatype.org/content/repositories/snapshots/ + + + + + com.opensoc + OpenSOC-Common + ${project.parent.version} + + + com.opensoc + OpenSOC-Alerts + ${project.parent.version} + + + com.opensoc + OpenSOC-EnrichmentAdapters + ${project.parent.version} + + + com.opensoc + OpenSOC-MessageParsers + ${project.parent.version} + + + com.opensoc + OpenSOC-Indexing + ${project.parent.version} + + + + org.apache.hadoop + hadoop-client + ${global_hadoop_version} + + + org.slf4j + slf4j-log4j12 + + + + + org.apache.hadoop + hadoop-hdfs + ${global_hadoop_version} + + + org.slf4j + slf4j-log4j12 + + + + + org.apache.kafka + kafka_2.8.2 + ${global_kafka_version} + + + + log4j + log4j + + + + + org.apache.storm + storm-core + ${global_storm_version} + provided + + + org.apache.storm + storm-kafka + ${global_storm_version} + + + org.apache.storm + storm + ${global_storm_version} + pom + provided + + + + + com.github.ptgoetz + storm-hbase + 0.1.2 + + + + com.github.sheetaldolas + storm-hdfs + 0.0.7-SNAPSHOT + + + org.apache.storm + storm-core + + + org.apache.hadoop + hadoop-client + + + + + + + + + src/main/resources + + + + + + org.apache.maven.plugins + maven-shade-plugin + 1.4 + + true + + + + package + + shade + + + + + storm:storm-core:* + storm:storm-lib:* + *slf4j* + + + + + + .yaml + + + + + + + + + + + + + diff --git a/opensoc-streaming/OpenSOC-Topologies/readme.md b/opensoc-streaming/OpenSOC-Topologies/readme.md new file mode 100644 index 0000000000..feac62da2d --- /dev/null +++ b/opensoc-streaming/OpenSOC-Topologies/readme.md 
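Review bot: The `github-snapshots` repository in this new pom is declared with a plain `http://` URL, so artifacts resolved from it are fetched without transport integrity and could be altered in transit; declare it as `https://oss.sonatype.org/content/repositories/snapshots/`. The same pom depends on `storm-hdfs` at `0.0.7-SNAPSHOT`, a mutable version whose contents can change while the build definition stays the same, and the result is shaded into the topology jar. Pinning a released version would make the jar reproducible. The XML tags are lost in this view of the hunk, so the element each value belongs to is inferred from the order of the values.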
@@ -0,0 +1,47 @@ +#OpenSOC-Topologies + +#Module Description + +This module provides example topologies that show how to drive OpenSOC modules and components. The sample topologies provided are to process PCAP, Ise, Lancope, and Bro telemetries + +##Launching Topologies + + +``` + +storm jar OpenSOC-Topologies-0.6BETA.jar com.opensoc.topology.Pcap +storm jar OpenSOC-Topologies-0.6BETA.jar com.opensoc.topology.Sourcefire +storm jar OpenSOC-Topologies-0.6BETA.jar com.opensoc.topology.Lancope +storm jar OpenSOC-Topologies-0.6BETA.jar com.opensoc.topology.Ise + +Topology Options: +-config_path OPTIONAL ARGUMENT [/path/to/configs] Path to +configuration folder. If not provided topology +will initialize with default configs +-debug OPTIONAL ARGUMENT [true|false] Storm debugging +enabled. Default value is true +-generator_spout REQUIRED ARGUMENT [true|false] Turn on test +generator spout. Default is set to false. If +test generator spout is turned on then kafka +spout is turned off. Instead the generator +spout will read telemetry from file and ingest +it into a topology +-h Display help menue +-local_mode REQUIRED ARGUMENT [true|false] Local mode or +cluster mode. If set to true the topology will +run in local mode. If set to false the topology +will be deployed to Storm nimbus +``` + +##Topology Configs + +The sample topologies provided use a specific directory structure. The example directory structure was checked in here: + +``` +https://github.com/OpenSOC/opensoc-streaming/tree/master/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs +``` + +topology.conf - settings specific to each topology +features_enabled.conf - turn on and off features for each topology and control parallelism +metrics.conf - export definitions for metrics to Graphite +topology_dentifier.conf - customer-specific tag (since we deploy to multiple data centers we need to identify where the alerts are coming from and what topologies we are looking at when we need to debug) 
diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/Asa.java b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/Asa.java new file mode 100644 index 0000000000..68f0c89e4b --- /dev/null +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/Asa.java @@ -0,0 +1,40 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.opensoc.topology; + +import org.apache.commons.configuration.ConfigurationException; + +import backtype.storm.generated.InvalidTopologyException; + +import com.opensoc.topology.runner.AsaRunner; +import com.opensoc.topology.runner.TopologyRunner; + + +/** + * Topology for processing Asa messages + * + */ +public class Asa{ + + public static void main(String[] args) throws ConfigurationException, Exception, InvalidTopologyException { + + TopologyRunner runner = new AsaRunner(); + runner.initTopology(args, "asa"); + } + +} diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/FireEye.java b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/FireEye.java new file mode 100644 index 0000000000..e1f489befc --- /dev/null 
+++ b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/FireEye.java @@ -0,0 +1,21 @@ +package com.opensoc.topology; + +import org.apache.commons.configuration.ConfigurationException; +import backtype.storm.generated.InvalidTopologyException; +import com.opensoc.topology.runner.FireEyeRunner; +import com.opensoc.topology.runner.TopologyRunner; + + +/** + * Topology for processing FireEye syslog messages + * + */ +public class FireEye { + + public static void main(String[] args) throws ConfigurationException, Exception, InvalidTopologyException { + + TopologyRunner runner = new FireEyeRunner(); + runner.initTopology(args, "fireeye"); + } + +} diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/Ise.java b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/Ise.java index d1fca5560e..7bcd0c2811 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/Ise.java +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/Ise.java @@ -24,6 +24,10 @@ import com.opensoc.topology.runner.ISERunner; import com.opensoc.topology.runner.TopologyRunner; +/** + * Topology for processing Ise messages + * + */ public class Ise{ public static void main(String[] args) throws ConfigurationException, Exception, InvalidTopologyException { diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/Lancope.java b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/Lancope.java index 236836fe15..c3ecc54beb 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/Lancope.java +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/Lancope.java 
@@ -24,6 +24,11 @@ import com.opensoc.topology.runner.LancopeRunner; import com.opensoc.topology.runner.TopologyRunner; + +/** + * Topology for processing Lancope messages + * + */ public class Lancope{ public static void main(String[] args) throws ConfigurationException, Exception, InvalidTopologyException { diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/PaloAltoFirewall.java b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/PaloAltoFirewall.java new file mode 100644 index 0000000000..222cc29854 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/PaloAltoFirewall.java 
@@ -0,0 +1,41 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.opensoc.topology; + +import org.apache.commons.configuration.ConfigurationException; + +import backtype.storm.generated.InvalidTopologyException; + +import com.opensoc.topology.runner.AsaRunner; +import com.opensoc.topology.runner.PaloAltoFirewallRunner; +import com.opensoc.topology.runner.TopologyRunner; + + +/** + * Topology for processing Palo Alto Firewall Syslog messages + * + */ +public class PaloAltoFirewall { + + public static void main(String[] args) throws ConfigurationException, Exception, InvalidTopologyException { + + TopologyRunner runner = new PaloAltoFirewallRunner(); + runner.initTopology(args, "paloalto"); + } + +} diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/Pcap.java b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/Pcap.java index 4fbd7c050b..25328931fc 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/Pcap.java +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/Pcap.java 
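Review bot: `import com.opensoc.topology.runner.AsaRunner;` in the new PaloAltoFirewall.java is unused, since `main` only constructs `PaloAltoFirewallRunner`. It looks like a leftover from copying Asa.java and should be dropped, so the class does not appear to depend on the ASA runner.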
@@ -24,6 +24,12 @@ import com.opensoc.topology.runner.PcapRunner; import com.opensoc.topology.runner.TopologyRunner; + +/** + * Topology for processing raw packet messages + * + */ + public class Pcap{ public static void main(String[] args) throws ConfigurationException, Exception, InvalidTopologyException { diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/AsaRunner.java b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/AsaRunner.java new file mode 100644 index 0000000000..8cc2db7479 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/AsaRunner.java 
@@ -0,0 +1,94 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.opensoc.topology.runner; + +import com.opensoc.filters.GenericMessageFilter; +import com.opensoc.parser.interfaces.MessageParser; +import com.opensoc.parsing.AbstractParserBolt; +import com.opensoc.parsing.TelemetryParserBolt; +import com.opensoc.test.spouts.GenericInternalTestSpout; + +public class AsaRunner extends TopologyRunner{ + + static String test_file_path = "SampleInput/AsaOutput"; + + @Override + public boolean initializeParsingBolt(String topology_name, + String name) { + try { + + String messageUpstreamComponent = messageComponents.get(messageComponents.size()-1); + + System.out.println("[OpenSOC] ------" + name + " is initializing from " + messageUpstreamComponent); + + + String class_name = config.getString("bolt.parser.adapter"); + + if(class_name == null) + { + System.out.println("[OpenSOC] Parser adapter not set. 
Please set bolt.indexing.adapter in topology.conf"); + throw new Exception("Parser adapter not set"); + } + + Class loaded_class = Class.forName(class_name); + MessageParser parser = (MessageParser) loaded_class.newInstance(); + + + AbstractParserBolt parser_bolt = new TelemetryParserBolt() + .withMessageParser(parser) + .withOutputFieldName(topology_name) + .withMessageFilter(new GenericMessageFilter()) + .withMetricConfig(config); + + builder.setBolt(name, parser_bolt, + config.getInt("bolt.parser.parallelism.hint")) + .shuffleGrouping(messageUpstreamComponent) + .setNumTasks(config.getInt("bolt.parser.num.tasks")); + + } catch (Exception e) { + e.printStackTrace(); + System.exit(0); + } + + return true; + } + + @Override + public boolean initializeTestingSpout(String name) { + try { + + System.out.println("[OpenSOC] Initializing Test Spout"); + + GenericInternalTestSpout testSpout = new GenericInternalTestSpout() + .withFilename(test_file_path).withRepeating( + config.getBoolean("spout.test.parallelism.repeat")); + + builder.setSpout(name, testSpout, + config.getInt("spout.test.parallelism.hint")).setNumTasks( + config.getInt("spout.test.num.tasks")); + + } catch (Exception e) { + e.printStackTrace(); + System.exit(0); + } + return true; + } + + + +} diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/BroRunner.java b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/BroRunner.java index fd951b3ea4..c44801743e 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/BroRunner.java +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/BroRunner.java 
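Review bot: In `initializeParsingBolt` of the new AsaRunner, the class named by `bolt.parser.adapter` is loaded and instantiated before anything checks that it is a `MessageParser`: `loaded_class.newInstance()` runs the constructor of whatever class the configuration names, and only the cast afterwards rejects a wrong type. Since topology.conf decides which code runs inside the topology, narrow the type first with `MessageParser parser = Class.forName(class_name).asSubclass(MessageParser.class).newInstance();` and treat write access to that file as equivalent to code deployment. The null-check message also tells the operator to set `bolt.indexing.adapter` while the key actually read is `bolt.parser.adapter`. The same block is added in BroRunner, FireEyeRunner, ISERunner, LancopeRunner, PaloAltoFirewallRunner and SourcefireRunner.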
@@ -18,9 +18,9 @@ package com.opensoc.topology.runner; import com.opensoc.filters.GenericMessageFilter; +import com.opensoc.parser.interfaces.MessageParser; import com.opensoc.parsing.AbstractParserBolt; import com.opensoc.parsing.TelemetryParserBolt; -import com.opensoc.parsing.parsers.BasicBroParser; import com.opensoc.test.spouts.GenericInternalTestSpout; public class BroRunner extends TopologyRunner{ @@ -36,8 +36,19 @@ public boolean initializeParsingBolt(String topology_name, System.out.println("[OpenSOC] ------" + name + " is initializing from " + messageUpstreamComponent); + String class_name = config.getString("bolt.parser.adapter"); + + if(class_name == null) + { + System.out.println("[OpenSOC] Parser adapter not set. Please set bolt.indexing.adapter in topology.conf"); + throw new Exception("Parser adapter not set"); + } + + Class loaded_class = Class.forName(class_name); + MessageParser parser = (MessageParser) loaded_class.newInstance(); + AbstractParserBolt parser_bolt = new TelemetryParserBolt() - .withMessageParser(new BasicBroParser()) + .withMessageParser(parser) .withOutputFieldName(topology_name) .withMessageFilter(new GenericMessageFilter()) .withMetricConfig(config); diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/FireEyeRunner.java b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/FireEyeRunner.java new file mode 100644 index 0000000000..31026df39e --- /dev/null +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/FireEyeRunner.java 
@@ -0,0 +1,77 @@ +package com.opensoc.topology.runner; + +import com.opensoc.filters.GenericMessageFilter; +import com.opensoc.parser.interfaces.MessageParser; +import com.opensoc.parsing.AbstractParserBolt; +import com.opensoc.parsing.TelemetryParserBolt; +import com.opensoc.test.spouts.GenericInternalTestSpout; + +public class FireEyeRunner extends TopologyRunner{ + + static String test_file_path = "SampleInput/FireeyeExampleOutput"; + + @Override + public boolean initializeParsingBolt(String topology_name, + String name) { + try { + + String messageUpstreamComponent = messageComponents.get(messageComponents.size()-1); + + System.out.println("[OpenSOC] ------" + name + " is initializing from " + messageUpstreamComponent); + + + String class_name = config.getString("bolt.parser.adapter"); + + if(class_name == null) + { + System.out.println("[OpenSOC] Parser adapter not set. Please set bolt.indexing.adapter in topology.conf"); + throw new Exception("Parser adapter not set"); + } + + Class loaded_class = Class.forName(class_name); + MessageParser parser = (MessageParser) loaded_class.newInstance(); + + + AbstractParserBolt parser_bolt = new TelemetryParserBolt() + .withMessageParser(parser) + .withOutputFieldName(topology_name) + .withMessageFilter(new GenericMessageFilter()) + .withMetricConfig(config); + + builder.setBolt(name, parser_bolt, + config.getInt("bolt.parser.parallelism.hint")) + .shuffleGrouping(messageUpstreamComponent) + .setNumTasks(config.getInt("bolt.parser.num.tasks")); + + } catch (Exception e) { + e.printStackTrace(); + System.exit(0); + } + + return true; + } + + @Override + public boolean initializeTestingSpout(String name) { + try { + + System.out.println("[OpenSOC] Initializing Test Spout"); + + GenericInternalTestSpout testSpout = new GenericInternalTestSpout() + .withFilename(test_file_path).withRepeating( + config.getBoolean("spout.test.parallelism.repeat")); + + builder.setSpout(name, testSpout, + 
config.getInt("spout.test.parallelism.hint")).setNumTasks( + config.getInt("spout.test.num.tasks")); + + } catch (Exception e) { + e.printStackTrace(); + System.exit(0); + } + return true; + } + + + +} \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/ISERunner.java b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/ISERunner.java index 87a648dba9..7f377d5b83 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/ISERunner.java +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/ISERunner.java @@ -18,9 +18,9 @@ package com.opensoc.topology.runner; import com.opensoc.filters.GenericMessageFilter; +import com.opensoc.parser.interfaces.MessageParser; import com.opensoc.parsing.AbstractParserBolt; import com.opensoc.parsing.TelemetryParserBolt; -import com.opensoc.parsing.parsers.BasicIseParser; import com.opensoc.test.spouts.GenericInternalTestSpout; public class ISERunner extends TopologyRunner{ @@ -36,8 +36,21 @@ public boolean initializeParsingBolt(String topology_name, System.out.println("[OpenSOC] ------" + name + " is initializing from " + messageUpstreamComponent); + + String class_name = config.getString("bolt.parser.adapter"); + + if(class_name == null) + { + System.out.println("[OpenSOC] Parser adapter not set. Please set bolt.indexing.adapter in topology.conf"); + throw new Exception("Parser adapter not set"); + } + + Class loaded_class = Class.forName(class_name); + MessageParser parser = (MessageParser) loaded_class.newInstance(); + + AbstractParserBolt parser_bolt = new TelemetryParserBolt() - .withMessageParser(new BasicIseParser()) + .withMessageParser(parser) .withOutputFieldName(topology_name) .withMessageFilter(new GenericMessageFilter()) .withMetricConfig(config); 
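Review bot: Both `catch (Exception e)` blocks in the new FireEyeRunner call `e.printStackTrace()` and then `System.exit(0)`, so a topology that failed to build its parser bolt or test spout exits with the success status and a wrapper script or scheduler cannot tell that the launch failed. Exit non-zero with `System.exit(1);`, or throw an unchecked exception that carries `e` as its cause so the caller sees the failure. The stack trace goes to stderr only; if the project has a logger in scope, logging the exception there would keep it with the rest of the topology's output. AsaRunner and PaloAltoFirewallRunner add the same handlers.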
diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/LancopeRunner.java b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/LancopeRunner.java index ef73e13a2f..1031abffe4 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/LancopeRunner.java +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/LancopeRunner.java @@ -18,6 +18,7 @@ package com.opensoc.topology.runner; import com.opensoc.filters.GenericMessageFilter; +import com.opensoc.parser.interfaces.MessageParser; import com.opensoc.parsing.AbstractParserBolt; import com.opensoc.parsing.TelemetryParserBolt; import com.opensoc.parsing.parsers.BasicLancopeParser; @@ -36,8 +37,20 @@ public boolean initializeParsingBolt(String topology_name, System.out.println("[OpenSOC] ------" + name + " is initializing from " + messageUpstreamComponent); + + String class_name = config.getString("bolt.parser.adapter"); + + if(class_name == null) + { + System.out.println("[OpenSOC] Parser adapter not set. Please set bolt.indexing.adapter in topology.conf"); + throw new Exception("Parser adapter not set"); + } + + Class loaded_class = Class.forName(class_name); + MessageParser parser = (MessageParser) loaded_class.newInstance(); + AbstractParserBolt parser_bolt = new TelemetryParserBolt() - .withMessageParser(new BasicLancopeParser()) + .withMessageParser(parser) .withOutputFieldName(topology_name) .withMessageFilter(new GenericMessageFilter()) .withMetricConfig(config); diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/PaloAltoFirewallRunner.java b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/PaloAltoFirewallRunner.java new file mode 100644 index 0000000000..0b6adadbf5 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/PaloAltoFirewallRunner.java 
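Review bot: `import com.opensoc.parsing.parsers.BasicLancopeParser;` stays in LancopeRunner as a context line although the second hunk removes `new BasicLancopeParser()`, the only use visible here. BroRunner, ISERunner and SourcefireRunner drop the matching import in this same commit. If nothing outside these hunks still references the class, remove the import so the runner keeps no compile-time tie to one specific parser; the rest of the file is not shown, so that needs confirming.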
@@ -0,0 +1,95 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.opensoc.topology.runner; + +import com.opensoc.filters.GenericMessageFilter; +import com.opensoc.parser.interfaces.MessageParser; +import com.opensoc.parsing.AbstractParserBolt; +import com.opensoc.parsing.TelemetryParserBolt; +import com.opensoc.test.spouts.GenericInternalTestSpout; + +public class PaloAltoFirewallRunner extends TopologyRunner{ + + static String test_file_path = "SampleInput/PaloaltoOutput"; + + @Override + public boolean initializeParsingBolt(String topology_name, + String name) { + try { + + String messageUpstreamComponent = messageComponents.get(messageComponents.size()-1); + + System.out.println("[OpenSOC] ------" + name + " is initializing from " + messageUpstreamComponent); + + + String class_name = config.getString("bolt.parser.adapter"); + + if(class_name == null) + { + System.out.println("[OpenSOC] Parser adapter not set. 
Please set bolt.indexing.adapter in topology.conf"); + throw new Exception("Parser adapter not set"); + } + + Class loaded_class = Class.forName(class_name); + MessageParser parser = (MessageParser) loaded_class.newInstance(); + + + + AbstractParserBolt parser_bolt = new TelemetryParserBolt() + .withMessageParser(parser) + .withOutputFieldName(topology_name) + .withMessageFilter(new GenericMessageFilter()) + .withMetricConfig(config); + + builder.setBolt(name, parser_bolt, + config.getInt("bolt.parser.parallelism.hint")) + .shuffleGrouping(messageUpstreamComponent) + .setNumTasks(config.getInt("bolt.parser.num.tasks")); + + } catch (Exception e) { + e.printStackTrace(); + System.exit(0); + } + + return true; + } + + @Override + public boolean initializeTestingSpout(String name) { + try { + + System.out.println("[OpenSOC] Initializing Test Spout"); + + GenericInternalTestSpout testSpout = new GenericInternalTestSpout() + .withFilename(test_file_path).withRepeating( + config.getBoolean("spout.test.parallelism.repeat")); + + builder.setSpout(name, testSpout, + config.getInt("spout.test.parallelism.hint")).setNumTasks( + config.getInt("spout.test.num.tasks")); + + } catch (Exception e) { + e.printStackTrace(); + System.exit(0); + } + return true; + } + + + +} diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/PcapRunner.java b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/PcapRunner.java index 962048341d..a26a467e46 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/PcapRunner.java +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/PcapRunner.java 
@@ -56,7 +56,9 @@ boolean initializeParsingBolt(String topology_name, String name) { System.out.println("[OpenSOC] ------" + name + " is initializing from " + messageUpstreamComponent); - builder.setBolt(name, new PcapParserBolt(), + PcapParserBolt pcapParser = new PcapParserBolt().withTsPrecision(config.getString("bolt.parser.ts.precision")); + + builder.setBolt(name, pcapParser, config.getInt("bolt.parser.parallelism.hint")) .setNumTasks(config.getInt("bolt.parser.num.tasks")) .shuffleGrouping(messageUpstreamComponent); diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/SourcefireRunner.java b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/SourcefireRunner.java index 04d2fdf788..69b4581f74 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/SourcefireRunner.java +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/SourcefireRunner.java @@ -18,9 +18,9 @@ package com.opensoc.topology.runner; import com.opensoc.filters.GenericMessageFilter; +import com.opensoc.parser.interfaces.MessageParser; import com.opensoc.parsing.AbstractParserBolt; import com.opensoc.parsing.TelemetryParserBolt; -import com.opensoc.parsing.parsers.BasicSourcefireParser; import com.opensoc.test.spouts.GenericInternalTestSpout; public class SourcefireRunner extends TopologyRunner{ 
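Review bot: `config.getString("bolt.parser.ts.precision")` is passed straight to `withTsPrecision`, and the single-argument `getString` returns null when the key is absent, so a topology.conf written for the previous version hands null to the parser bolt. The test changes elsewhere in this commit move the HBase time-range bounds from micros to millis, so a missing or mistyped precision could plausibly place packets in the wrong time window without any error. Read the key once into a local, fail fast with a message naming `bolt.parser.ts.precision` when it is null or not one of the supported values, and only then build the bolt. `withTsPrecision` is outside this hunk, so whether it already validates its argument is unknown.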
@@ -36,8 +36,21 @@ public boolean initializeParsingBolt(String topology_name, System.out.println("[OpenSOC] ------" + name + " is initializing from " + messageUpstreamComponent); + + String class_name = config.getString("bolt.parser.adapter"); + + if(class_name == null) + { + System.out.println("[OpenSOC] Parser adapter not set. Please set bolt.indexing.adapter in topology.conf"); + throw new Exception("Parser adapter not set"); + } + + Class loaded_class = Class.forName(class_name); + MessageParser parser = (MessageParser) loaded_class.newInstance(); + + AbstractParserBolt parser_bolt = new TelemetryParserBolt() - .withMessageParser(new BasicSourcefireParser()) + .withMessageParser(parser) .withOutputFieldName(topology_name) .withMessageFilter(new GenericMessageFilter()) .withMetricConfig(config); diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/TopologyRunner.java b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/TopologyRunner.java index 095d3be83b..72c2240e0a 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/TopologyRunner.java +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/java/com/opensoc/topology/runner/TopologyRunner.java @@ -17,14 +17,17 @@ */ package com.opensoc.topology.runner; +import java.lang.reflect.Constructor; import java.util.ArrayList; +import java.util.Arrays; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Stack; +import oi.thekraken.grok.api.Grok; + import org.apache.commons.configuration.Configuration; -import org.apache.commons.configuration.ConfigurationException; import org.apache.commons.configuration.PropertiesConfiguration; import org.apache.commons.lang.StringUtils; import org.apache.storm.hdfs.bolt.HdfsBolt; 
@@ -48,15 +51,18 @@ import backtype.storm.Config; import backtype.storm.LocalCluster; import backtype.storm.StormSubmitter; -import backtype.storm.generated.AlreadyAliveException; import backtype.storm.generated.Grouping; -import backtype.storm.generated.InvalidTopologyException; import backtype.storm.spout.RawScheme; import backtype.storm.spout.SchemeAsMultiScheme; import backtype.storm.topology.BoltDeclarer; import backtype.storm.topology.TopologyBuilder; import backtype.storm.tuple.Fields; +import com.esotericsoftware.kryo.serializers.FieldSerializer; +import com.esotericsoftware.kryo.serializers.MapSerializer; + + + import com.opensoc.alerts.TelemetryAlertsBolt; import com.opensoc.alerts.adapters.HbaseWhiteAndBlacklistAdapter; import com.opensoc.alerts.interfaces.AlertsAdapter; @@ -64,17 +70,17 @@ import com.opensoc.enrichment.adapters.geo.GeoMysqlAdapter; import com.opensoc.enrichment.adapters.host.HostFromPropertiesFileAdapter; import com.opensoc.enrichment.adapters.whois.WhoisHBaseAdapter; +import com.opensoc.enrichment.adapters.threat.ThreatHbaseAdapter; import com.opensoc.enrichment.common.GenericEnrichmentBolt; import com.opensoc.enrichment.interfaces.EnrichmentAdapter; import com.opensoc.hbase.HBaseBolt; import com.opensoc.hbase.HBaseStreamPartitioner; import com.opensoc.hbase.TupleTableConfig; +import com.opensoc.helpers.topology.Cli; +import com.opensoc.helpers.topology.SettingsLoader; +import com.opensoc.index.interfaces.IndexAdapter; import com.opensoc.indexing.TelemetryIndexingBolt; -import com.opensoc.indexing.adapters.ESBaseBulkAdapter; -import com.opensoc.indexing.adapters.ESTimedRotatingAdapter; import com.opensoc.json.serialization.JSONKryoSerializer; -import com.opensoc.topologyhelpers.Cli; -import com.opensoc.topologyhelpers.SettingsLoader; public abstract class TopologyRunner { 
@@ -93,8 +99,7 @@ public abstract class TopologyRunner { protected Stack terminalComponents = new Stack(); public void initTopology(String args[], String subdir) - throws ConfigurationException, AlreadyAliveException, - InvalidTopologyException { + throws Exception { Cli command_line = new Cli(args); command_line.parse(); @@ -148,7 +153,7 @@ public void initTopology(String args[], String subdir) builder = new TopologyBuilder(); conf = new Config(); - conf.registerSerialization(JSONObject.class, JSONKryoSerializer.class); + conf.registerSerialization(JSONObject.class, MapSerializer.class); conf.setDebug(debug); System.out.println("[OpenSOC] Initializing Spout: " + topology_name); @@ -180,8 +185,8 @@ public void initTopology(String args[], String subdir) "spout.kafka"); } - if (config.getBoolean("parser.bolt.enabled", true)) { - String component_name = config.getString("parser.bolt.name", + if (config.getBoolean("bolt.parser.enabled", true)) { + String component_name = config.getString("bolt.parser.name", "DefaultTopologyParserBot"); success = initializeParsingBolt(topology_name, component_name); @@ -194,7 +199,7 @@ public void initTopology(String args[], String subdir) + " initialized with the following settings:"); SettingsLoader.printConfigOptions((PropertiesConfiguration) config, - "parser.bolt"); + "bolt.parser"); } if (config.getBoolean("bolt.enrichment.geo.enabled", false)) { 
@@ -259,6 +264,21 @@ public void initTopology(String args[], String subdir) SettingsLoader.printConfigOptions((PropertiesConfiguration) config, "bolt.enrichment.cif"); } + + if (config.getBoolean("bolt.enrichment.threat.enabled", false)) { + String component_name = config.getString( + "bolt.enrichment.threat.name", "DefaultThreatEnrichmentBolt"); + + success = initializeThreatEnrichment(topology_name, component_name); + messageComponents.add(component_name); + errorComponents.add(component_name); + + System.out.println("[OpenSOC] ------Component " + component_name + + " initialized with the following settings:"); + + SettingsLoader.printConfigOptions((PropertiesConfiguration) config, + "bolt.enrichment.threat"); + } if (config.getBoolean("bolt.alerts.enabled", false)) { String component_name = config.getString("bolt.alerts.name", @@ -392,6 +412,7 @@ public void initTopology(String args[], String subdir) } else { conf.setNumWorkers(config.getInt("num.workers")); + conf.setNumAckers(config.getInt("num.ackers")); StormSubmitter.submitTopology(topology_name, conf, builder.createTopology()); } @@ -486,7 +507,15 @@ public boolean initializeHbaseBolt(String name, String shuffleType) { private boolean initializeErrorIndexBolt(String component_name) { try { + + Class loaded_class = Class.forName(config.getString("bolt.error.indexing.adapter")); + IndexAdapter adapter = (IndexAdapter) loaded_class.newInstance(); + String dateFormat = "yyyy.MM"; + if (config.containsKey("bolt.alerts.indexing.timestamp")) { + dateFormat = config.getString("bolt.alerts.indexing.timestamp"); + } + TelemetryIndexingBolt indexing_bolt = new TelemetryIndexingBolt() .withIndexIP(config.getString("es.ip")) .withIndexPort(config.getInt("es.port")) 
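Review bot: `config.getInt("num.ackers")` in the cluster-submit branch has no default, and commons-configuration's `getInt(String)` throws `NoSuchElementException` when the key is absent. The asa/topology.conf added in this commit sets `num.workers` but not `num.ackers`; the key may come from an included environment file, which is not visible here. Guarding the call keeps Storm's own default for existing configs: `if (config.containsKey("num.ackers")) { conf.setNumAckers(config.getInt("num.ackers")); }`.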
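Review bot: initializeErrorIndexBolt takes its date format from `bolt.alerts.indexing.timestamp` rather than `bolt.error.indexing.timestamp`, so the `bolt.error.indexing.timestamp=yyyy.MM` entries this commit adds to the topology.conf files are never read and the error index follows the alerts setting instead. Both lines should use the error key: `if (config.containsKey("bolt.error.indexing.timestamp")) { dateFormat = config.getString("bolt.error.indexing.timestamp"); }`. The method body continues outside the hunk.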
@@ -495,8 +524,9 @@ private boolean initializeErrorIndexBolt(String component_name) { config.getString("bolt.error.indexing.indexname")) .withDocumentName( config.getString("bolt.error.indexing.documentname")) + .withIndexTimestamp(dateFormat) .withBulk(config.getInt("bolt.error.indexing.bulk")) - .withIndexAdapter(new ESBaseBulkAdapter()) + .withIndexAdapter(adapter) .withMetricConfiguration(config); BoltDeclarer declarer = builder @@ -553,10 +583,10 @@ private boolean initializeGeoEnrichment(String topology_name, String name) { System.out.println("[OpenSOC] ------" + name + " is initializing from " + messageUpstreamComponent); - List geo_keys = new ArrayList(); - geo_keys.add(config.getString("source.ip")); - geo_keys.add(config.getString("dest.ip")); - + + String[] keys_from_settings = config.getStringArray("bolt.enrichment.geo.fields"); + List geo_keys = new ArrayList(Arrays.asList(keys_from_settings)); + GeoMysqlAdapter geo_adapter = new GeoMysqlAdapter( config.getString("mysql.ip"), config.getInt("mysql.port"), config.getString("mysql.username"), @@ -569,9 +599,9 @@ private boolean initializeGeoEnrichment(String topology_name, String name) { .withOutputFieldName(topology_name) .withAdapter(geo_adapter) .withMaxTimeRetain( - config.getInt("bolt.enrichment.geo.MAX_TIME_RETAIN")) + config.getInt("bolt.enrichment.geo.MAX_TIME_RETAIN_MINUTES")) .withMaxCacheSize( - config.getInt("bolt.enrichment.geo.MAX_CACHE_SIZE")) + config.getInt("bolt.enrichment.geo.MAX_CACHE_SIZE_OBJECTS_NUM")) .withKeys(geo_keys).withMetricConfiguration(config); builder.setBolt(name, geo_enrichment, 
@@ -614,9 +644,9 @@ private boolean initializeHostsEnrichment(String topology_name, config.getString("bolt.enrichment.host.enrichment_tag")) .withAdapter(host_adapter) .withMaxTimeRetain( - config.getInt("bolt.enrichment.host.MAX_TIME_RETAIN")) + config.getInt("bolt.enrichment.host.MAX_TIME_RETAIN_MINUTES")) .withMaxCacheSize( - config.getInt("bolt.enrichment.host.MAX_CACHE_SIZE")) + config.getInt("bolt.enrichment.host.MAX_CACHE_SIZE_OBJECTS_NUM")) .withOutputFieldName(topology_name).withKeys(hosts_keys) .withMetricConfiguration(config); @@ -635,10 +665,23 @@ private boolean initializeHostsEnrichment(String topology_name, return true; } + @SuppressWarnings("rawtypes") private boolean initializeAlerts(String topology_name, String name, String alerts_path, JSONObject environment_identifier, JSONObject topology_identifier) { try { + + Class loaded_class = Class.forName(config.getString("bolt.alerts.adapter")); + Constructor constructor = loaded_class.getConstructor(new Class[] { Map.class}); + + Map settings = SettingsLoader.getConfigOptions((PropertiesConfiguration)config, config.getString("bolt.alerts.adapter") + "."); + + System.out.println("Adapter Settings: "); + SettingsLoader.printOptionalSettings(settings); + + AlertsAdapter alerts_adapter = (AlertsAdapter) constructor.newInstance(settings); + + String messageUpstreamComponent = messageComponents .get(messageComponents.size() - 1); @@ -650,10 +693,7 @@ private boolean initializeAlerts(String topology_name, String name, .generateAlertsIdentifier(environment_identifier, topology_identifier); - AlertsAdapter alerts_adapter = new HbaseWhiteAndBlacklistAdapter( - "ip_whitelist", "ip_blacklist", - config.getString("kafka.zk.list"), - config.getString("kafka.zk.port"), 3600, 1000); + TelemetryAlertsBolt alerts_bolt = new TelemetryAlertsBolt() .withIdentifier(alerts_identifier).withMaxCacheSize(1000) 
@@ -675,12 +715,21 @@ private boolean initializeAlerts(String topology_name, String name, } private boolean initializeAlertIndexing(String name) { + + try{ String messageUpstreamComponent = alertComponents.get(alertComponents .size() - 1); System.out.println("[OpenSOC] ------" + name + " is initializing from " + messageUpstreamComponent); + + Class loaded_class = Class.forName(config.getString("bolt.alerts.indexing.adapter")); + IndexAdapter adapter = (IndexAdapter) loaded_class.newInstance(); + String dateFormat = "yyyy.MM.dd"; + if (config.containsKey("bolt.alerts.indexing.timestamp")) { + dateFormat = config.getString("bolt.alerts.indexing.timestamp"); + } TelemetryIndexingBolt indexing_bolt = new TelemetryIndexingBolt() .withIndexIP(config.getString("es.ip")) .withIndexPort(config.getInt("es.port")) @@ -689,8 +738,9 @@ private boolean initializeAlertIndexing(String name) { config.getString("bolt.alerts.indexing.indexname")) .withDocumentName( config.getString("bolt.alerts.indexing.documentname")) + .withIndexTimestamp(dateFormat) .withBulk(config.getInt("bolt.alerts.indexing.bulk")) - .withIndexAdapter(new ESBaseBulkAdapter()) + .withIndexAdapter(adapter) .withMetricConfiguration(config); String alerts_name = config.getString("bolt.alerts.indexing.name"); @@ -698,6 +748,12 @@ private boolean initializeAlertIndexing(String name) { config.getInt("bolt.indexing.parallelism.hint")) .shuffleGrouping(messageUpstreamComponent, "alert") .setNumTasks(config.getInt("bolt.indexing.num.tasks")); + } + catch(Exception e) + { + e.printStackTrace(); + return false; + } return true; } 
@@ -748,12 +804,8 @@ private boolean initializeWhoisEnrichment(String topology_name, String name) { System.out.println("[OpenSOC] ------" + name + " is initializing from " + messageUpstreamComponent); - List whois_keys = new ArrayList(); - String[] keys_from_settings = config.getString( - "bolt.enrichment.whois.source").split(","); - - for (String key : keys_from_settings) - whois_keys.add(key); + String[] keys_from_settings = config.getString("bolt.enrichment.whois.fields").split(","); + List whois_keys = new ArrayList(Arrays.asList(keys_from_settings)); EnrichmentAdapter whois_adapter = new WhoisHBaseAdapter( config.getString("bolt.enrichment.whois.hbase.table.name"), @@ -766,9 +818,9 @@ private boolean initializeWhoisEnrichment(String topology_name, String name) { .withOutputFieldName(topology_name) .withAdapter(whois_adapter) .withMaxTimeRetain( - config.getInt("bolt.enrichment.whois.MAX_TIME_RETAIN")) + config.getInt("bolt.enrichment.whois.MAX_TIME_RETAIN_MINUTES")) .withMaxCacheSize( - config.getInt("bolt.enrichment.whois.MAX_CACHE_SIZE")) + config.getInt("bolt.enrichment.whois.MAX_CACHE_SIZE_OBJECTS_NUM")) .withKeys(whois_keys).withMetricConfiguration(config); builder.setBolt(name, whois_enrichment, 
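Review bot: `config.getString("bolt.enrichment.whois.fields").split(",")` is likely to see only the first field. If list-delimiter parsing is active for this configuration, as the `getStringArray` calls elsewhere in this diff assume, a value such as `host,query` (set in bro/topology.conf in this commit) is stored as a list and `getString` returns only its first element, so `query` would not be enriched. The call also throws a NullPointerException when the key is missing. Using the same accessor as the geo, threat and CIF initializers avoids both: `String[] keys_from_settings = config.getStringArray("bolt.enrichment.whois.fields");`. The method starts and ends outside the hunk.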
@@ -794,16 +846,34 @@ private boolean initializeIndexingBolt(String name) { System.out.println("[OpenSOC] ------" + name + " is initializing from " + messageUpstreamComponent); + + Class loaded_class = Class.forName(config.getString("bolt.indexing.adapter")); + IndexAdapter adapter = (IndexAdapter) loaded_class.newInstance(); + + Map settings = SettingsLoader.getConfigOptions((PropertiesConfiguration)config, "optional.settings.bolt.index.search."); + + if(settings != null && settings.size() > 0) + { + adapter.setOptionalSettings(settings); + System.out.println("[OpenSOC] Index Bolt picket up optional settings:"); + SettingsLoader.printOptionalSettings(settings); + } + // dateFormat defaults to hourly if not specified + String dateFormat = "yyyy.MM.dd.hh"; + if (config.containsKey("bolt.indexing.timestamp")) { + dateFormat = config.getString("bolt.indexing.timestamp"); + } TelemetryIndexingBolt indexing_bolt = new TelemetryIndexingBolt() .withIndexIP(config.getString("es.ip")) .withIndexPort(config.getInt("es.port")) .withClusterName(config.getString("es.clustername")) .withIndexName(config.getString("bolt.indexing.indexname")) + .withIndexTimestamp(dateFormat) .withDocumentName( config.getString("bolt.indexing.documentname")) .withBulk(config.getInt("bolt.indexing.bulk")) - .withIndexAdapter(new ESTimedRotatingAdapter()) + .withIndexAdapter(adapter) .withMetricConfiguration(config); builder.setBolt(name, indexing_bolt, 
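Review bot: The default `"yyyy.MM.dd.hh"` is commented as hourly, but if the pattern is handed to `SimpleDateFormat` (the formatting code is not in this hunk), `hh` is the 12-hour clock, so 01:00 and 13:00 would land in the same index. `String dateFormat = "yyyy.MM.dd.HH";` gives 24 distinct hours. Separately, `Class.forName(config.getString("bolt.indexing.adapter"))` has no null check, unlike the parser adapter lookup added in this commit, so a missing key surfaces as a NullPointerException rather than a message naming the setting. initializeIndexingBolt starts and ends outside the hunk.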
@@ -819,6 +889,50 @@ private boolean initializeIndexingBolt(String name) { return true; } + + + private boolean initializeThreatEnrichment(String topology_name, String name) { + try { + + String messageUpstreamComponent = messageComponents + .get(messageComponents.size() - 1); + + System.out.println("[OpenSOC] ------" + name + + " is initializing from " + messageUpstreamComponent); + + String[] fields = config.getStringArray("bolt.enrichment.threat.fields"); + List threat_keys = new ArrayList(Arrays.asList(fields)); + + GenericEnrichmentBolt threat_enrichment = new GenericEnrichmentBolt() + .withEnrichmentTag( + config.getString("bolt.enrichment.threat.enrichment_tag")) + .withAdapter( + new ThreatHbaseAdapter(config + .getString("kafka.zk.list"), config + .getString("kafka.zk.port"), config + .getString("bolt.enrichment.threat.tablename"))) + .withOutputFieldName(topology_name) + .withEnrichmentTag(config.getString("bolt.enrichment.threat.enrichment_tag")) + .withKeys(threat_keys) + .withMaxTimeRetain( + config.getInt("bolt.enrichment.threat.MAX_TIME_RETAIN_MINUTES")) + .withMaxCacheSize( + config.getInt("bolt.enrichment.threat.MAX_CACHE_SIZE_OBJECTS_NUM")) + .withMetricConfiguration(config); + + builder.setBolt(name, threat_enrichment, + config.getInt("bolt.enrichment.threat.parallelism.hint")) + .fieldsGrouping(messageUpstreamComponent, "message", + new Fields("key")) + .setNumTasks(config.getInt("bolt.enrichment.threat.num.tasks")); + + } catch (Exception e) { + e.printStackTrace(); + System.exit(0); + } + + return true; + } private boolean initializeCIFEnrichment(String topology_name, String name) { try { 
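Review bot: The catch block in initializeThreatEnrichment calls `System.exit(0)`, so a failed initialization ends the JVM with a success status and whatever launched the topology cannot tell that the threat-intel stage never came up. initializeAlertIndexing in this same commit returns `false` from its catch block instead; here, `return false;` or at least `System.exit(1);` would make the failure visible. `withEnrichmentTag(config.getString("bolt.enrichment.threat.enrichment_tag"))` is also called twice in the builder chain, and the second call can be dropped.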
@@ -831,11 +945,15 @@ private boolean initializeCIFEnrichment(String topology_name, String name) { List cif_keys = new ArrayList(); - cif_keys.add(config.getString("source.ip")); - cif_keys.add(config.getString("dest.ip")); - cif_keys.add(config.getString("bolt.enrichment.cif.host")); - cif_keys.add(config.getString("bolt.enrichment.cif.email")); - + String[] ipFields = config.getStringArray("bolt.enrichment.cif.fields.ip"); + cif_keys.addAll(Arrays.asList(ipFields)); + + String[] hostFields = config.getStringArray("bolt.enrichment.cif.fields.host"); + cif_keys.addAll(Arrays.asList(hostFields)); + + String[] emailFields = config.getStringArray("bolt.enrichment.cif.fields.email"); + cif_keys.addAll(Arrays.asList(emailFields)); + GenericEnrichmentBolt cif_enrichment = new GenericEnrichmentBolt() .withEnrichmentTag( config.getString("bolt.enrichment.cif.enrichment_tag")) @@ -845,12 +963,11 @@ private boolean initializeCIFEnrichment(String topology_name, String name) { .getString("kafka.zk.port"), config .getString("bolt.enrichment.cif.tablename"))) .withOutputFieldName(topology_name) - .withEnrichmentTag("CIF_Enrichment") .withKeys(cif_keys) .withMaxTimeRetain( - config.getInt("bolt.enrichment.cif.MAX_TIME_RETAIN")) + config.getInt("bolt.enrichment.cif.MAX_TIME_RETAIN_MINUTES")) .withMaxCacheSize( - config.getInt("bolt.enrichment.cif.MAX_CACHE_SIZE")) + config.getInt("bolt.enrichment.cif.MAX_CACHE_SIZE_OBJECTS_NUM")) .withMetricConfiguration(config); builder.setBolt(name, cif_enrichment, diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/asa/features_enabled.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/asa/features_enabled.conf new file mode 100644 index 0000000000..5b45ddef9a --- /dev/null +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/asa/features_enabled.conf 
@@ -0,0 +1,113 @@ +#Enable and disable features for each topology + +#Feature: Test spout +##Feature Description: Reads telemetry from file and ingests it into topology. Used for testing or bulk loading the topology + +spout.test.name=TestSpout +spout.test.enabled=true +spout.test.num.tasks=1 +spout.test.parallelism.hint=1 + +#Feature: Kafka spout +##Feature Description: Acts as a Kafka consumer. Takes messages from a Kafka topic and ingests them into a topology + +spout.kafka.name=KafkaSpout +spout.kafka.enabled=false +spout.kafka.num.tasks=1 +spout.kafka.parallelism.hint=1 + +#Feature: Parser Bolt +##Feature Description: Parses telemetry from its native format into a native JSON + +bolt.parser.name=ParserBolt +bolt.parser.enabled=true +bolt.parser.num.tasks=1 +bolt.parser.parallelism.hint=1 + +#Feature: Host Enrichment +##Feature Description: Appends information about known hosts to a telemetry message + +bolt.enrichment.host.name=HostEnrichment +bolt.enrichment.host.enabled=true +bolt.enrichment.host.num.tasks=1 +bolt.enrichment.host.parallelism.hint=1 + +#Feature: Geo Enrichment +##Feature Description: Appends geo information about known non-local IPs to a telemetry message + +bolt.enrichment.geo.name=GeoEnrichment +bolt.enrichment.geo.enabled=true +bolt.enrichment.geo.num.tasks=1 +bolt.enrichment.geo.parallelism.hint=1 + +#Feature: Whois Enrichment +##Feature Description: Appends whois information about known domains to a telemetry message + +bolt.enrichment.whois.name=WhoisEnrichment +bolt.enrichment.whois.enabled=false +bolt.enrichment.whois.num.tasks=1 +bolt.enrichment.whois.parallelism.hint=1 + +#Feature: CIF Enrichment +##Feature Description: Appends information from CIF threat intelligence feeds to a telemetry message + +bolt.enrichment.cif.name=SIFBolt +bolt.enrichment.cif.enabled=false +bolt.enrichment.cif.num.tasks=1 +bolt.enrichment.cif.parallelism.hint=1 + +#Feature: Threat Enrichment +##Feature Description: Appends information from Threat 
intelligence feeds to a telemetry message + +bolt.enrichment.threat.name=ThreatBolt +bolt.enrichment.threat.enabled=false +bolt.enrichment.threat.num.tasks=1 +bolt.enrichment.threat.parallelism.hint=1 + +#Feature: Rules-Based Alerts +##Feature Description: Tags messages with rules-based alerts + +bolt.alerts.name=Alerts +bolt.alerts.enabled=true +bolt.alerts.num.tasks=1 +bolt.alerts.parallelism.hint=1 + +#Feature: Indexer +##Feature Description: Indexes telemetry messages in ElasticSearch or Solr + +bolt.indexing.name=IndexBolt +bolt.indexing.enabled=true +bolt.indexing.num.tasks=1 +bolt.indexing.parallelism.hint=1 + +#Feature: Alerts Indexer +##Feature Description: Indexes alert messages in ElasticSearch or Solr + +bolt.alerts.indexing.name=AlertIndexBolt +bolt.alerts.indexing.enabled=true +bolt.alerts.indexing.num.tasks=1 +bolt.alerts.indexing.parallelism.hint=1 + +#Feature: Error Indexer +##Feature Description: Indexes error messages in ElasticSearch or Solr + +bolt.error.indexing.name=ErrorIndexBolt +bolt.error.indexing.enabled=true +bolt.error.indexing.num.tasks=1 +bolt.error.indexing.parallelism.hint=1 + +#Feature: Kafka Bolt +##Feature Description: Writes telemetry messages back into a Kafka topic + +bolt.kafka.name=KafkaBolt +bolt.kafka.enabled=false +bolt.kafka.num.tasks=1 +bolt.kafka.parallelism.hint=1 + +#Feature: HDFS Bolt +##Feature Description: Writes telemetry messages into HDFS + +bolt.hdfs.name=HDFSBolt +bolt.hdfs.enabled=false +bolt.hdfs.num.tasks=1 +bolt.hdfs.parallelism.hint=1 \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/asa/metrics.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/asa/metrics.conf new file mode 100644 index 0000000000..1daef3d889 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/asa/metrics.conf 
@@ -0,0 +1,26 @@ +#reporters +com.opensoc.metrics.reporter.graphite=true +com.opensoc.metrics.reporter.console=false +com.opensoc.metrics.reporter.jmx=false + +#Graphite Addresses + +com.opensoc.metrics.graphite.address=localhost +com.opensoc.metrics.graphite.port=2023 + +#TelemetryParserBolt +com.opensoc.metrics.TelemetryParserBolt.acks=true +com.opensoc.metrics.TelemetryParserBolt.emits=true +com.opensoc.metrics.TelemetryParserBolt.fails=true + + +#GenericEnrichmentBolt +com.opensoc.metrics.GenericEnrichmentBolt.acks=true +com.opensoc.metrics.GenericEnrichmentBolt.emits=true +com.opensoc.metrics.GenericEnrichmentBolt.fails=true + + +#TelemetryIndexingBolt +com.opensoc.metrics.TelemetryIndexingBolt.acks=true +com.opensoc.metrics.TelemetryIndexingBolt.emits=true +com.opensoc.metrics.TelemetryIndexingBolt.fails=true diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/asa/topology.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/asa/topology.conf new file mode 100644 index 0000000000..1720632cbf --- /dev/null +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/asa/topology.conf 
@@ -0,0 +1,110 @@ +include = ../../etc/env/environment_common.conf +include = ../../etc/env/es_connection.conf +include = ../../etc/env/hdfs_connection.conf +include = ../../etc/env/mysql_connection.conf +include = metrics.conf +include = features_enabled.conf + +#Global Properties + +debug.mode=true +local.mode=true +num.workers=1 + +#Standard 5-tuple fields + +source.ip=ip_src_addr +source.port=ip_src_port +dest.ip=ip_dst_addr +dest.port=ip_dst_port +protocol=protocol + +#Test Spout +spout.test.parallelism.repeat=false + +#Kafka Spout +spout.kafka.topic=asa_raw + +#Parser Bolt +bolt.parser.adapter=com.opensoc.parsing.parsers.GrokAsaParser + +#Host Enrichment + +bolt.enrichment.host.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.host.MAX_TIME_RETAIN_MINUTES=10 +bolt.enrichment.host.enrichment_tag=host + + +#GeoEnrichment + +bolt.enrichment.geo.enrichment_tag=geo +bolt.enrichment.geo.adapter.table=GEO +bolt.enrichment.geo.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.geo.MAX_TIME_RETAIN_MINUTES=10 +bolt.enrichment.geo.fields=ip_src_addr,ip_dst_addr + +#WhoisEnrichment + +bolt.enrichment.whois.hbase.table.name=whois +bolt.enrichment.whois.enrichment_tag=whois +bolt.enrichment.whois.fields=host +bolt.enrichment.whois.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.whois.MAX_TIME_RETAIN_MINUTES=10 + +#CIF Enrichment +bolt.enrichment.cif.tablename=cif_table +bolt.enrichment.cif.fields.host=host +bolt.enrichment.cif.fields.email=email +bolt.enrichment.cif.fields.ip=ip_src_addr,ip_dst_addr +bolt.enrichment.cif.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.cif.MAX_TIME_RETAIN_MINUTES=10 +bolt.enrichment.cif.enrichment_tag=cif + +#Threat Enrichment +bolt.enrichment.threat.tablename=threat_table +bolt.enrichment.threat.fields=host,ip_src_addr,ip_dst_addr +bolt.enrichment.threat.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.threat.MAX_TIME_RETAIN_MINUTES=10 +bolt.enrichment.threat.enrichment_tag=threat + +#Indexing Bolt +bolt.indexing.indexname=asa_index 
+bolt.indexing.timestamp=yyyy.MM.ww +bolt.indexing.documentname=asa_doc +bolt.indexing.bulk=1 +bolt.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter + +#Alerts Indexing Bolt +bolt.alerts.indexing.indexname=alert +bolt.alerts.indexing.timestamp.yyyy.MM.ww +bolt.alerts.indexing.documentname=asa_alert +bolt.alerts.indexing.bulk=1 +bolt.alerts.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter + +#Error Indexing Bolt +bolt.error.indexing.indexname=error +bolt.error.indexing.timestamp=yyyy.MM +bolt.error.indexing.documentname=asa_error +bolt.error.indexing.bulk=1 +bolt.error.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter + +#Alerts Bolt +bolt.alerts.adapter=com.opensoc.alerts.adapters.CIFAlertsAdapter +com.opensoc.alerts.adapters.CIFAlertsAdapter.whitelist_table_name = ip_whitelist +com.opensoc.alerts.adapters.CIFAlertsAdapter.blacklist_table_name = ip_blacklist +com.opensoc.alerts.adapters.CIFAlertsAdapter.quorum=zkpr1,zkpr2,zkpr3 +com.opensoc.alerts.adapters.CIFAlertsAdapter.port=2181 +com.opensoc.alerts.adapters.CIFAlertsAdapter._MAX_CACHE_SIZE_OBJECTS_NUM=3600 +com.opensoc.alerts.adapters.CIFAlertsAdapter._MAX_TIME_RETAIN_MINUTES=1000 + +#HDFS Bolt +bolt.hdfs.batch.size=5000 +bolt.hdfs.field.delimiter=| +bolt.hdfs.file.rotation.size.in.mb=5 +bolt.hdfs.file.system.url=hdfs://nn1:8020 +bolt.hdfs.wip.file.path=/asa/wip +bolt.hdfs.finished.file.path=/asa/rotated +bolt.hdfs.compression.codec.class=org.apache.hadoop.io.compress.SnappyCodec + +#Kafka Bolt +bolt.kafka.topic=asa_enriched \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/asa/topology_identifier.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/asa/topology_identifier.conf new file mode 100644 index 0000000000..68d3463c8b --- /dev/null 
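Review bot: Under "#Alerts Indexing Bolt" the line `bolt.alerts.indexing.timestamp.yyyy.MM.ww` has a `.` where the `=` belongs, so it defines a key named `bolt.alerts.indexing.timestamp.yyyy.MM.ww` and leaves `bolt.alerts.indexing.timestamp` unset. initializeAlertIndexing then falls back to its built-in `yyyy.MM.dd` without any warning. It should read `bolt.alerts.indexing.timestamp=yyyy.MM.ww`, as in bro/topology.conf. The file also ships `debug.mode=true` and `local.mode=true`; if it is meant as a deployable template rather than a developer sample, a comment line saying which values to change before cluster use would help.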
+++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/asa/topology_identifier.conf @@ -0,0 +1,4 @@ +#Each topology must have a unique identifier. This setting is required + +topology.id=asa +instance.id=A001 \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/bro/features_enabled.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/bro/features_enabled.conf index ef677f3b61..5b45ddef9a 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/bro/features_enabled.conf +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/bro/features_enabled.conf @@ -19,7 +19,7 @@ spout.kafka.parallelism.hint=1 #Feature: Parser Bolt ##Feature Description: Parses telemetry from its native format into a native JSON -parser.bolt.name=ParserBolt +bolt.parser.name=ParserBolt bolt.parser.enabled=true bolt.parser.num.tasks=1 bolt.parser.parallelism.hint=1 @@ -56,6 +56,14 @@ bolt.enrichment.cif.enabled=false bolt.enrichment.cif.num.tasks=1 bolt.enrichment.cif.parallelism.hint=1 +#Feature: Threat Enrichment +##Feature Description: Appends information from Threat intelligence feeds to a telemetry message + +bolt.enrichment.threat.name=ThreatBolt +bolt.enrichment.threat.enabled=false +bolt.enrichment.threat.num.tasks=1 +bolt.enrichment.threat.parallelism.hint=1 + #Feature: Rules-Based Alerts ##Feature Description: Tags messages with rules-based alerts @@ -92,7 +100,7 @@ bolt.error.indexing.parallelism.hint=1 ##Feature Description: Writes telemetry messages back into a Kafka topic bolt.kafka.name=KafkaBolt -bolt.kafka.enabled=true +bolt.kafka.enabled=false bolt.kafka.num.tasks=1 bolt.kafka.parallelism.hint=1 
@@ -100,6 +108,6 @@ bolt.kafka.parallelism.hint=1 ##Feature Description: Writes telemetry messages into HDFS bolt.hdfs.name=HDFSBolt -bolt.hdfs.enabled=true +bolt.hdfs.enabled=false bolt.hdfs.num.tasks=1 bolt.hdfs.parallelism.hint=1 \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/bro/topology.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/bro/topology.conf index 6012056b08..0012aea6ae 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/bro/topology.conf +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/bro/topology.conf @@ -26,13 +26,14 @@ spout.test.parallelism.repeat=false spout.kafka.topic=bro_raw #Parsing Bolt +bolt.parser.adapter=com.opensoc.parsing.parsers.BasicBroParser source.include.protocols=snmp,http,ftp,ssh,ssl,dns,socks,dnp3,smtp,dhcp,modbus,radius,irc source.exclude.protocols=x509,files,app_stats #Host Enrichment -bolt.enrichment.host.MAX_CACHE_SIZE=10000 -bolt.enrichment.host.MAX_TIME_RETAIN=10 +bolt.enrichment.host.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.host.MAX_TIME_RETAIN_MINUTES=10 bolt.enrichment.host.enrichment_tag=host 
@@ -40,40 +41,88 @@ bolt.enrichment.host.enrichment_tag=host bolt.enrichment.geo.enrichment_tag=geo bolt.enrichment.geo.adapter.table=GEO -bolt.enrichment.geo.MAX_CACHE_SIZE=10000 -bolt.enrichment.geo.MAX_TIME_RETAIN=10 +bolt.enrichment.geo.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.geo.MAX_TIME_RETAIN_MINUTES=10 +bolt.enrichment.geo.fields=ip_src_addr,ip_dst_addr #WhoisEnrichment bolt.enrichment.whois.hbase.table.name=whois bolt.enrichment.whois.enrichment_tag=whois -bolt.enrichment.whois.source=tld -bolt.enrichment.whois.MAX_CACHE_SIZE=10000 -bolt.enrichment.whois.MAX_TIME_RETAIN=10 +bolt.enrichment.whois.fields=host,query +bolt.enrichment.whois.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.whois.MAX_TIME_RETAIN_MINUTES=10 #CIF Enrichment bolt.enrichment.cif.tablename=cif_table -bolt.enrichment.cif.host=tld -bolt.enrichment.cif.email=email -bolt.enrichment.cif.MAX_CACHE_SIZE=10000 -bolt.enrichment.cif.MAX_TIME_RETAIN=10 +bolt.enrichment.cif.fields.host=host,query +bolt.enrichment.cif.fields.email=email +bolt.enrichment.cif.fields.ip=ip_src_addr,ip_dst_addr +bolt.enrichment.cif.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.cif.MAX_TIME_RETAIN_MINUTES=10 bolt.enrichment.cif.enrichment_tag=cif +#Threat Enrichment +bolt.enrichment.threat.tablename=threat_table +bolt.enrichment.threat.fields=host,query,ip_src_addr,ip_dst_addr +bolt.enrichment.threat.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.threat.MAX_TIME_RETAIN_MINUTES=10 +bolt.enrichment.threat.enrichment_tag=threat #Indexing Bolt bolt.indexing.indexname=bro_index +bolt.indexing.timestamp=yyyy.MM.ww bolt.indexing.documentname=bro_doc bolt.indexing.bulk=200 +bolt.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter #Alerts Indexing Bolt bolt.alerts.indexing.indexname=alert bolt.alerts.indexing.documentname=bro_alert +bolt.alerts.indexing.timestamp=yyyy.MM.ww bolt.alerts.indexing.bulk=1 +bolt.alerts.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter #Error 
Indexing Bolt bolt.error.indexing.indexname=error +bolt.error.indexing.timestamp=yyyy.MM bolt.error.indexing.documentname=bro_error bolt.error.indexing.bulk=1 +bolt.error.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter + +#Alerts Bolt + + +bolt.alerts.adapter=com.opensoc.alerts.adapters.ThreatAlertsAdapter +com.opensoc.alerts.adapters.ThreatAlertsAdapter.enrichment_tag=Threat_Enrichment +com.opensoc.alerts.adapters.ThreatAlertsAdapter.whitelist_table_name = ip_whitelist +com.opensoc.alerts.adapters.ThreatAlertsAdapter.blacklist_table_name = ip_blacklist +com.opensoc.alerts.adapters.ThreatAlertsAdapter.quorum=zkpr1,zkpr2,zkpr3 +com.opensoc.alerts.adapters.ThreatAlertsAdapter.port=2181 +com.opensoc.alerts.adapters.ThreatAlertsAdapter._MAX_CACHE_SIZE_OBJECTS_NUM=3600 +com.opensoc.alerts.adapters.ThreatAlertsAdapter._MAX_TIME_RETAIN_MINUTES=1000 + + +#bolt.alerts.adapter=com.opensoc.alerts.adapters.CIFAlertsAdapter +#com.opensoc.alerts.adapters.CIFAlertsAdapter.enrichment_tag=CIF_Enrichment +#com.opensoc.alerts.adapters.CIFAlertsAdapter.whitelist_table_name = ip_whitelist +#com.opensoc.alerts.adapters.CIFAlertsAdapter.blacklist_table_name = ip_blacklist +#com.opensoc.alerts.adapters.CIFAlertsAdapter.quorum=zkpr1,zkpr2,zkpr3 +#com.opensoc.alerts.adapters.CIFAlertsAdapter.port=2181 +#com.opensoc.alerts.adapters.CIFAlertsAdapter._MAX_CACHE_SIZE_OBJECTS_NUM=3600 +#com.opensoc.alerts.adapters.CIFAlertsAdapter._MAX_TIME_RETAIN_MINUTES=1000 + +#bolt.alerts.adapter=com.opensoc.alerts.adapters.HbaseWhiteAndBlacklistAdapter +#com.opensoc.alerts.adapters.HbaseWhiteAndBlacklistAdapter.whitelist_table_name = ip_whitelist +#com.opensoc.alerts.adapters.HbaseWhiteAndBlacklistAdapter.blacklist_table_name = ip_blacklist +#com.opensoc.alerts.adapters.HbaseWhiteAndBlacklistAdapter.quorum=zkpr1,zkpr2,zkpr3 +#com.opensoc.alerts.adapters.HbaseWhiteAndBlacklistAdapter.port=2181 +#com.opensoc.alerts.adapters.HbaseWhiteAndBlacklistAdapter._MAX_CACHE_SIZE_OBJECTS_NUM=3600 
+#com.opensoc.alerts.adapters.HbaseWhiteAndBlacklistAdapter._MAX_TIME_RETAIN_MINUTES=1000 + + + + #HDFS Bolt bolt.hdfs.batch.size=5000 diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/fireeye/features_enabled.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/fireeye/features_enabled.conf new file mode 100644 index 0000000000..5b45ddef9a --- /dev/null +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/fireeye/features_enabled.conf 
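Review bot: `com.opensoc.alerts.adapters.ThreatAlertsAdapter.enrichment_tag=Threat_Enrichment` does not match `bolt.enrichment.threat.enrichment_tag=threat` set earlier in this hunk. If the adapter uses this value to locate the block written by the threat enrichment bolt (the adapter code is not visible here), no message would match and threat alerts would silently never fire. The commented-out CIF block has the same pair, `CIF_Enrichment` against `cif`. Either align the values or add a comment above each `enrichment_tag` line stating which other setting it must agree with.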
@@ -0,0 +1,113 @@
+#Enable and disable features for each topology
+
+#Feature: Test spout
+##Feature Description: Reads telemetry from file and ingests it into topology. Used for testing or bulk loading the topology
+
+spout.test.name=TestSpout
+spout.test.enabled=true
+spout.test.num.tasks=1
+spout.test.parallelism.hint=1
+
+#Feature: Kafka spout
+##Feature Description: Acts as a Kafka consumer. Takes messages from a Kafka topic and ingests them into a topology
+
+spout.kafka.name=KafkaSpout
+spout.kafka.enabled=false
+spout.kafka.num.tasks=1
+spout.kafka.parallelism.hint=1
+
+#Feature: Parser Bolt
+##Feature Description: Parses telemetry from its native format into a native JSON
+
+bolt.parser.name=ParserBolt
+bolt.parser.enabled=true
+bolt.parser.num.tasks=1
+bolt.parser.parallelism.hint=1
+
+#Feature: Host Enrichment
+##Feature Description: Appends information about known hosts to a telemetry message
+
+bolt.enrichment.host.name=HostEnrichment
+bolt.enrichment.host.enabled=true
+bolt.enrichment.host.num.tasks=1
+bolt.enrichment.host.parallelism.hint=1
+
+#Feature: Geo Enrichment
+##Feature Description: Appends geo information about known non-local IPs to a telemetry message
+
+bolt.enrichment.geo.name=GeoEnrichment
+bolt.enrichment.geo.enabled=true
+bolt.enrichment.geo.num.tasks=1
+bolt.enrichment.geo.parallelism.hint=1
+
+#Feature: Whois Enrichment
+##Feature Description: Appends whois information about known domains to a telemetry message
+
+bolt.enrichment.whois.name=WhoisEnrichment
+bolt.enrichment.whois.enabled=false
+bolt.enrichment.whois.num.tasks=1
+bolt.enrichment.whois.parallelism.hint=1
+
+#Feature: CIF Enrichment
+##Feature Description: Appends information from CIF threat intelligence feeds to a telemetry message
+
+bolt.enrichment.cif.name=SIFBolt
+bolt.enrichment.cif.enabled=false
+bolt.enrichment.cif.num.tasks=1
+bolt.enrichment.cif.parallelism.hint=1
+
+#Feature: Threat Enrichment
+##Feature Description: Appends information from Threat intelligence feeds to a telemetry message
+
+bolt.enrichment.threat.name=ThreatBolt
+bolt.enrichment.threat.enabled=false
+bolt.enrichment.threat.num.tasks=1
+bolt.enrichment.threat.parallelism.hint=1
+
+#Feature: Rules-Based Alerts
+##Feature Description: Tags messages with rules-based alerts
+
+bolt.alerts.name=Alerts
+bolt.alerts.enabled=true
+bolt.alerts.num.tasks=1
+bolt.alerts.parallelism.hint=1
+
+#Feature: Indexer
+##Feature Description: Indexes telemetry messages in ElasticSearch or Solr
+
+bolt.indexing.name=IndexBolt
+bolt.indexing.enabled=true
+bolt.indexing.num.tasks=1
+bolt.indexing.parallelism.hint=1
+
+#Feature: Alerts Indexer
+##Feature Description: Indexes alert messages in ElasticSearch or Solr
+
+bolt.alerts.indexing.name=AlertIndexBolt
+bolt.alerts.indexing.enabled=true
+bolt.alerts.indexing.num.tasks=1
+bolt.alerts.indexing.parallelism.hint=1
+
+#Feature: Error Indexer
+##Feature Description: Indexes error messages in ElasticSearch or Solr
+
+bolt.error.indexing.name=ErrorIndexBolt
+bolt.error.indexing.enabled=true
+bolt.error.indexing.num.tasks=1
+bolt.error.indexing.parallelism.hint=1
+
+#Feature: Kafka Bolt
+##Feature Description: Writes telemetry messages back into a Kafka topic
+
+bolt.kafka.name=KafkaBolt
+bolt.kafka.enabled=false
+bolt.kafka.num.tasks=1
+bolt.kafka.parallelism.hint=1
+
+#Feature: HDFS Bolt
+##Feature Description: Writes telemetry messages into HDFS
+
+bolt.hdfs.name=HDFSBolt
+bolt.hdfs.enabled=false
+bolt.hdfs.num.tasks=1
+bolt.hdfs.parallelism.hint=1
\ No newline at end of file
diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/fireeye/metrics.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/fireeye/metrics.conf
new file mode 100644
index 0000000000..1daef3d889
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/fireeye/metrics.conf
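Review bot: The CIF Enrichment block names its bolt `bolt.enrichment.cif.name=SIFBolt`, which reads as a typo for `CIFBolt`, the name the paloalto features_enabled.conf added in this same patch uses. If component names are what operators see in metrics or the topology UI, someone looking for the CIF bolt will not find it; suggest `bolt.enrichment.cif.name=CIFBolt`. This file also ships with `bolt.enrichment.cif.enabled=false` and `bolt.enrichment.threat.enabled=false` while `bolt.alerts.enabled=true`, so a one-line comment stating which enrichment the alerts bolt depends on would help whoever enables this topology.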
@@ -0,0 +1,26 @@
+#reporters
+com.opensoc.metrics.reporter.graphite=true
+com.opensoc.metrics.reporter.console=false
+com.opensoc.metrics.reporter.jmx=false
+
+#Graphite Addresses
+
+com.opensoc.metrics.graphite.address=localhost
+com.opensoc.metrics.graphite.port=2023
+
+#TelemetryParserBolt
+com.opensoc.metrics.TelemetryParserBolt.acks=true
+com.opensoc.metrics.TelemetryParserBolt.emits=true
+com.opensoc.metrics.TelemetryParserBolt.fails=true
+
+
+#GenericEnrichmentBolt
+com.opensoc.metrics.GenericEnrichmentBolt.acks=true
+com.opensoc.metrics.GenericEnrichmentBolt.emits=true
+com.opensoc.metrics.GenericEnrichmentBolt.fails=true
+
+
+#TelemetryIndexingBolt
+com.opensoc.metrics.TelemetryIndexingBolt.acks=true
+com.opensoc.metrics.TelemetryIndexingBolt.emits=true
+com.opensoc.metrics.TelemetryIndexingBolt.fails=true
diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/fireeye/topology.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/fireeye/topology.conf
new file mode 100644
index 0000000000..d50a079114
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/fireeye/topology.conf
@@ -0,0 +1,110 @@
+include = ../../etc/env/environment_common.conf
+include = ../../etc/env/es_connection.conf
+include = ../../etc/env/hdfs_connection.conf
+include = ../../etc/env/mysql_connection.conf
+include = metrics.conf
+include = features_enabled.conf
+
+#Global Properties
+
+debug.mode=true
+local.mode=true
+num.workers=1
+
+#Standard 5-tuple fields
+
+source.ip=ip_src_addr
+source.port=ip_src_port
+dest.ip=ip_dst_addr
+dest.port=ip_dst_port
+protocol=protocol
+
+#Test Spout
+spout.test.parallelism.repeat=false
+
+#Kafka Spout
+spout.kafka.topic=fireeye_raw
+
+#Parser Bolt
+bolt.parser.adapter=com.opensoc.parsing.parsers.BasicFireEyeParser
+
+#Host Enrichment
+
+bolt.enrichment.host.MAX_CACHE_SIZE_OBJECTS_NUM=10000
+bolt.enrichment.host.MAX_TIME_RETAIN_MINUTES=10
+bolt.enrichment.host.enrichment_tag=host
+
+
+#GeoEnrichment
+
+bolt.enrichment.geo.enrichment_tag=geo
+bolt.enrichment.geo.adapter.table=GEO
+bolt.enrichment.geo.MAX_CACHE_SIZE_OBJECTS_NUM=10000
+bolt.enrichment.geo.MAX_TIME_RETAIN_MINUTES=10
+bolt.enrichment.geo.fields=ip_src_addr,ip_dst_addr
+
+#WhoisEnrichment
+
+bolt.enrichment.whois.hbase.table.name=whois
+bolt.enrichment.whois.enrichment_tag=whois
+bolt.enrichment.whois.fields=host
+bolt.enrichment.whois.MAX_CACHE_SIZE_OBJECTS_NUM=10000
+bolt.enrichment.whois.MAX_TIME_RETAIN_MINUTES=10
+
+#CIF Enrichment
+bolt.enrichment.cif.tablename=cif_table
+bolt.enrichment.cif.fields.host=host
+bolt.enrichment.cif.fields.email=email
+bolt.enrichment.cif.fields.ip=ip_src_addr,ip_dst_addr
+bolt.enrichment.cif.MAX_CACHE_SIZE_OBJECTS_NUM=10000
+bolt.enrichment.cif.MAX_TIME_RETAIN_MINUTES=10
+bolt.enrichment.cif.enrichment_tag=cif
+
+#Threat Enrichment
+bolt.enrichment.threat.tablename=threat_table
+bolt.enrichment.threat.fields=host,ip_src_addr,ip_dst_addr
+bolt.enrichment.threat.MAX_CACHE_SIZE_OBJECTS_NUM=10000
+bolt.enrichment.threat.MAX_TIME_RETAIN_MINUTES=10
+bolt.enrichment.threat.enrichment_tag=threat
+
+#Indexing Bolt
+bolt.indexing.indexname=fireeye_index
+bolt.indexing.timestamp=yyyy.MM.ww
+bolt.indexing.documentname=fireeye_doc
+bolt.indexing.bulk=1
+bolt.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter
+
+#Alerts Indexing Bolt
+bolt.alerts.indexing.indexname=alert
+bolt.alerts.indexing.timestamp=yyyy.MM.ww
+bolt.alerts.indexing.documentname=fireeye_alert
+bolt.alerts.indexing.bulk=1
+bolt.alerts.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter
+
+#Error Indexing Bolt
+bolt.error.indexing.indexname=error
+bolt.error.indexing.timestamp=yyyy.MM
+bolt.error.indexing.documentname=fireeye_error
+bolt.error.indexing.bulk=1
+bolt.error.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter
+
+#Alerts Bolt
+bolt.alerts.adapter=com.opensoc.alerts.adapters.CIFAlertsAdapter
+com.opensoc.alerts.adapters.CIFAlertsAdapter.whitelist_table_name = ip_whitelist
+com.opensoc.alerts.adapters.CIFAlertsAdapter.blacklist_table_name = ip_blacklist
+com.opensoc.alerts.adapters.CIFAlertsAdapter.quorum=zkpr1,zkpr2,zkpr3
+com.opensoc.alerts.adapters.CIFAlertsAdapter.port=2181
+com.opensoc.alerts.adapters.CIFAlertsAdapter._MAX_CACHE_SIZE_OBJECTS_NUM=3600
+com.opensoc.alerts.adapters.CIFAlertsAdapter._MAX_TIME_RETAIN_MINUTES=1000
+
+#HDFS Bolt
+bolt.hdfs.batch.size=5000
+bolt.hdfs.field.delimiter=|
+bolt.hdfs.file.rotation.size.in.mb=5
+bolt.hdfs.file.system.url=hdfs://nn1:8020
+bolt.hdfs.wip.file.path=/fireeye/wip
+bolt.hdfs.finished.file.path=/fireeye/rotated
+bolt.hdfs.compression.codec.class=org.apache.hadoop.io.compress.SnappyCodec
+
+#Kafka Bolt
+bolt.kafka.topic=fireeye_enriched
\ No newline at end of file
diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/fireeye/topology_identifier.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/fireeye/topology_identifier.conf
new file mode 100644
index 0000000000..3f1e56028f
--- /dev/null
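Review bot: The `#Alerts Bolt` block of fireeye/topology.conf selects `com.opensoc.alerts.adapters.CIFAlertsAdapter` but sets no `enrichment_tag` for it, although the commented CIFAlertsAdapter sample in the earlier topology.conf hunk of this patch carries `com.opensoc.alerts.adapters.CIFAlertsAdapter.enrichment_tag=CIF_Enrichment`. Whether the adapter falls back to a default is not visible here, so please confirm it; if it does not, alerts may be evaluated against a tag that no enrichment bolt writes (this file tags CIF results as `cif`). The paloalto topology.conf added later in the patch has the same gap. Separately, `debug.mode=true` and `local.mode=true` are committed as the defaults, and a comment such as `#set both to false for cluster deployment` above them would keep a production topology from running in local mode unnoticed.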
+++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/fireeye/topology_identifier.conf @@ -0,0 +1,4 @@ +#Each topology must have a unique identifier. This setting is required + +topology.id=fireeye +instance.id=FE001 \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/ise/features_enabled.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/ise/features_enabled.conf index 486eea5a1f..730935d977 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/ise/features_enabled.conf +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/ise/features_enabled.conf @@ -19,7 +19,7 @@ spout.kafka.parallelism.hint=1 #Feature: Parser Bolt ##Feature Description: Parses telemetry from its native format into a native JSON -parser.bolt.name=ParserBolt +bolt.parser.name=ParserBolt bolt.parser.enabled=true bolt.parser.num.tasks=1 bolt.parser.parallelism.hint=1 @@ -56,6 +56,14 @@ bolt.enrichment.cif.enabled=false bolt.enrichment.cif.num.tasks=1 bolt.enrichment.cif.parallelism.hint=1 +#Feature: Threat Enrichment +##Feature Description: Appends information from Threat intelligence feeds to a telemetry message + +bolt.enrichment.threat.name=ThreatBolt +bolt.enrichment.threat.enabled=false +bolt.enrichment.threat.num.tasks=1 +bolt.enrichment.threat.parallelism.hint=1 + #Feature: Rules-Based Alerts ##Feature Description: Tags messages with rules-based alerts diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/ise/topology.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/ise/topology.conf index 7fbc9ff965..f986bea67d 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/ise/topology.conf 
+++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/ise/topology.conf @@ -25,12 +25,13 @@ spout.test.parallelism.repeat=false #Kafka Spout spout.kafka.topic=ise_raw - +#Parser Bolt +bolt.parser.adapter=com.opensoc.parsing.parsers.BasicIseParser #Host Enrichment -bolt.enrichment.host.MAX_CACHE_SIZE=10000 -bolt.enrichment.host.MAX_TIME_RETAIN=10 +bolt.enrichment.host.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.host.MAX_TIME_RETAIN_MINUTES=10 bolt.enrichment.host.enrichment_tag=host 
@@ -38,40 +39,54 @@ bolt.enrichment.host.enrichment_tag=host bolt.enrichment.geo.enrichment_tag=geo bolt.enrichment.geo.adapter.table=GEO -bolt.enrichment.geo.MAX_CACHE_SIZE=10000 -bolt.enrichment.geo.MAX_TIME_RETAIN=10 +bolt.enrichment.geo.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.geo.MAX_TIME_RETAIN_MINUTES=10 +bolt.enrichment.geo.fields=ip_src_addr,ip_dst_addr #WhoisEnrichment bolt.enrichment.whois.hbase.table.name=whois bolt.enrichment.whois.enrichment_tag=whois -bolt.enrichment.whois.source=tld -bolt.enrichment.whois.MAX_CACHE_SIZE=10000 -bolt.enrichment.whois.MAX_TIME_RETAIN=10 +bolt.enrichment.whois.fields=host +bolt.enrichment.whois.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.whois.MAX_TIME_RETAIN_MINUTES=10 #CIF Enrichment bolt.enrichment.cif.tablename=cif_table -bolt.enrichment.cif.host=tld -bolt.enrichment.cif.email=email -bolt.enrichment.cif.MAX_CACHE_SIZE=10000 -bolt.enrichment.cif.MAX_TIME_RETAIN=10 +bolt.enrichment.cif.fields.host=host +bolt.enrichment.cif.fields.email=email +bolt.enrichment.cif.fields.ip=ip_src_addr,ip_dst_addr +bolt.enrichment.cif.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.cif.MAX_TIME_RETAIN_MINUTES=10 bolt.enrichment.cif.enrichment_tag=cif +#Threat Enrichment +bolt.enrichment.threat.tablename=threat_table +bolt.enrichment.threat.fields=host,ip_src_addr,ip_dst_addr +bolt.enrichment.threat.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.threat.MAX_TIME_RETAIN_MINUTES=10 +bolt.enrichment.threat.enrichment_tag=threat #Indexing Bolt bolt.indexing.indexname=ise_index +bolt.indexing.timestamp=yyyy.MM.ww bolt.indexing.documentname=ise_doc bolt.indexing.bulk=200 +bolt.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter #Alerts Indexing Bolt bolt.alerts.indexing.indexname=alert +bolt.alerts.indexing.timestamp=yyyy.MM.ww bolt.alerts.indexing.documentname=ise_alert bolt.alerts.indexing.bulk=1 +bolt.alerts.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter #Error Indexing Bolt 
bolt.error.indexing.indexname=error +bolt.error.indexing.timesatmp=yyyy.MM bolt.error.indexing.documentname=ise_error bolt.error.indexing.bulk=1 +bolt.error.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter #HDFS Bolt bolt.hdfs.batch.size=5000 diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/lancope/features_enabled.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/lancope/features_enabled.conf index 765dde3cb9..a4dc14d1c6 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/lancope/features_enabled.conf +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/lancope/features_enabled.conf @@ -19,7 +19,7 @@ spout.kafka.parallelism.hint=1 #Feature: Parser Bolt ##Feature Description: Parses telemetry from its native format into a native JSON -parser.bolt.name=ParserBolt +bolt.parser.name=ParserBolt bolt.parser.enabled=true bolt.parser.num.tasks=1 bolt.parser.parallelism.hint=1 @@ -56,6 +56,14 @@ bolt.enrichment.cif.enabled=false bolt.enrichment.cif.num.tasks=1 bolt.enrichment.cif.parallelism.hint=1 +#Feature: Threat Enrichment +##Feature Description: Appends information from Threat intelligence feeds to a telemetry message + +bolt.enrichment.threat.name=ThreatBolt +bolt.enrichment.threat.enabled=false +bolt.enrichment.threat.num.tasks=1 +bolt.enrichment.threat.parallelism.hint=1 + #Feature: Rules-Based Alerts ##Feature Description: Tags messages with rules-based alerts diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/lancope/topology.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/lancope/topology.conf index 8c50580f5f..7da2a4913e 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/lancope/topology.conf 
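Review bot: In the `#Error Indexing Bolt` block of ise/topology.conf the added key is misspelled, `bolt.error.indexing.timesatmp=yyyy.MM`, while the fireeye and lancope files in this patch use `bolt.error.indexing.timestamp=yyyy.MM`. With the typo, the `ESTimedRotatingAdapter` configured two lines below presumably never receives a rotation pattern for the error index, so parser and indexing errors could land in an unexpected index or not be indexed at all. The line should read `bolt.error.indexing.timestamp=yyyy.MM`.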
+++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/lancope/topology.conf @@ -25,12 +25,13 @@ spout.test.parallelism.repeat=false #Kafka Spout spout.kafka.topic=lancope_raw - +#Parser Bolt +bolt.parser.adapter=com.opensoc.parsing.parsers.BasicLancopeParser #Host Enrichment -bolt.enrichment.host.MAX_CACHE_SIZE=10000 -bolt.enrichment.host.MAX_TIME_RETAIN=10 +bolt.enrichment.host.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.host.MAX_TIME_RETAIN_MINUTES=10 bolt.enrichment.host.enrichment_tag=host 
@@ -38,40 +39,54 @@ bolt.enrichment.host.enrichment_tag=host bolt.enrichment.geo.enrichment_tag=geo bolt.enrichment.geo.adapter.table=GEO -bolt.enrichment.geo.MAX_CACHE_SIZE=10000 -bolt.enrichment.geo.MAX_TIME_RETAIN=10 +bolt.enrichment.geo.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.geo.MAX_TIME_RETAIN_MINUTES=10 +bolt.enrichment.geo.fields=ip_src_addr,ip_dst_addr #WhoisEnrichment bolt.enrichment.whois.hbase.table.name=whois bolt.enrichment.whois.enrichment_tag=whois -bolt.enrichment.whois.source=tld -bolt.enrichment.whois.MAX_CACHE_SIZE=10000 -bolt.enrichment.whois.MAX_TIME_RETAIN=10 +bolt.enrichment.whois.fields=host +bolt.enrichment.whois.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.whois.MAX_TIME_RETAIN_MINUTES=10 #CIF Enrichment bolt.enrichment.cif.tablename=cif_table -bolt.enrichment.cif.host=tld -bolt.enrichment.cif.email=email -bolt.enrichment.cif.MAX_CACHE_SIZE=10000 -bolt.enrichment.cif.MAX_TIME_RETAIN=10 +bolt.enrichment.cif.fields.host=host +bolt.enrichment.cif.fields.email=email +bolt.enrichment.cif.fields.ip=ip_src_addr,ip_dst_addr +bolt.enrichment.cif.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.cif.MAX_TIME_RETAIN_MINUTES=10 bolt.enrichment.cif.enrichment_tag=cif +#Threat Enrichment +bolt.enrichment.threat.tablename=threat_table +bolt.enrichment.threat.fields=host,ip_src_addr,ip_dst_addr +bolt.enrichment.threat.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.threat.MAX_TIME_RETAIN_MINUTES=10 +bolt.enrichment.threat.enrichment_tag=threat #Indexing Bolt bolt.indexing.indexname=lancope_index +bolt.indexing.timestamp=yyyy.MM.ww bolt.indexing.documentname=lancope_doc bolt.indexing.bulk=200 +bolt.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter #Alerts Indexing Bolt bolt.alerts.indexing.indexname=alert +bolt.alerts.indexing.timestamp=yyyy.MM.ww bolt.alerts.indexing.documentname=lancope_alert bolt.alerts.indexing.bulk=1 +bolt.alerts.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter #Error Indexing 
Bolt bolt.error.indexing.indexname=error +bolt.error.indexing.timestamp=yyyy.MM bolt.error.indexing.documentname=lancope_error bolt.error.indexing.bulk=1 +bolt.error.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter #HDFS Bolt bolt.hdfs.batch.size=5000 diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/paloalto/features_enabled.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/paloalto/features_enabled.conf new file mode 100644 index 0000000000..29ea06d21b --- /dev/null +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/paloalto/features_enabled.conf 
@@ -0,0 +1,113 @@
+#Enable and disable features for each topology
+
+#Feature: Test spout
+##Feature Description: Reads telemetry from file and ingests it into topology. Used for testing or bulk loading the topology
+
+spout.test.name=TestSpout
+spout.test.enabled=true
+spout.test.num.tasks=1
+spout.test.parallelism.hint=1
+
+#Feature: Kafka spout
+##Feature Description: Acts as a Kafka consumer. Takes messages from a Kafka topic and ingests them into a topology
+
+spout.kafka.name=KafkaSpout
+spout.kafka.enabled=false
+spout.kafka.num.tasks=1
+spout.kafka.parallelism.hint=1
+
+#Feature: Parser Bolt
+##Feature Description: Parses telemetry from its native format into a native JSON
+
+bolt.parser.name=ParserBolt
+bolt.parser.enabled=true
+bolt.parser.num.tasks=1
+bolt.parser.parallelism.hint=1
+
+#Feature: Host Enrichment
+##Feature Description: Appends information about known hosts to a telemetry message
+
+bolt.enrichment.host.name=HostEnrichment
+bolt.enrichment.host.enabled=true
+bolt.enrichment.host.num.tasks=1
+bolt.enrichment.host.parallelism.hint=1
+
+#Feature: Geo Enrichment
+##Feature Description: Appends geo information about known non-local IPs to a telemetry message
+
+bolt.enrichment.geo.name=GeoEnrichment
+bolt.enrichment.geo.enabled=true
+bolt.enrichment.geo.num.tasks=1
+bolt.enrichment.geo.parallelism.hint=1
+
+#Feature: Whois Enrichment
+##Feature Description: Appends whois information about known domains to a telemetry message
+
+bolt.enrichment.whois.name=WhoisEnrichment
+bolt.enrichment.whois.enabled=true
+bolt.enrichment.whois.num.tasks=1
+bolt.enrichment.whois.parallelism.hint=1
+
+#Feature: CIF Enrichment
+##Feature Description: Appends information from CIF threat intelligence feeds to a telemetry message
+
+bolt.enrichment.cif.name=CIFBolt
+bolt.enrichment.cif.enabled=true
+bolt.enrichment.cif.num.tasks=1
+bolt.enrichment.cif.parallelism.hint=1
+
+#Feature: Threat Enrichment
+##Feature Description: Appends information from Threat intelligence feeds to a telemetry message
+
+bolt.enrichment.threat.name=ThreatBolt
+bolt.enrichment.threat.enabled=false
+bolt.enrichment.threat.num.tasks=1
+bolt.enrichment.threat.parallelism.hint=1
+
+#Feature: Rules-Based Alerts
+##Feature Description: Tags messages with rules-based alerts
+
+bolt.alerts.name=Alerts
+bolt.alerts.enabled=true
+bolt.alerts.num.tasks=1
+bolt.alerts.parallelism.hint=1
+
+#Feature: Indexer
+##Feature Description: Indexes telemetry messages in ElasticSearch or Solr
+
+bolt.indexing.name=IndexBolt
+bolt.indexing.enabled=true
+bolt.indexing.num.tasks=1
+bolt.indexing.parallelism.hint=1
+
+#Feature: Alerts Indexer
+##Feature Description: Indexes alert messages in ElasticSearch or Solr
+
+bolt.alerts.indexing.name=AlertIndexBolt
+bolt.alerts.indexing.enabled=true
+bolt.alerts.indexing.num.tasks=1
+bolt.alerts.indexing.parallelism.hint=1
+
+#Feature: Error Indexer
+##Feature Description: Indexes error messages in ElasticSearch or Solr
+
+bolt.error.indexing.name=ErrorIndexBolt
+bolt.error.indexing.enabled=true
+bolt.error.indexing.num.tasks=1
+bolt.error.indexing.parallelism.hint=1
+
+#Feature: Kafka Bolt
+##Feature Description: Writes telemetry messages back into a Kafka topic
+
+bolt.kafka.name=KafkaBolt
+bolt.kafka.enabled=false
+bolt.kafka.num.tasks=1
+bolt.kafka.parallelism.hint=1
+
+#Feature: HDFS Bolt
+##Feature Description: Writes telemetry messages into HDFS
+
+bolt.hdfs.name=HDFSBolt
+bolt.hdfs.enabled=false
+bolt.hdfs.num.tasks=1
+bolt.hdfs.parallelism.hint=1
\ No newline at end of file
diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/paloalto/metrics.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/paloalto/metrics.conf
new file mode 100644
index 0000000000..1daef3d889
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/paloalto/metrics.conf
@@ -0,0 +1,26 @@
+#reporters
+com.opensoc.metrics.reporter.graphite=true
+com.opensoc.metrics.reporter.console=false
+com.opensoc.metrics.reporter.jmx=false
+
+#Graphite Addresses
+
+com.opensoc.metrics.graphite.address=localhost
+com.opensoc.metrics.graphite.port=2023
+
+#TelemetryParserBolt
+com.opensoc.metrics.TelemetryParserBolt.acks=true
+com.opensoc.metrics.TelemetryParserBolt.emits=true
+com.opensoc.metrics.TelemetryParserBolt.fails=true
+
+
+#GenericEnrichmentBolt
+com.opensoc.metrics.GenericEnrichmentBolt.acks=true
+com.opensoc.metrics.GenericEnrichmentBolt.emits=true
+com.opensoc.metrics.GenericEnrichmentBolt.fails=true
+
+
+#TelemetryIndexingBolt
+com.opensoc.metrics.TelemetryIndexingBolt.acks=true
+com.opensoc.metrics.TelemetryIndexingBolt.emits=true
+com.opensoc.metrics.TelemetryIndexingBolt.fails=true
diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/paloalto/topology.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/paloalto/topology.conf
new file mode 100644
index 0000000000..a92c7f3800
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/paloalto/topology.conf
@@ -0,0 +1,113 @@
+include = ../../etc/env/environment_common.conf
+include = ../../etc/env/es_connection.conf
+include = ../../etc/env/hdfs_connection.conf
+include = ../../etc/env/mysql_connection.conf
+include = metrics.conf
+include = features_enabled.conf
+
+#Global Properties
+
+debug.mode=true
+local.mode=true
+num.workers=1
+
+#Standard 5-tuple fields
+
+source.ip=ip_src_addr
+source.port=ip_src_port
+dest.ip=ip_dst_addr
+dest.port=ip_dst_port
+protocol=protocol
+
+#Test Spout
+spout.test.parallelism.repeat=false
+
+#Kafka Spout
+spout.kafka.topic=paloalto_raw
+
+#Parser Bolt
+bolt.parser.adapter=com.opensoc.parsing.parsers.BasicPaloAltoFirewallParser
+
+#Host Enrichment
+
+bolt.enrichment.host.MAX_CACHE_SIZE_OBJECTS_NUM=10000
+bolt.enrichment.host.MAX_TIME_RETAIN_MINUTES=10
+bolt.enrichment.host.enrichment_tag=host
+
+
+#GeoEnrichment
+
+bolt.enrichment.geo.enrichment_tag=geo
+bolt.enrichment.geo.adapter.table=GEO
+bolt.enrichment.geo.MAX_CACHE_SIZE_OBJECTS_NUM=10000
+bolt.enrichment.geo.MAX_TIME_RETAIN_MINUTES=10
+bolt.enrichment.geo.fields=ip_src_addr,ip_dst_addr
+
+#WhoisEnrichment
+
+bolt.enrichment.whois.hbase.table.name=whois
+bolt.enrichment.whois.enrichment_tag=whois
+bolt.enrichment.whois.fields=host
+bolt.enrichment.whois.MAX_CACHE_SIZE_OBJECTS_NUM=10000
+bolt.enrichment.whois.MAX_TIME_RETAIN_MINUTES=10
+bolt.enrichment.whois.fields=host
+
+#CIF Enrichment
+bolt.enrichment.cif.tablename=cif_table
+bolt.enrichment.cif.fields.host=host
+bolt.enrichment.cif.fields.email=email
+bolt.enrichment.cif.fields.ip=ip_src_addr,ip_dst_addr
+bolt.enrichment.cif.MAX_CACHE_SIZE_OBJECTS_NUM=10000
+bolt.enrichment.cif.MAX_TIME_RETAIN_MINUTES=10
+bolt.enrichment.cif.enrichment_tag=cif
+bolt.enrichment.cif.host=host
+
+
+#Threat Enrichment
+bolt.enrichment.threat.tablename=threat_table
+bolt.enrichment.threat.fields=host,ip_src_addr,ip_dst_addr
+bolt.enrichment.threat.MAX_CACHE_SIZE_OBJECTS_NUM=10000
+bolt.enrichment.threat.MAX_TIME_RETAIN_MINUTES=10
+bolt.enrichment.threat.enrichment_tag=threat
+
+#Indexing Bolt
+bolt.indexing.indexname=paloalto_index
+bolt.indexing.timestamp=yyyy.MM.ww
+bolt.indexing.documentname=paloalto_doc
+bolt.indexing.bulk=1
+bolt.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter
+
+#Alerts Indexing Bolt
+bolt.alerts.indexing.indexname=alert
+bolt.alerts.indexing.timestamp=yyyy.MM.ww
+bolt.alerts.indexing.documentname=paloalto_alert
+bolt.alerts.indexing.bulk=1
+bolt.alerts.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter
+
+#Error Indexing Bolt
+bolt.error.indexing.indexname=error
+bolt.error.indexing.timestamp.yyyy.MM
+bolt.error.indexing.documentname=paloalto_error
+bolt.error.indexing.bulk=1
+bolt.error.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter
+
+#Alerts Bolt
+bolt.alerts.adapter=com.opensoc.alerts.adapters.CIFAlertsAdapter
+com.opensoc.alerts.adapters.CIFAlertsAdapter.whitelist_table_name = ip_whitelist
+com.opensoc.alerts.adapters.CIFAlertsAdapter.blacklist_table_name = ip_blacklist
+com.opensoc.alerts.adapters.CIFAlertsAdapter.quorum=zkpr1,zkpr2,zkpr3
+com.opensoc.alerts.adapters.CIFAlertsAdapter.port=2181
+com.opensoc.alerts.adapters.CIFAlertsAdapter._MAX_CACHE_SIZE_OBJECTS_NUM=3600
+com.opensoc.alerts.adapters.CIFAlertsAdapter._MAX_TIME_RETAIN_MINUTES=1000
+
+#HDFS Bolt
+bolt.hdfs.batch.size=5000
+bolt.hdfs.field.delimiter=|
+bolt.hdfs.file.rotation.size.in.mb=5
+bolt.hdfs.file.system.url=hdfs://nn1:8020
+bolt.hdfs.wip.file.path=/paloalto/wip
+bolt.hdfs.finished.file.path=/paloalto/rotated
+bolt.hdfs.compression.codec.class=org.apache.hadoop.io.compress.SnappyCodec
+
+#Kafka Bolt
+bolt.kafka.topic=paloalto_enriched
\ No newline at end of file
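Review bot: The `#Error Indexing Bolt` block of paloalto/topology.conf has `bolt.error.indexing.timestamp.yyyy.MM` with no `=`, so the rotation pattern becomes part of the key instead of its value; it should be `bolt.error.indexing.timestamp=yyyy.MM` as in the fireeye file. How the loader treats a key without a value is not visible in this hunk, so this may surface as a silent default for the error index rather than a startup failure. Two leftovers are also worth removing: `bolt.enrichment.whois.fields=host` appears twice in the Whois block, and `bolt.enrichment.cif.host=host` looks like the pre-rename form of `bolt.enrichment.cif.fields.host`, which the block already sets.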
diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/paloalto/topology_identifier.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/paloalto/topology_identifier.conf new file mode 100644 index 0000000000..7601122d25 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/paloalto/topology_identifier.conf @@ -0,0 +1,4 @@ +#Each topology must have a unique identifier. This setting is required + +topology.id=paloalto +instance.id=PA001 \ No newline at end of file diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/pcap/features_enabled.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/pcap/features_enabled.conf index a79d7ee0ac..9b41fa2741 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/pcap/features_enabled.conf +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/pcap/features_enabled.conf @@ -19,7 +19,7 @@ spout.kafka.parallelism.hint=1 #Feature: Parser Bolt ##Feature Description: Parses telemetry from its native format into a native JSON -parser.bolt.name=ParserBolt +bolt.parser.name=ParserBolt bolt.parser.enabled=true bolt.parser.num.tasks=1 bolt.parser.parallelism.hint=1 @@ -56,6 +56,14 @@ bolt.enrichment.cif.enabled=false bolt.enrichment.cif.num.tasks=1 bolt.enrichment.cif.parallelism.hint=1 +#Feature: Threat Enrichment +##Feature Description: Appends information from Threat intelligence feeds to a telemetry message + +bolt.enrichment.threat.name=ThreatBolt +bolt.enrichment.threat.enabled=false +bolt.enrichment.threat.num.tasks=1 +bolt.enrichment.threat.parallelism.hint=1 + #Feature: Rules-Based Alerts ##Feature Description: Tags messages with rules-based alerts 
diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/pcap/topology.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/pcap/topology.conf index bd5bc592f5..30c3ef34c2 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/pcap/topology.conf +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/pcap/topology.conf @@ -44,8 +44,8 @@ spout.kafka.topic=pcap_raw #Host Enrichment -bolt.enrichment.host.MAX_CACHE_SIZE=10000 -bolt.enrichment.host.MAX_TIME_RETAIN=10 +bolt.enrichment.host.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.host.MAX_TIME_RETAIN_MINUTES=10 bolt.enrichment.host.enrichment_tag=host 
@@ -53,40 +53,53 @@ bolt.enrichment.host.enrichment_tag=host bolt.enrichment.geo.enrichment_tag=geo bolt.enrichment.geo.adapter.table=GEO -bolt.enrichment.geo.MAX_CACHE_SIZE=10000 -bolt.enrichment.geo.MAX_TIME_RETAIN=10 +bolt.enrichment.geo.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.geo.MAX_TIME_RETAIN_MINUTES=10 +bolt.enrichment.geo.source=ip_src_addr,ip_dst_addr #WhoisEnrichment bolt.enrichment.whois.hbase.table.name=whois bolt.enrichment.whois.enrichment_tag=whois -bolt.enrichment.whois.source=tld -bolt.enrichment.whois.MAX_CACHE_SIZE=10000 -bolt.enrichment.whois.MAX_TIME_RETAIN=10 +bolt.enrichment.whois.fields=host +bolt.enrichment.whois.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.whois.MAX_TIME_RETAIN_MINUTES=10 #CIF Enrichment bolt.enrichment.cif.tablename=cif_table -bolt.enrichment.cif.host=tld -bolt.enrichment.cif.email=email -bolt.enrichment.cif.MAX_CACHE_SIZE=10000 -bolt.enrichment.cif.MAX_TIME_RETAIN=10 +bolt.enrichment.cif.fields.host=host +bolt.enrichment.cif.fields.email=email +bolt.enrichment.cif.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.cif.MAX_TIME_RETAIN_MINUTES=10 bolt.enrichment.cif.enrichment_tag=cif +bolt.enrichment.cif.ip=ip_src_addr,_ip_dst_addr +#Threat Enrichment +bolt.enrichment.threat.tablename=threat_table +bolt.enrichment.threat.fields=host,ip_src_addr,ip_dst_addr +bolt.enrichment.threat.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.threat.MAX_TIME_RETAIN_MINUTES=10 +bolt.enrichment.threat.enrichment_tag=threat #Indexing Bolt -bolt.indexing.indexname=pcap_index_test +bolt.indexing.indexname=pcap_index +bolt.indexing.timestamp=yyyy.MM.dd.hh bolt.indexing.documentname=pcap_doc bolt.indexing.bulk=1 +bolt.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter #Alerts Indexing Bolt bolt.alerts.indexing.indexname=pcap_alert_test bolt.alerts.indexing.documentname=pcap_alert bolt.alerts.indexing.bulk=1 +bolt.alerts.indexing.adapter=com.opensoc.indexing.adapters.ESBaseBulkAdapter #Error Indexing Bolt 
-bolt.error.indexing.indexname=pcap_error_test +bolt.error.indexing.indexname=error +bolt.error.indexing.timestamp=yyyy.MM bolt.error.indexing.documentname=pcap_error bolt.error.indexing.bulk=1 +bolt.error.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter #HDFS Bolt bolt.hdfs.batch.size=5000 
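Review bot: The CIF address mapping added in this hunk, `bolt.enrichment.cif.ip=ip_src_addr,_ip_dst_addr`, has a stray underscore in `_ip_dst_addr` and lacks the `fields.` prefix that the neighbouring `bolt.enrichment.cif.fields.host` and `bolt.enrichment.cif.fields.email` keys now use. If the CIF bolt reads `bolt.enrichment.cif.fields.ip`, as the sourcefire topology.conf in this same commit suggests, addresses would not be looked up against the CIF table and nothing would report the gap. I would change the line to `bolt.enrichment.cif.fields.ip=ip_src_addr,ip_dst_addr`. The same hunk adds `bolt.enrichment.geo.source=` where the sourcefire file uses `bolt.enrichment.geo.fields=`, which looks like the same kind of slip. It also sets `bolt.indexing.timestamp=yyyy.MM.dd.hh`; if this is a Java date pattern, `hh` is the 12-hour field, so morning and afternoon events would share an index name and `HH` is probably what was meant.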
@@ -110,3 +123,28 @@ bolt.hbase.enable.batching=false bolt.hbase.write.buffer.size.in.bytes=2000000 bolt.hbase.durability=SKIP_WAL bolt.hbase.partitioner.region.info.refresh.interval.mins=60 + + +#Extra [Optional] Storm Configuration Options + +optional.settings.bolt.index.search.transport.tcp.compress=true +optional.settings.bolt.index.search.discovery.zen.ping.multicast.enabled:true +optional.settings.bolt.index.search.discovery.zen.ping.unicast.hosts=ctrl01:9300\,ctrl02:9300\,ctrl03:9300 +optional.settings.bolt.index.search.http.port=19200 +optional.settings.bolt.index.search.transport.tcp.port=19300 +optional.settings.bolt.index.search.node.name=node.name_{index} +optional.settings.bolt.index.search.path.data=/tmp/es_data_client_{index} +optional.settings.bolt.index.search.path.work=/tmp/es_work_client_{index} +optional.settings.bolt.index.search.path.logs=/var/log/elasticsearch/client_{index} +optional.settings.bolt.index.search.http.enabled=true +optional.settings.bolt.index.search.discovery.zen.minimum_master_nodes=1 +optional.settings.bolt.index.search.discovery.zen.ping.multicast.ttl=60 +optional.settings.bolt.index.search.discovery.zen.ping_timeout=500 +optional.settings.bolt.index.search.discovery.zen.fd.ping_timeout=500 +optional.settings.bolt.index.search.discovery.zen.fd.ping_interval=60 +optional.settings.bolt.index.search.discovery.zen.fd.ping_retries=60 +optional.settings.bolt.index.search.client.transport.ping_timeout=60s +optional.settings.bolt.index.search.multicast.enabled=false +optional.settings.bolt.index.search.index.refresh_interval=2m +optional.settings.bolt.index.search.index.merge.async=true +optional.settings.bolt.index.search.action.write_consistency=one diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/sourcefire/features_enabled.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/sourcefire/features_enabled.conf index f6c9ab8ed0..5b45ddef9a 100644 
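Review bot: The optional Elasticsearch client settings added at the end of this hunk place the node's data and work directories under `/tmp` (`path.data=/tmp/es_data_client_{index}`, `path.work=/tmp/es_work_client_{index}`), which is world-writable and commonly purged; a dedicated directory owned by the topology's service account is a safer home for anything derived from security telemetry. The block also sets `discovery.zen.ping.multicast.enabled:true` while a later line sets `multicast.enabled=false` and a unicast host list is given, so the intended discovery mode is unclear. Multicast discovery lets any host on the segment that knows the cluster name be found as a peer, so I would set it to `false` and rely on the unicast list. `http.enabled=true` with `http.port=19200` opens an HTTP endpoint on every worker that runs the bolt; if nothing queries the client node over HTTP, `false` reduces exposure. A one-line comment above the block stating which of these settings are required would help operators who copy the file.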
--- a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/sourcefire/features_enabled.conf +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/sourcefire/features_enabled.conf @@ -19,7 +19,7 @@ spout.kafka.parallelism.hint=1 #Feature: Parser Bolt ##Feature Description: Parses telemetry from its native format into a native JSON -parser.bolt.name=ParserBolt +bolt.parser.name=ParserBolt bolt.parser.enabled=true bolt.parser.num.tasks=1 bolt.parser.parallelism.hint=1 @@ -56,6 +56,14 @@ bolt.enrichment.cif.enabled=false bolt.enrichment.cif.num.tasks=1 bolt.enrichment.cif.parallelism.hint=1 +#Feature: Threat Enrichment +##Feature Description: Appends information from Threat intelligence feeds to a telemetry message + +bolt.enrichment.threat.name=ThreatBolt +bolt.enrichment.threat.enabled=false +bolt.enrichment.threat.num.tasks=1 +bolt.enrichment.threat.parallelism.hint=1 + #Feature: Rules-Based Alerts ##Feature Description: Tags messages with rules-based alerts diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/sourcefire/topology.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/sourcefire/topology.conf index 02d77a1592..29d682aec4 100644 --- a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/sourcefire/topology.conf +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/OpenSOC_Configs/topologies/sourcefire/topology.conf @@ -25,12 +25,13 @@ spout.test.parallelism.repeat=false #Kafka Spout spout.kafka.topic=sourcefire_raw - +#Parser Bolt +bolt.parser.adapter=com.opensoc.parsing.parsers.BasicSourcefireParser #Host Enrichment -bolt.enrichment.host.MAX_CACHE_SIZE=10000 -bolt.enrichment.host.MAX_TIME_RETAIN=10 +bolt.enrichment.host.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.host.MAX_TIME_RETAIN_MINUTES=10 bolt.enrichment.host.enrichment_tag=host 
@@ -38,40 +39,63 @@ bolt.enrichment.host.enrichment_tag=host bolt.enrichment.geo.enrichment_tag=geo bolt.enrichment.geo.adapter.table=GEO -bolt.enrichment.geo.MAX_CACHE_SIZE=10000 -bolt.enrichment.geo.MAX_TIME_RETAIN=10 +bolt.enrichment.geo.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.geo.MAX_TIME_RETAIN_MINUTES=10 +bolt.enrichment.geo.fields=ip_src_addr,ip_dst_addr #WhoisEnrichment bolt.enrichment.whois.hbase.table.name=whois bolt.enrichment.whois.enrichment_tag=whois -bolt.enrichment.whois.source=tld -bolt.enrichment.whois.MAX_CACHE_SIZE=10000 -bolt.enrichment.whois.MAX_TIME_RETAIN=10 +bolt.enrichment.whois.fields=host +bolt.enrichment.whois.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.whois.MAX_TIME_RETAIN_MINUTES=10 #CIF Enrichment bolt.enrichment.cif.tablename=cif_table -bolt.enrichment.cif.host=tld -bolt.enrichment.cif.email=email -bolt.enrichment.cif.MAX_CACHE_SIZE=10000 -bolt.enrichment.cif.MAX_TIME_RETAIN=10 +bolt.enrichment.cif.fields.host=host +bolt.enrichment.cif.fields.email=email +bolt.enrichment.cif.fields.ip=ip_src_addr,ip_dst_addr +bolt.enrichment.cif.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.cif.MAX_TIME_RETAIN_MINUTES=10 bolt.enrichment.cif.enrichment_tag=cif +#Threat Enrichment +bolt.enrichment.threat.tablename=threat_table +bolt.enrichment.threat.fields=host,ip_src_addr,ip_dst_addr +bolt.enrichment.threat.MAX_CACHE_SIZE_OBJECTS_NUM=10000 +bolt.enrichment.threat.MAX_TIME_RETAIN_MINUTES=10 +bolt.enrichment.threat.enrichment_tag=threat #Indexing Bolt bolt.indexing.indexname=sourcefire_index +bolt.indexing.timestamp=yyyy.MM.ww bolt.indexing.documentname=sourcefire_doc bolt.indexing.bulk=1 +bolt.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter #Alerts Indexing Bolt bolt.alerts.indexing.indexname=alert +bolt.alerts.indexing.timestamp=yyyy.MM.ww bolt.alerts.indexing.documentname=sourcefire_alert bolt.alerts.indexing.bulk=1 +bolt.alerts.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter #Error 
Indexing Bolt bolt.error.indexing.indexname=error +bolt.error.indexing.timestamp=yyyy.MM bolt.error.indexing.documentname=sourcefire_error bolt.error.indexing.bulk=1 +bolt.error.indexing.adapter=com.opensoc.indexing.adapters.ESTimedRotatingAdapter + +#Alerts Bolt +bolt.alerts.adapter=com.opensoc.alerts.adapters.AllAlertAdapter +com.opensoc.alerts.adapters.AllAlertAdapter.whitelist_table_name = ip_whitelist +com.opensoc.alerts.adapters.AllAlertAdapter.blacklist_table_name = ip_blacklist +com.opensoc.alerts.adapters.AllAlertAdapter.quorum=zkpr1,zkpr2,zkpr3 +com.opensoc.alerts.adapters.AllAlertAdapter.port=2181 +com.opensoc.alerts.adapters.AllAlertAdapter._MAX_CACHE_SIZE_OBJECTS_NUM=3600 +com.opensoc.alerts.adapters.AllAlertAdapter._MAX_TIME_RETAIN_MINUTES=1000 #HDFS Bolt bolt.hdfs.batch.size=5000 diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/SampleInput/AsaOutput b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/SampleInput/AsaOutput new file mode 100644 index 0000000000..6009d4888e --- /dev/null +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/SampleInput/AsaOutput 
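Review bot: The AllAlertAdapter block added at the end of this hunk sets `_MAX_CACHE_SIZE_OBJECTS_NUM=3600` and `_MAX_TIME_RETAIN_MINUTES=1000`, and the two values look swapped next to the enrichment bolts in the same file, which use 10000 objects and 10 minutes. If this cache holds whitelist and blacklist lookup results, a 1000-minute retention means an address newly added to `ip_blacklist` may raise no alert, and one removed from `ip_whitelist` may keep suppressing alerts, for more than sixteen hours. I would confirm the intended values and add a comment such as `#Cache retention bounds how long a whitelist/blacklist change takes to reach alerting`. The keys in this block also carry a leading underscore and spaces around `=`, unlike the rest of the file, so it is worth checking that the adapter reads exactly these names.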
@@ -0,0 +1,100 @@
+<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609001: Built local-host inside:10.22.8.205
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74/0(LOCAL\user.name) gaddr 10.22.8.205/0 laddr 10.22.8.205/0
+<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167725 for Outside_VPN:147.111.72.16/26436 to DMZ-Inside:10.22.8.53/443 duration 0:00:00 bytes 9687 TCP FINs
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805593 for outside:10.22.8.223/59614(LOCAL\user.name) to inside:10.22.8.78/8102 duration 0:00:07 bytes 3433 TCP FINs (user.name)
+<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245503 for outside:10.22.8.233/54209 (10.22.8.233/54209) to inside:198.111.72.238/443 (198.111.72.238/443) (user.name)
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806031 for outside:10.22.8.17/58633 (10.22.8.17/58633)(LOCAL\user.name) to inside:10.22.8.12/389 (10.22.8.12/389) (user.name)
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168292 for DMZ-Inside:10.22.8.51/51231 to Inside-Trunk:10.22.8.174/40004 duration 0:00:00 bytes 2103 TCP FINs
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 186.111.72.11/80 to 204.111.72.226/45019 flags SYN ACK on interface Outside_VPN
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302014: Teardown TCP connection 17604987 for outside:209.111.72.151/443 to inside:10.22.8.188/64306 duration 0:00:31 bytes 10128 TCP FINs
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302014: Teardown TCP connection 17604999 for outside:209.111.72.151/443 to inside:10.22.8.188/64307 duration 0:00:30 bytes 6370 TCP FINs
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167347 for Outside_VPN:198.111.72.24/2134 to DMZ-Inside:10.22.8.53/443 duration 0:00:01 bytes 9785 TCP FINs
+<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245506 for outside:10.22.8.110/49886 (10.22.8.110/49886) to inside:192.111.72.8/8612 (192.111.72.8/8612) (user.name)
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805993 for outside:10.22.8.89/56917(LOCAL\user.name) to inside:216.111.72.126/443 duration 0:00:00 bytes 0 TCP FINs (user.name)
+<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-710005: UDP request discarded from 10.22.8.223/49192 to outside:224.111.72.252/5355
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488166143 for Outside_VPN:198.111.72.64/80 to Inside-Trunk:10.22.8.39/54883 duration 0:00:04 bytes 1148 TCP FINs
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.84/445 to 10.22.8.219/60726 flags ACK on interface inside
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168344 for DMZ-Inside:10.22.8.53/61682 to Inside-Trunk:10.22.8.174/40004 duration 0:00:00 bytes 5648 TCP FINs
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168345 for DMZ-Inside:10.22.8.16/31454 to Inside-Trunk:10.22.8.21/443 duration 0:00:00 bytes 756 TCP FINs
+<182>Jan 5 20:22:35 10.22.8.4 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.12/0 gaddr 10.22.8.45/1 laddr 10.22.8.45/1
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 50.111.72.230/80 to 204.111.72.254/53077 flags RST on interface Outside_VPN
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603649 for outside:206.111.72.2/161 to inside:10.22.8.48/63297 duration 0:02:01 bytes 209
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603650 for outside:207.111.72.122/161 to inside:10.22.8.48/63298 duration 0:02:01 bytes 209
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603652 for outside:206.111.72.2/161 to inside:10.22.8.48/63300 duration 0:02:01 bytes 115
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-302016: Teardown UDP connection 17603657 for outside:206.111.72.2/161 to inside:10.22.8.48/63306 duration 0:02:01 bytes 115
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168436 for DMZ-Inside:10.22.8.51/51235 to Inside-Trunk:10.22.8.174/40004 duration 0:00:00 bytes 2497 TCP FINs
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167656 for Outside_VPN:69.111.72.70/21560 to DMZ-Inside:10.22.8.53/443 duration 0:00:01 bytes 11410 TCP FINs
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806050 for outside:10.22.8.62/53965 (10.22.8.62/53965)(LOCAL\user.name) to inside:10.22.8.85/53 (10.22.8.85/53) (user.name)
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806052 for outside:10.22.8.62/56500 (10.22.8.62/56500)(LOCAL\user.name) to inside:198.111.72.83/443 (198.111.72.83/443) (user.name)
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806054 for outside:10.22.8.62/56502 (10.22.8.62/56502)(LOCAL\user.name) to inside:50.111.72.252/443 (50.111.72.252/443) (user.name)
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.188/64340 to outside:206.111.72.41/2013
+<166>Jan 5 15:52:35 10.22.8.33 %ASA-6-305012: Teardown dynamic UDP translation from inside:192.111.72.2/62251 to outside:79.111.72.174/21311 duration 0:02:30
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806058 for outside:10.22.8.221/56631 (10.22.8.221/56631)(LOCAL\user.name) to inside:10.22.8.26/389 (10.22.8.26/389) (user.name)
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168189 for Outside_VPN:209.111.72.10/56619 to DMZ-Inside:10.22.8.53/443 duration 0:00:00 bytes 2477 TCP FINs
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.112/52235 to 198.111.72.227/80 flags ACK on interface Inside-Trunk
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167192 for Outside_VPN:115.111.72.7/49196 to DMZ-Inside:10.22.8.57/443 duration 0:00:02 bytes 20588 TCP Reset-O
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212806055 for outside:10.22.8.62/55383(LOCAL\user.name) to inside:10.22.8.85/53 duration 0:00:00 bytes 349 (user.name)
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168380 for Outside_VPN:74.111.72.12/443 to Inside-Trunk:10.22.8.39/54894 duration 0:00:00 bytes 5701 TCP FINs
+<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245522 for outside:10.22.8.147/56343 (10.22.8.147/56343) to inside:209.111.72.151/443 (209.111.72.151/443) (user.name)
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168443 for Outside_VPN:23.111.72.27/80 to Inside-Trunk:10.22.8.81/64713 duration 0:00:00 bytes 2426 TCP FINs
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488111566 for Outside_VPN:131.111.72.49/443 to Inside-Trunk:10.22.8.127/56558 duration 0:01:57 bytes 3614 TCP Reset-O
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806061 for outside:10.22.8.17/58635 (10.22.8.17/58635)(LOCAL\user.name) to inside:10.22.8.12/389 (10.22.8.12/389) (user.name)
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806010 for outside:10.22.8.33/60223(LOCAL\user.name) to inside:10.22.8.86/389 duration 0:00:00 bytes 416 TCP Reset-I (user.name)
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806062 for outside:10.22.8.221/56632 (10.22.8.221/56632)(LOCAL\user.name) to inside:10.22.8.73/389 (10.22.8.73/389) (user.name)
+<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168231 for Outside_VPN:204.111.72.243/3011 to Inside-Trunk:10.22.8.208/60037 duration 0:00:00 bytes 19415 TCP FINs
+<166>Jan 5 16:52:35 10.22.8.41 %ASA-6-302013: Built inbound TCP connection 45476108 for Outside:10.22.8.97/53484 (10.22.8.97/53484)(LOCAL\user.name) to Inside:141.111.72.70/7576 (141.111.72.70/7576) (user.name)
+<174>Jan 5 14:52:35 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245527 for outside:10.22.8.97/65195 (10.22.8.97/65195) to inside:17.111.72.212/5223 (17.111.72.212/5223) (user.name)
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806018 for outside:10.22.8.17/58632(LOCAL\user.name) to inside:10.22.8.12/389 duration 0:00:00 bytes 0 TCP FINs (user.name)
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168562 for DMZ-Inside:10.22.8.51/51236 to Inside-Trunk:10.22.8.174/40004 duration 0:00:00 bytes 2273 TCP FINs
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806065 for outside:10.22.8.62/59829 (10.22.8.62/59829)(LOCAL\user.name) to inside:10.22.8.85/53 (10.22.8.85/53) (user.name)
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212806067 for outside:10.22.8.143/62675 (10.22.8.143/62675)(LOCAL\user.name) to inside:141.111.72.12/389 (141.111.72.12/389) (user.name)
+<167>Jan 5 08:52:35 10.22.8.216 %ASA-7-710005: UDP request discarded from 10.22.8.223/61122 to outside:224.111.72.252/5355
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.143/0(LOCAL\user.name) gaddr 141.111.72.12/0 laddr 141.111.72.12/0 (user.name)
+<142>Jan 5 08:52:35 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168547 for Outside_VPN:107.111.72.102/80 to Inside-Trunk:10.22.8.54/61676 duration 0:00:00 bytes 1030 TCP FINs
+<166>Jan 5 08:52:35 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806078 for outside:10.22.8.221/56633 (10.22.8.221/56633)(LOCAL\user.name) to inside:10.22.8.20/389 (10.22.8.20/389) (user.name)
+<166>Jan 5 09:52:35 10.22.8.12 %ASA-6-305011: Built dynamic TCP translation from inside:10.22.8.83/59915 to outside:206.111.72.41/22776
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168044 for Outside_VPN:50.111.72.39/80 to Inside-Trunk:10.22.8.75/60877 duration 0:00:01 bytes 13304 TCP FINs
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488118326 for Outside_VPN:23.111.72.27/80 to Inside-Trunk:10.22.8.229/57901 duration 0:01:45 bytes 1942 TCP FINs
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488160565 for Outside_VPN:72.111.72.29/80 to Inside-Trunk:10.22.8.42/57520 duration 0:00:15 bytes 1025 TCP FINs
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488096423 for Outside_VPN:72.111.72.43/80 to Inside-Trunk:10.22.8.127/59096 duration 0:02:27 bytes 99347 TCP Reset-O
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488095522 for Outside_VPN:72.111.72.43/80 to Inside-Trunk:10.22.8.127/59087 duration 0:02:29 bytes 154785 TCP Reset-O
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488106557 for Outside_VPN:72.111.72.43/80 to Inside-Trunk:10.22.8.127/59134 duration 0:02:09 bytes 25319 TCP Reset-O
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488096426 for Outside_VPN:72.111.72.43/80 to Inside-Trunk:10.22.8.127/59099 duration 0:02:27 bytes 26171 TCP Reset-O
+<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212806005 for outside:10.22.8.17/58630(LOCAL\user.name) to inside:10.22.8.12/389 duration 0:00:00 bytes 3942 TCP FINs (user.name)
+<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302015: Built inbound UDP connection 212806085 for outside:10.22.8.143/54018 (10.22.8.143/54018)(LOCAL\user.name) to inside:10.22.8.85/53 (10.22.8.85/53) (user.name)
+<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.96/2708 gaddr 10.22.8.30/0 laddr 10.22.8.30/0 (user.name)
+<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245537 for outside:10.22.8.110/49886 (10.22.8.110/49886) to inside:192.111.72.11/8612 (192.111.72.11/8612) (user.name)
+<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-106015: Deny TCP (no connection) from 10.22.8.85/58359 to 10.22.8.11/88 flags RST ACK on interface Outside
+<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.82/0(LOCAL\user.name) gaddr 10.22.8.205/0 laddr 10.22.8.205/0
+<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212799832 for outside:10.22.8.230/55549(LOCAL\user.name) to inside:10.22.8.11/389 duration 0:02:01 bytes 354 (user.name)
+<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212799867 for outside:10.22.8.240/138(LOCAL\user.name) to inside:10.22.8.255/138 duration 0:02:01 bytes 214 (user.name)
+<167>Jan 5 08:52:36 10.22.8.216 %ASA-7-609001: Built local-host inside:67.111.72.204
+<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245544 for outside:10.22.8.227/54540 (10.22.8.227/54540) to inside:63.111.72.124/80 (63.111.72.124/80) (user.name)
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168135 for Outside_VPN:198.111.72.66/36797 to DMZ-Inside:10.22.8.53/80 duration 0:00:01 bytes 89039 TCP FINs
+<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302014: Teardown TCP connection 212805836 for outside:10.22.8.62/56471(LOCAL\user.name) to inside:208.111.72.1/443 duration 0:00:04 bytes 1700 TCP FINs (user.name)
+<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245546 for outside:10.22.8.227/54542 (10.22.8.227/54542) to inside:63.111.72.124/80 (63.111.72.124/80) (user.name)
+<166>Jan 5 08:52:36 10.22.8.216 %ASA-6-302021: Teardown ICMP connection for faddr 10.22.8.74/0(LOCAL\user.name) gaddr 10.22.8.205/0 laddr 10.22.8.205/0
+<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302020: Built outbound ICMP connection for faddr 10.22.8.96/2708 gaddr 10.22.8.30/0 laddr 10.22.8.30/0
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168388 for DMZ-Inside:10.22.8.10/49771 to Inside-Trunk:10.22.8.128/443 duration 0:00:00 bytes 19132 TCP Reset-O
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488168692 for DMZ-Inside:10.22.8.53/61694 to Inside-Trunk:10.22.8.174/40004 duration 0:00:00 bytes 5660 TCP FINs
+<174>Jan 5 14:52:36 10.22.8.212 %ASA-6-302013: Built inbound TCP connection 76245552 for outside:10.22.8.92/51042 (10.22.8.92/51042) to inside:10.22.8.193/9100 (10.22.8.193/9100) (user.name)
+<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-302016: Teardown UDP connection 45474680 for Outside:10.22.8.49/137(LOCAL\user.name) to Inside:10.22.8.12/137 duration 0:02:03 bytes 486 (user.name)
+<166>Jan 5 16:52:36 10.22.8.41 %ASA-6-302016: Teardown UDP connection 45474694 for Outside:10.22.8.49/138(LOCAL\user.name) to Inside:10.22.8.12/138 duration 0:02:01 bytes 184 (user.name)
+<142>Jan 5 08:52:36 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488167720 for Outside_VPN:198.111.72.75/1033 to DMZ-Inside:10.22.8.53/443 duration 0:00:01 bytes 9634 TCP FINs
+<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488165627 for Outside_VPN:170.111.72.22/27463 to DMZ-Inside:10.22.8.53/443 duration 0:00:01 bytes 9756 TCP FINs
+<166>Jan 5 08:52:32 10.22.8.216 %ASA-6-302016: Teardown UDP connection 212805854 for outside:10.22.8.62/54704(LOCAL\user.name) to inside:10.22.8.85/53 duration 0:00:00 bytes 114 (user.name)
+<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-302020: Built inbound ICMP connection for faddr 207.111.72.122/0 gaddr 206.111.72.24/512 laddr 10.22.8.57/512
+<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-302013: Built outbound TCP connection 17605397 for outside:69.111.72.0/80 (69.111.72.0/80) to inside:10.22.8.102/55659 (206.111.72.41/40627)
+<174>Jan 5 14:52:32 10.22.8.212 %ASA-6-302015: Built inbound UDP connection 76245230 for outside:10.22.8.96/123 (10.22.8.96/123) to inside:10.22.8.12/123 (10.22.8.12/123) (user.name)
+<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488031413 for Outside_VPN:184.111.72.216/50341 to DMZ-Inside:10.22.8.57/443 duration 0:05:01 bytes 13543 TCP Reset-O
+<166>Jan 5 16:52:32 10.22.8.41 %ASA-6-302020: Built inbound ICMP connection for faddr 10.22.8.95/1(LOCAL\user.name) gaddr 10.22.8.12/0 laddr 10.22.8.12/0 (user.name)
+<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488030393 for DMZ-Inside:[10.22.8.10/57109 to Inside-Trunk:10.22.8.128/443 duration 0:05:04 bytes 13541 TCP Reset-O
+<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149/62156 to outside:206.111.72.41/19576 duration 0:00:44
+<166>Jan 5 09:52:32 10.22.8.12 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.22.8.149/62159 to outside:206.111.72.41/39634 duration 0:00:44
+<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488031793 for Outside_VPN:198.111.72.146/28026 to DMZ-Inside:10.22.8.53/443 duration 0:05:00 bytes 119 TCP FINs
+<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-302014: Teardown TCP connection 488030810 for DMZ-Inside:10.22.8.10/56930 to Inside-Trunk:10.22.8.128/443 duration 0:05:03 bytes 13543 TCP Reset-O
+<142>Jan 5 08:52:32 10.22.8.201 %ASA-6-106015: Deny TCP (no connection) from 186.111.72.11/80 to 204.111.72.199/61438 flags SYN ACK on interface Outside_VPN
+<166>Jan 5 08:52:32 10.22.8.216 %ASA-6-302013: Built inbound TCP connection 212805863 for outside:10.22.8.144/61999 (10.22.8.144/61999)(LOCAL\user.name) to inside:10.22.8.163/80 (10.22.8.163/80) (user.name)
+<167>Jan 5 08:52:32 10.22.8.216 %ASA-7-609002: Teardown local-host inside:10.22.8.205 duration 0:00:00
\ No newline at end of file
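Review bot: One record near the end of this sample carries a stray bracket, `DMZ-Inside:[10.22.8.10/57109`, which no other line in the file has. If it is a deliberately malformed record meant to exercise the parser's error path, it would be clearer in a separate fixture named for that purpose; otherwise dropping the `[` lets the sample parse uniformly. User names are already masked as `user.name`, but the interface names (`Outside_VPN`, `DMZ-Inside`, `Inside-Trunk`) and internal addressing look as if they come from a real capture, so it is worth confirming the sanitisation covered them before the file ships in a public repository.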
diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/SampleInput/FireeyeExampleOutput b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/SampleInput/FireeyeExampleOutput new file mode 100644 index 0000000000..0210010760 --- /dev/null +++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/SampleInput/FireeyeExampleOutput 
@@ -0,0 +1,90 @@ +<164>fenotify-3483808.2.alert: 1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP/1.1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP/1.1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP/1.1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP/1.1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP/1.1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP/1.1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP +<164>fenotify-793972.2.alert: ontrol: no-cache::~~::~~ dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Exploit.Kit.Magnitude +<164>fenotify-797180.2.alert: 0.8::~~User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36::~~Accept-Encoding: gzip, deflate, sdch::~~Accept-Language: en-US,en;q\=0.8::~~::~~ dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Redirector +<164>fenotify-3483808.3.alert: /1.1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP/1.1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP/1.1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP/1.1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET 
/files/microads/update/InjectScript.js HTTP/1.1::~~User-Agent: WinHttpClient::~~Host: www.microads.me::~~Connection: Keep-Alive::~~::~~GET /files/microads/update/InjectScript.js HTTP/1.1::~~User-Agent: WinHttpClient::~~Host: www.microad cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=Malware.Binary +<164>fenotify-791429.2.alert: t: rapidvideohere.pw::~~Connection: Keep-Alive::~~::~~ dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Exploit.Kit.Magnitude +<164>fenotify-851777.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 00:27:43 UTC dvc=10.201.78.190 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=61395 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851777 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851777 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851901.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 08:56:45 UTC dvc=10.201.78.6 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=59131 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851901 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851901 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851980.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 12:23:51 UTC dvc=10.201.78.20 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=53295 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851980 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851980 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851795.alert: 
CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 02:19:05 UTC dvc=10.201.78.37 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=54975 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851795 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851795 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851805.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 03:23:14 UTC dvc=10.201.78.113 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=50807 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851805 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851805 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851844.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 06:19:41 UTC dvc=10.201.78.59 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=50767 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851844 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851844 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851782.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 01:18:22 UTC dvc=10.201.78.59 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=50940 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851782 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851782 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS 
+<164>fenotify-851940.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 10:57:19 UTC dvc=10.201.78.85 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=50646 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851940 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851940 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851881.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 08:13:15 UTC dvc=10.201.78.84 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=61237 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851881 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851881 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851839.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 05:33:19 UTC dvc=10.201.78.10 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=49186 dvc=10.100.25.5 smac=00:00:0c:07:ac:63 cn1Label=vlan cn1=143 externalId=851839 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851839 dmac=00:1b:17:00:09:01 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851983.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 12:28:26 UTC dvc=10.201.78.57 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=54527 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851983 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851983 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS 
+<164>fenotify-851987.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 12:33:41 UTC dvc=10.201.78.113 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=51218 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851987 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851987 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852010.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 13:15:08 UTC dvc=10.201.78.12 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=55203 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=852010 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852010 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852053.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 14:16:45 UTC dvc=10.201.78.84 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=62235 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=852053 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852053 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852455.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 17:28:38 UTC dvc=10.201.78.34 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=65175 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=852455 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852455 dmac=88:43:e1:95:13:29 cs1Label=sname 
cs1=Trojan.Generic.DNS +<164>fenotify-851887.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 08:24:54 UTC dvc=10.201.78.44 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=56334 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851887 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851887 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851822.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 04:41:49 UTC dvc=10.201.78.54 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=49732 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851822 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851822 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851832.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 05:19:15 UTC dvc=10.201.78.160 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=62962 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851832 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851832 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851780.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 00:56:46 UTC dvc=10.201.78.12 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=54301 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851780 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851780 dmac=88:43:e1:95:13:29 
cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851792.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 02:15:06 UTC dvc=10.201.78.194 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=64831 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851792 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851792 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851806.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 03:24:05 UTC dvc=10.201.78.57 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=53417 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851806 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851806 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851840.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 06:00:58 UTC dvc=10.201.78.40 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=50709 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851840 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851840 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851929.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 10:37:14 UTC dvc=10.201.78.87 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=62909 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851929 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851929 
dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851918.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 10:17:41 UTC dvc=10.201.78.34 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=63483 dvc=10.100.25.5 smac=00:00:0c:07:ac:63 cn1Label=vlan cn1=143 externalId=851918 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851918 dmac=00:1b:17:00:09:01 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851842.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 06:03:05 UTC dvc=10.201.78.68 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=59908 dvc=10.100.25.16 smac=00:00:0c:07:ac:5a cn1Label=vlan cn1=0 externalId=851842 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851842 dmac=00:09:0f:33:4f:48 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851948.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 11:13:18 UTC dvc=10.201.78.86 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=51327 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851948 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851948 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852008.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 13:13:25 UTC dvc=10.201.78.20 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=63619 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=852008 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852008 dmac=88:43:e1:95:13:29 cs1Label=sname 
cs1=Trojan.Generic.DNS +<164>fenotify-852072.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 14:30:09 UTC dvc=10.201.78.37 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=53467 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=852072 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852072 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852077.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 14:31:58 UTC dvc=10.201.78.11 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=58546 dvc=10.100.25.5 smac=00:00:0c:07:ac:63 cn1Label=vlan cn1=143 externalId=852077 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852077 dmac=00:1b:17:00:09:01 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852110.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 14:56:32 UTC dvc=10.201.78.160 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=61983 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=852110 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852110 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852378.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 17:03:31 UTC dvc=10.201.78.85 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=49942 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=852378 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852378 dmac=88:43:e1:95:13:29 cs1Label=sname 
cs1=Trojan.Generic.DNS +<164>fenotify-851787.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 01:57:21 UTC dvc=10.201.78.44 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=55199 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851787 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851787 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851800.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 02:54:32 UTC dvc=10.201.78.34 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=50605 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851800 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851800 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851941.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 10:58:30 UTC dvc=10.201.78.54 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=51721 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851941 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851941 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851850.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 06:29:59 UTC dvc=10.201.78.113 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=50606 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851850 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851850 dmac=00:1d:a2:af:32:a1 
cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851885.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 08:22:40 UTC dvc=10.201.78.37 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=53481 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851885 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851885 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851801.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 02:55:09 UTC dvc=10.201.78.6 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=59875 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851801 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851801 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851884.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 08:20:10 UTC dvc=10.201.78.194 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=50039 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851884 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851884 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851815.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 04:06:05 UTC dvc=10.201.78.11 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=53889 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851815 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851815 
dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851825.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 04:49:07 UTC dvc=10.201.78.85 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=51906 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851825 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851825 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851966.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 11:50:43 UTC dvc=10.201.78.10 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=50758 dvc=10.100.25.5 smac=00:00:0c:07:ac:63 cn1Label=vlan cn1=143 externalId=851966 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851966 dmac=00:1b:17:00:09:01 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852112.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 14:58:20 UTC dvc=10.201.78.6 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=60631 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=852112 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852112 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852126.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 15:03:43 UTC dvc=10.201.78.60 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=65017 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=852126 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852126 
dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852407.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 17:15:10 UTC dvc=10.201.78.54 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=49620 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=852407 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852407 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852417.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 17:17:11 UTC dvc=10.201.78.86 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=51333 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=852417 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852417 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852431.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 17:20:08 UTC dvc=10.201.78.11 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=53525 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=852431 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852431 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852438.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 17:21:21 UTC dvc=10.201.78.84 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=62464 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=852438 cs4Label=link 
cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852438 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-3483822.1.alert: CEF:0|FireEye|CMS|7.2.1.244420|MO|malware-object|4|rt=Feb 09 2015 07:24:06 UTC dvc=10.201.78.216 cn3Label=cncPort cn3=80 dst=191.235.179.140 fileHash=6126d97e5bd4e6d93e3e3579cc5b3ce0 filePath=/analysis/191.235.179.140_80-10.220.55.216_56118--833719413_9204551_T.pcoff cs5Label=cncHost cs5=api.shamenchik.info cs3Label=osinfo cs3=Microsoft WindowsXP 32-bit 5.1 sp3 14.0528 proto=tcp dvchost=DEVFEYE1 dvc=10.100.25.16 cn1Label=vlan cn1=0 externalId=3483822 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ma_id\=3483822 cs6Label=channel cs6=POST /api/sdm HTTP/1.1::~~Content-Type: application/x-json::~~Accept: */*::~~User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)::~~Host: api.shamenchik.info::~~Content-Length: 800::~~Connection: Keep-Alive::~~Cache-Control: no-cache::~~::~~g+3CouWsTcAym6cirpXcrPeCqh2q2xYh//aNKX15/lgvTM +<164>fenotify-851890.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 08:36:36 UTC dvc=10.201.78.160 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=63018 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851890 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851890 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851861.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 07:11:45 UTC dvc=10.201.78.20 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=62660 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851861 
cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851861 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851781.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 01:10:09 UTC dvc=10.201.78.20 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=63319 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851781 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851781 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851837.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 05:30:01 UTC dvc=10.201.78.60 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=49533 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851837 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851837 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851846.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 06:26:50 UTC dvc=10.201.78.57 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=53933 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851846 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851846 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851920.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 10:26:37 UTC dvc=10.201.78.51 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=60410 dvc=10.100.25.16 smac=00:00:0c:07:ac:63 cn1Label=vlan cn1=0 
externalId=851920 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851920 dmac=5c:5e:ab:eb:ab:0d cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851818.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 04:25:02 UTC dvc=10.201.78.51 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=60319 dvc=10.100.25.16 smac=00:00:0c:07:ac:63 cn1Label=vlan cn1=0 externalId=851818 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851818 dmac=5c:5e:ab:eb:ab:0d cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851866.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 07:13:28 UTC dvc=10.201.78.12 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=54836 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851866 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851866 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851773.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 00:01:29 UTC dvc=10.201.78.68 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=60239 dvc=10.100.25.16 smac=00:00:0c:07:ac:5a cn1Label=vlan cn1=0 externalId=851773 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851773 dmac=00:09:0f:33:4f:48 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851935.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 10:48:18 UTC dvc=10.201.78.11 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=54362 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851935 
cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851935 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851970.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 12:04:50 UTC dvc=10.201.78.40 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=50327 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851970 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851970 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851975.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 12:21:18 UTC dvc=10.201.78.59 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=51420 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851975 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851975 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852454.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 17:28:34 UTC dvc=10.201.78.44 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=55348 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=852454 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852454 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-3483798.2.alert: act;Trojan.Kuloz;Trojan.Kuluoz +<164>fenotify-834781.2.alert: Connection: Keep-Alive::~~::~~ dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Malicious.URL +<164>fenotify-3483794.3.alert: 0d3cc7cc055f8d686a1b5d5c30db85c5423620e6bd231d592266782cf5e1647ae575e77b HTTP/1.1::~~Accept: */*::~~Proxy-Authorization: Basic 
::~~User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36::~~Host: 5aqobwcp1xuqztwht.0eq0w6k.com::~~Connection: Keep-Alive::~~::~~ cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_Evasion_Sandboxie;FE_Evasion_VMDetect +<164>fenotify-3483796.2.alert: jan.Kuloz;Trojan.Kuluoz +<164>fenotify-851894.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 08:45:48 UTC dvc=10.201.78.60 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=49433 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851894 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851894 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851899.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 08:54:50 UTC dvc=10.201.78.34 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=50711 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851899 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851899 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851851.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 06:31:05 UTC dvc=10.201.78.190 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=61134 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851851 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851851 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851845.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 06:20:46 UTC dvc=10.201.78.20 cn3Label=cncPort 
cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=55294 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851845 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851845 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851789.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 02:03:48 UTC dvc=10.201.78.84 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=62782 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851789 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851789 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851820.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 04:33:45 UTC dvc=10.201.78.87 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=63559 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851820 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851820 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851828.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 05:09:07 UTC dvc=10.201.78.86 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=52967 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=851828 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851828 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851816.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 04:16:05 UTC dvc=10.201.78.34 
cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=61806 dvc=10.100.25.5 smac=00:00:0c:07:ac:63 cn1Label=vlan cn1=143 externalId=851816 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851816 dmac=00:1b:17:00:09:01 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851831.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 05:14:31 UTC dvc=10.201.78.11 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=58655 dvc=10.100.25.5 smac=00:00:0c:07:ac:63 cn1Label=vlan cn1=143 externalId=851831 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851831 dmac=00:1b:17:00:09:01 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851950.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 11:16:07 UTC dvc=10.201.78.11 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=58855 dvc=10.100.25.5 smac=00:00:0c:07:ac:63 cn1Label=vlan cn1=143 externalId=851950 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851950 dmac=00:1b:17:00:09:01 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-851988.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 12:35:26 UTC dvc=10.201.78.190 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=61427 dvc=10.100.25.16 smac=00:00:0c:07:ac:00 cn1Label=vlan cn1=0 externalId=851988 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=851988 dmac=00:1d:a2:af:32:a1 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852013.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 13:18:29 UTC dvc=10.201.78.34 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 proto=udp 
cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=61630 dvc=10.100.25.5 smac=00:00:0c:07:ac:63 cn1Label=vlan cn1=143 externalId=852013 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852013 dmac=00:1b:17:00:09:01 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852070.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 14:27:45 UTC dvc=10.201.78.44 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=54769 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=852070 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852070 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852082.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 14:35:15 UTC dvc=10.201.78.68 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=60922 dvc=10.100.25.16 smac=00:00:0c:07:ac:5a cn1Label=vlan cn1=0 externalId=852082 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852082 dmac=00:09:0f:33:4f:48 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852114.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 14:59:08 UTC dvc=10.201.78.194 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=50396 dvc=10.100.25.16 smac=00:00:0c:07:ac:c8 cn1Label=vlan cn1=0 externalId=852114 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852114 dmac=88:43:e1:95:13:29 cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-852295.alert: CEF:0|FireEye|CMS|7.2.1.244420|DM|domain-match|1|rt=Feb 09 2015 16:30:40 UTC dvc=10.201.78.51 cn3Label=cncPort cn3=53 cn2Label=sid cn2=80494706 shost=dev001srv02.example.com proto=udp 
cs5Label=cncHost cs5=mfdclk001.org dvchost=DEVFEYE1 spt=60266 dvc=10.100.25.16 smac=00:00:0c:07:ac:63 cn1Label=vlan cn1=0 externalId=852295 cs4Label=link cs4=https://DEVCMS01.example.com/event_stream/events_for_bot?ev_id\=852295 dmac=5c:5e:ab:eb:ab:0d cs1Label=sname cs1=Trojan.Generic.DNS +<164>fenotify-3483807.2.alert: 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&report\=p509XA27GEFLLes0RJ8pJJdIkbJ+3YkVUv2qjhuxlRPlVrrEZckeXFIaD+4/a1xulR8kKMx9GrPD2uc/wC+NxgKg/ok/kttHH45shX4YjPLsS4QtXUHugcE5Rr1238CYegHwOKWzAp3g5Mpt7loabRTBtmzXXeLBV4cFKv3zWpxQ7+CBGpsDfsvkD2Qgst3FX05VQHBpnJfXgRqdRrLyUjezF1tlIgvvNCv6hQ+zffxKk0WcDoUe8 +<164>fenotify-3483794.2.alert: 53 Safari/537.36::~~Host: 5aqobwcp1xuqztwht.0eq0w6k.com::~~Connection: Keep-Alive::~~::~~GET /93ea73bcdaf32d5074e62be84ee83a84cacefa8dcf855c265457842d6b05f469863ca7110d3cc7cc055f8d686a1b5d5c30db85c5423620e6bd231d592266782cf5e1647ae575e77b HTTP/1.1::~~Accept: */*::~~Proxy-Authorization: Basic ::~~User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36::~~Host: 5aqobwcp1xuqztwht.0eq0w6k.com::~~Connection: Keep-Alive::~~::~~GET /93ea73bcdaf32d5074e62be84ee83a84cacefa8dcf855c265457842d6b05f469863ca7110d3cc7cc055f8d686a1b5d5c30db85c5423620e6bd231d592266782cf5e1647ae575e77b HTTP/1.1::~~Accept: */*::~~Proxy-Authorization: Basic ::~~User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36::~~Host: 5aqobwcp1xuqztwht.0eq0w6k.com::~~Connection: Keep-Alive::~~::~~GET /93ea73bcdaf32d5074e62be84ee83a84cacefa8dcf855c265457842d6b05f469863ca711 +<164>fenotify-3483799.2.alert: L, like Gecko) Chrome/35.0.1916.153 Safari/537.36::~~Host: pkeyqcot5gzamu.5t9dyvo2.com::~~Connection: Keep-Alive::~~::~~ cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=FE_PUP_Softpulse;FE_Evasion_VMDetect;FE_Evasion_DBGDetect_Files;FE_Evasion_Sandboxie +<164>fenotify-3483807.3.alert: 
n6o4JWRQX2V1jsLkx8LFQz3nXe7Bbiuuc1sMcdS/lEv7f9zpw09qs0LvVpRJe4tZjE4Gsghh7Xh5OAxE2A7HBLnWjloIazv6jvun+R1BpF1vuujyEdDgKWIv4BeMmQQJ6p66O/U0jHvWelTBMT+RTVFERsryrpWE+g7AHeRyzDIERgWxHxzA9y6cQ9JYp2/JOPdUzWnLWM24Be6fWmlJ37J90GuEvHh+WXWsaewcBg8xUAhlQBfEHP01PGcuX2yJin2rQ8/GhkiF210HCJUCIbxxz6rZuf6CaksKSXPIeXf1Iifha58Rtm cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=Malware.Binary
\ No newline at end of file
diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/SampleInput/ISESampleOutput b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/SampleInput/ISESampleOutput
index 1a73c1f0d7..1cb0678dc8 100644
--- a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/SampleInput/ISESampleOutput
+++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/SampleInput/ISESampleOutput
@@ -1,19 +1,19 @@ -Aug 6 17:26:31 10.34.84.145 Aug 7 00:45:43 stage-pdp01 CISE_Profiler 0000024855 1 0 2014-08-07 00:45:43.741 -07:00 0000288542 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=113, EndpointCertainityMetric=10, EndpointIPAddress=10.56.111.14, EndpointMacAddress=3C:97:0E:C3:F8:F1, EndpointMatchedPolicy=Nortel-Device, EndpointNADAddress=10.56.72.127, EndpointOUI=Wistron InfoComm(Kunshan)Co.\,Ltd., EndpointPolicy=Nortel-Device, EndpointProperty=StaticAssignment=false\,PostureApplicable=Yes\,PolicyVersion=402\,IdentityGroupID=0c1d9270-68a6-11e1-bc72-0050568e013c\,Total Certainty Factor=10\,BYODRegistration=Unknown\,FeedService=false\,EndPointPolicyID=49054ed0-68a6-11e1-bc72-0050568e013c\,FirstCollection=1407397543718\,MatchedPolicyID=49054ed0-68a6-11e1-bc72-0050568e013c\,TimeToProfile=19\,StaticGroupAssignment=false\,NmapSubnetScanID=0\,DeviceRegistrationStatus=NotRegistered\,PortalUser=, EndpointSourceEvent=SNMPQuery Probe, EndpointIdentityGroup=Profiled, ProfilerServer=stage-pdp01.cisco.com, -Aug 6 17:26:31 10.34.84.145 Aug 7 00:45:43 stage-pdp01 CISE_Profiler 0000024856 1 0 2014-08-07 00:45:43.786 -07:00 0000288543 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=113, EndpointCertainityMetric=10, EndpointIPAddress=10.56.111.14, EndpointMacAddress=3C:97:0E:C3:F8:F1, EndpointMatchedPolicy=Nortel-Device, EndpointNADAddress=10.56.72.127, EndpointOUI=Wistron InfoComm(Kunshan)Co.\,Ltd., EndpointPolicy=Nortel-Device, EndpointProperty=StaticAssignment=false\,PostureApplicable=Yes\,BYODRegistration=Unknown\,EndPointPolicyID=49054ed0-68a6-11e1-bc72-0050568e013c\,FirstCollection=1407397543718\,TimeToProfile=19\,LastNmapScanTime=0\,StaticGroupAssignment=false\,DeviceRegistrationStatus=NotRegistered\,UpdateTime=0\,PolicyVersion=402\,IdentityGroupID=0c1d9270-68a6-11e1-bc72-0050568e013c\,Total Certainty 
Factor=10\,FeedService=false\,MatchedPolicyID=49054ed0-68a6-11e1-bc72-0050568e013c\,NmapScanCount=0\,NmapSubnetScanID=0\,PortalUser=, EndpointSourceEvent=SNMPQuery Probe, EndpointIdentityGroup=Profiled, ProfilerServer=stage-pdp01.cisco.com, -Aug 6 20:00:52 10.42.7.64 Aug 7 03:20:05 npf-sjca-pdp02 CISE_Profiler 0000373185 1 0 2014-08-07 03:20:05.549 -07:00 0011310202 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=241, EndpointCertainityMetric=90, EndpointIPAddress=10.56.129.142, EndpointMacAddress=3C:A9:F4:46:75:CC, EndpointMatchedPolicy=Windows7-Workstation, EndpointNADAddress=10.56.129.4, EndpointOUI=Intel Corporate, EndpointPolicy=Windows7-Workstation, EndpointProperty=StaticAssignment=false\,Calling-Station-ID=3c-a9-f4-46-75-cc\,Device Identifier=\,PostureApplicable=Yes\,dhcp-class-identifier=MSFT 5.0\,host-name=HEXAMPLE\,BYODRegistration=Unknown\,EndPointPolicyID=615ed410-68a6-11e1-bc72-0050568e013c\,FirstCollection=1406112353750\,TimeToProfile=11\,Framed-IP-Address=10.56.129.142\,LastNmapScanTime=0\,StaticGroupAssignment=false\,DeviceRegistrationStatus=NotRegistered\,NAS-Port-Type=Wireless - IEEE 802.11\,RegistrationTimeStamp=0\,UpdateTime=1407394245820\,PolicyVersion=403\,IdentityGroupID=5cb39b80-68a6-11e1-bc72-0050568e013c\,Total Certainty Factor=90\,FeedService=false\,MatchedPolicyID=615ed410-68a6-11e1-bc72-0050568e013c\,DestinationIPAddress=10.42.7.64\,CreateTime=1394526689397\,NmapScanCount=0\,NmapSubnetScanID=0\,AAA-Server=npf-sjca-pdp02\,PortalUser=, EndpointSourceEvent=RADIUS Probe, EndpointUserAgent=Mozilla/5.0 (Windows NT 6.1\\\; WOW64\\ rv:30.0) Gecko/20100101 Firefox/30.0, EndpointIdentityGroup=Workstation, ProfilerServer=npf.example.com, -Aug 6 21:00:48 10.42.7.64 Aug 7 04:20:00 npf-sjca-pdp02 CISE_Profiler 0000373902 1 0 2014-08-07 04:20:00.983 -07:00 0011322557 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=241, EndpointCertainityMetric=30, EndpointIPAddress=10.56.129.142, 
EndpointMacAddress=3C:A9:F4:46:75:CC, EndpointMatchedPolicy=Microsoft-Workstation, EndpointNADAddress=10.56.129.4, EndpointOUI=Intel Corporate, EndpointPolicy=Microsoft-Workstation, EndpointProperty=StaticAssignment=false\,Calling-Station-ID=3c-a9-f4-46-75-cc\,Device Identifier=\,PostureApplicable=Yes\,dhcp-class-identifier=MSFT 5.0\,host-name=HEXAMPLE\,BYODRegistration=Unknown\,EndPointPolicyID=5f4a24e0-68a6-11e1-bc72-0050568e013c\,FirstCollection=1406112353750\,TimeToProfile=11\,Framed-IP-Address=10.56.129.142\,LastNmapScanTime=0\,StaticGroupAssignment=false\,DeviceRegistrationStatus=NotRegistered\,NAS-Port-Type=Wireless - IEEE 802.11\,RegistrationTimeStamp=0\,UpdateTime=1407406806572\,PolicyVersion=403\,IdentityGroupID=5cb39b80-68a6-11e1-bc72-0050568e013c\,Total Certainty Factor=30\,FeedService=false\,MatchedPolicyID=5f4a24e0-68a6-11e1-bc72-0050568e013c\,DestinationIPAddress=10.42.7.64\,CreateTime=1394526689397\,NmapScanCount=0\,NmapSubnetScanID=0\,AAA-Server=npf-sjca-pdp02\,PortalUser=, EndpointSourceEvent=RADIUS Probe, EndpointUserAgent=MS-WebServices/1.0, EndpointIdentityGroup=Workstation, ProfilerServer=npf.example.com, -Aug 6 22:22:50 10.42.7.64 Aug 7 05:42:03 npf-sjca-pdp02 CISE_Profiler 0000374846 1 0 2014-08-07 05:42:03.617 -07:00 0011340138 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=241, EndpointCertainityMetric=10, EndpointMacAddress=68:A8:6D:4E:0D:86, EndpointMatchedPolicy=Apple-Device, EndpointOUI=Apple, EndpointPolicy=Apple-Device, EndpointProperty=StaticAssignment=false\,PostureApplicable=Yes\,host-name=PEXAMPLE\,BYODRegistration=Unknown\,EndPointPolicyID=377d8ba0-68a6-11e1-bc72-0050568e013c\,FirstCollection=1407415322895\,TimeToProfile=717\,StaticGroupAssignment=false\,DeviceRegistrationStatus=NotRegistered\,PolicyVersion=403\,IdentityGroupID=abbbcac0-89e6-11e1-bf14-005056aa4dd7\,Total Certainty Factor=10\,ciaddr=0.0.0.0\,FeedService=false\,dhcp-parameter-request-list=1\, 3\, 6\, 15\, 119\, 95\, 252\, 44\, 
46\,MatchedPolicyID=377d8ba0-68a6-11e1-bc72-0050568e013c\,NmapSubnetScanID=0\,PortalUser=, EndpointSourceEvent=DHCP Probe, EndpointIdentityGroup=Apple-Device, ProfilerServer=npf.example.com, -Aug 6 23:30:10 10.42.7.64 Aug 7 06:49:23 npf-sjca-pdp02 CISE_Profiler 0000375603 1 0 2014-08-07 06:49:23.920 -07:00 0011353768 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=241, EndpointCertainityMetric=90, EndpointIPAddress=10.56.129.142, EndpointMacAddress=3C:A9:F4:46:75:CC, EndpointMatchedPolicy=Windows7-Workstation, EndpointNADAddress=10.56.129.4, EndpointOUI=Intel Corporate, EndpointPolicy=Windows7-Workstation, EndpointProperty=StaticAssignment=false\,Calling-Station-ID=3c-a9-f4-46-75-cc\,Device Identifier=\,PostureApplicable=Yes\,dhcp-class-identifier=MSFT 5.0\,host-name=HEXAMPLE\,BYODRegistration=Unknown\,EndPointPolicyID=615ed410-68a6-11e1-bc72-0050568e013c\,FirstCollection=1406112353750\,TimeToProfile=11\,Framed-IP-Address=10.56.129.142\,LastNmapScanTime=0\,StaticGroupAssignment=false\,DeviceRegistrationStatus=NotRegistered\,NAS-Port-Type=Wireless - IEEE 802.11\,RegistrationTimeStamp=0\,UpdateTime=1407410402099\,PolicyVersion=403\,IdentityGroupID=5cb39b80-68a6-11e1-bc72-0050568e013c\,Total Certainty Factor=90\,FeedService=false\,MatchedPolicyID=615ed410-68a6-11e1-bc72-0050568e013c\,DestinationIPAddress=10.42.7.64\,CreateTime=1394526689397\,NmapScanCount=0\,NmapSubnetScanID=0\,AAA-Server=npf-sjca-pdp02\,PortalUser=, EndpointSourceEvent=RADIUS Probe, EndpointUserAgent=Mozilla/5.0 (Windows NT 6.1\\\; WOW64\\ rv:30.0) Gecko/20100101 Firefox/30.0, EndpointIdentityGroup=Workstation, ProfilerServer=npf.example.com, -Aug 6 23:30:48 10.42.7.64 Aug 7 06:50:01 npf-sjca-pdp02 CISE_Profiler 0000375611 1 0 2014-08-07 06:50:01.377 -07:00 0011353875 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=241, EndpointCertainityMetric=50, EndpointIPAddress=10.34.92.103, EndpointMacAddress=3C:A9:F4:29:FC:3C, 
EndpointMatchedPolicy=Microsoft-Workstation, EndpointNADAddress=10.34.76.212, EndpointOUI=Intel Corporate, EndpointPolicy=Microsoft-Workstation, EndpointProperty=StaticAssignment=false\,Calling-Station-ID=3c-a9-f4-29-fc-3c\,Device Identifier=\,PostureApplicable=Yes\,dhcp-class-identifier=MSFT 5.0\,host-name=EXAMPLE\,BYODRegistration=Unknown\,EndPointPolicyID=5f4a24e0-68a6-11e1-bc72-0050568e013c\,FirstCollection=1406109860322\,L4_DST_PORT=50428\,TimeToProfile=7\,Framed-IP-Address=10.34.92.103\,LastNmapScanTime=1380758278898\,StaticGroupAssignment=false\,DeviceRegistrationStatus=NotRegistered\,NAS-Port-Type=Wireless - IEEE 802.11\,RegistrationTimeStamp=0\,UpdateTime=1406686034558\,PolicyVersion=403\,IdentityGroupID=5cb39b80-68a6-11e1-bc72-0050568e013c\,Total Certainty Factor=50\,operating-system=Microsoft Windows Vista SP0 - SP2\, Server 2008\, or Windows 7 Ultimate\,FeedService=false\,MatchedPolicyID=5f4a24e0-68a6-11e1-bc72-0050568e013c\,DestinationIPAddress=10.42.7.64\,CreateTime=1373657280926\,NmapScanCount=3\,NmapSubnetScanID=0\,AAA-Server=npf-sjca-pdp02\,PortalUser=, EndpointSourceEvent=RADIUS Probe, EndpointUserAgent=MS-WebServices/1.0, EndpointIdentityGroup=Workstation, ProfilerServer=npf.example.com, -Aug 6 23:32:52 10.42.7.64 Aug 7 06:52:05 npf-sjca-pdp02 CISE_Profiler 0000375636 1 0 2014-08-07 06:52:05.272 -07:00 0011354313 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=241, EndpointCertainityMetric=30, EndpointIPAddress=10.56.129.143, EndpointMacAddress=E8:2A:EA:23:5E:3D, EndpointMatchedPolicy=Microsoft-Workstation, EndpointNADAddress=10.56.129.4, EndpointOUI=Intel Corporate, EndpointPolicy=Microsoft-Workstation, EndpointProperty=StaticAssignment=false\,Calling-Station-ID=e8-2a-ea-23-5e-3d\,Device Identifier=\,PostureApplicable=Yes\,dhcp-class-identifier=MSFT 
5.0\,host-name=ANOY-WS01\,BYODRegistration=Unknown\,EndPointPolicyID=5f4a24e0-68a6-11e1-bc72-0050568e013c\,FirstCollection=1406114784910\,TimeToProfile=7\,Framed-IP-Address=10.56.129.143\,LastNmapScanTime=0\,StaticGroupAssignment=false\,DeviceRegistrationStatus=NotRegistered\,NAS-Port-Type=Wireless - IEEE 802.11\,RegistrationTimeStamp=0\,UpdateTime=1407395211208\,PolicyVersion=403\,IdentityGroupID=5cb39b80-68a6-11e1-bc72-0050568e013c\,Total Certainty Factor=30\,FeedService=false\,MatchedPolicyID=5f4a24e0-68a6-11e1-bc72-0050568e013c\,DestinationIPAddress=10.42.7.64\,CreateTime=1405408515121\,NmapScanCount=0\,NmapSubnetScanID=0\,AAA-Server=npf-sjca-pdp02\,PortalUser=, EndpointSourceEvent=RADIUS Probe, EndpointUserAgent=MS-WebServices/1.0, EndpointIdentityGroup=Workstation, ProfilerServer=npf.example.com, +Aug 6 17:26:31 10.34.84.145 Aug 7 00:45:43 stage-pdp01 CISE_Profiler 0000024855 1 0 2014-08-07 00:45:43.741 -07:00 0000288542 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=113, EndpointCertainityMetric=10, EndpointIPAddress=10.56.111.14, EndpointMacAddress=3C:97:0E:C3:F8:F1, EndpointMatchedPolicy=Nortel-Device, EndpointNADAddress=10.56.72.127, EndpointOUI=Wistron InfoComm(Kunshan)Co.\,Ltd., EndpointPolicy=Nortel-Device, EndpointProperty=StaticAssignment=false\,PostureApplicable=Yes\,PolicyVersion=402\,IdentityGroupID=0c1d9270-68a6-11e1-bc72-0050568e013c\,Total Certainty Factor=10\,BYODRegistration=Unknown\,FeedService=false\,EndPointPolicyID=49054ed0-68a6-11e1-bc72-0050568e013c\,FirstCollection=1407397543718\,MatchedPolicyID=49054ed0-68a6-11e1-bc72-0050568e013c\,TimeToProfile=19\,StaticGroupAssignment=false\,NmapSubnetScanID=0\,DeviceRegistrationStatus=NotRegistered\,PortalUser=, EndpointSourceEvent=SNMPQuery Probe, EndpointIdentityGroup=Profiled, ProfilerServer=stage-pdp01.cisco.com, +Aug 6 17:26:31 10.34.84.145 Aug 7 00:45:43 stage-pdp01 CISE_Profiler 0000024856 1 0 2014-08-07 00:45:43.786 -07:00 0000288543 80002 INFO Profiler: 
Profiler EndPoint profiling event occurred, ConfigVersionId=113, EndpointCertainityMetric=10, EndpointIPAddress=10.56.111.14, EndpointMacAddress=3C:97:0E:C3:F8:F1, EndpointMatchedPolicy=Nortel-Device, EndpointNADAddress=10.56.72.127, EndpointOUI=Wistron InfoComm(Kunshan)Co.\,Ltd., EndpointPolicy=Nortel-Device, EndpointProperty=StaticAssignment=false\,PostureApplicable=Yes\,BYODRegistration=Unknown\,EndPointPolicyID=49054ed0-68a6-11e1-bc72-0050568e013c\,FirstCollection=1407397543718\,TimeToProfile=19\,LastNmapScanTime=0\,StaticGroupAssignment=false\,DeviceRegistrationStatus=NotRegistered\,UpdateTime=0\,PolicyVersion=402\,IdentityGroupID=0c1d9270-68a6-11e1-bc72-0050568e013c\,Total Certainty Factor=10\,FeedService=false\,MatchedPolicyID=49054ed0-68a6-11e1-bc72-0050568e013c\,NmapScanCount=0\,NmapSubnetScanID=0\,PortalUser=, EndpointSourceEvent=SNMPQuery Probe, EndpointIdentityGroup=Profiled, ProfilerServer=stage-pdp01.cisco.com, +Aug 6 20:00:52 10.42.7.64 Aug 7 03:20:05 npf-sjca-pdp02 CISE_Profiler 0000373185 1 0 2014-08-07 03:20:05.549 -07:00 0011310202 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=241, EndpointCertainityMetric=90, EndpointIPAddress=10.56.129.142, EndpointMacAddress=3C:A9:F4:46:75:CC, EndpointMatchedPolicy=Windows7-Workstation, EndpointNADAddress=10.56.129.4, EndpointOUI=Intel Corporate, EndpointPolicy=Windows7-Workstation, EndpointProperty=StaticAssignment=false\,Calling-Station-ID=3c-a9-f4-46-75-cc\,Device Identifier=\,PostureApplicable=Yes\,dhcp-class-identifier=MSFT 5.0\,host-name=HASSI-WS03\,BYODRegistration=Unknown\,EndPointPolicyID=615ed410-68a6-11e1-bc72-0050568e013c\,FirstCollection=1406112353750\,TimeToProfile=11\,Framed-IP-Address=10.56.129.142\,LastNmapScanTime=0\,StaticGroupAssignment=false\,DeviceRegistrationStatus=NotRegistered\,NAS-Port-Type=Wireless - IEEE 802.11\,RegistrationTimeStamp=0\,UpdateTime=1407394245820\,PolicyVersion=403\,IdentityGroupID=5cb39b80-68a6-11e1-bc72-0050568e013c\,Total 
Certainty Factor=90\,FeedService=false\,MatchedPolicyID=615ed410-68a6-11e1-bc72-0050568e013c\,DestinationIPAddress=10.42.7.64\,CreateTime=1394526689397\,NmapScanCount=0\,NmapSubnetScanID=0\,AAA-Server=npf-sjca-pdp02\,PortalUser=, EndpointSourceEvent=RADIUS Probe, EndpointUserAgent=Mozilla/5.0 (Windows NT 6.1\\\; WOW64\\ rv:30.0) Gecko/20100101 Firefox/30.0, EndpointIdentityGroup=Workstation, ProfilerServer=npf-sjca-pdp02.cisco.com, +Aug 6 21:00:48 10.42.7.64 Aug 7 04:20:00 npf-sjca-pdp02 CISE_Profiler 0000373902 1 0 2014-08-07 04:20:00.983 -07:00 0011322557 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=241, EndpointCertainityMetric=30, EndpointIPAddress=10.56.129.142, EndpointMacAddress=3C:A9:F4:46:75:CC, EndpointMatchedPolicy=Microsoft-Workstation, EndpointNADAddress=10.56.129.4, EndpointOUI=Intel Corporate, EndpointPolicy=Microsoft-Workstation, EndpointProperty=StaticAssignment=false\,Calling-Station-ID=3c-a9-f4-46-75-cc\,Device Identifier=\,PostureApplicable=Yes\,dhcp-class-identifier=MSFT 5.0\,host-name=HASSI-WS03\,BYODRegistration=Unknown\,EndPointPolicyID=5f4a24e0-68a6-11e1-bc72-0050568e013c\,FirstCollection=1406112353750\,TimeToProfile=11\,Framed-IP-Address=10.56.129.142\,LastNmapScanTime=0\,StaticGroupAssignment=false\,DeviceRegistrationStatus=NotRegistered\,NAS-Port-Type=Wireless - IEEE 802.11\,RegistrationTimeStamp=0\,UpdateTime=1407406806572\,PolicyVersion=403\,IdentityGroupID=5cb39b80-68a6-11e1-bc72-0050568e013c\,Total Certainty Factor=30\,FeedService=false\,MatchedPolicyID=5f4a24e0-68a6-11e1-bc72-0050568e013c\,DestinationIPAddress=10.42.7.64\,CreateTime=1394526689397\,NmapScanCount=0\,NmapSubnetScanID=0\,AAA-Server=npf-sjca-pdp02\,PortalUser=, EndpointSourceEvent=RADIUS Probe, EndpointUserAgent=MS-WebServices/1.0, EndpointIdentityGroup=Workstation, ProfilerServer=npf-sjca-pdp02.cisco.com, +Aug 6 22:22:50 10.42.7.64 Aug 7 05:42:03 npf-sjca-pdp02 CISE_Profiler 0000374846 1 0 2014-08-07 05:42:03.617 -07:00 0011340138 
80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=241, EndpointCertainityMetric=10, EndpointMacAddress=68:A8:6D:4E:0D:86, EndpointMatchedPolicy=Apple-Device, EndpointOUI=Apple, EndpointPolicy=Apple-Device, EndpointProperty=StaticAssignment=false\,PostureApplicable=Yes\,host-name=PGIANG-M-306R\,BYODRegistration=Unknown\,EndPointPolicyID=377d8ba0-68a6-11e1-bc72-0050568e013c\,FirstCollection=1407415322895\,TimeToProfile=717\,StaticGroupAssignment=false\,DeviceRegistrationStatus=NotRegistered\,PolicyVersion=403\,IdentityGroupID=abbbcac0-89e6-11e1-bf14-005056aa4dd7\,Total Certainty Factor=10\,ciaddr=0.0.0.0\,FeedService=false\,dhcp-parameter-request-list=1\, 3\, 6\, 15\, 119\, 95\, 252\, 44\, 46\,MatchedPolicyID=377d8ba0-68a6-11e1-bc72-0050568e013c\,NmapSubnetScanID=0\,PortalUser=, EndpointSourceEvent=DHCP Probe, EndpointIdentityGroup=Apple-Device, ProfilerServer=npf-sjca-pdp02.cisco.com, +Aug 6 23:30:10 10.42.7.64 Aug 7 06:49:23 npf-sjca-pdp02 CISE_Profiler 0000375603 1 0 2014-08-07 06:49:23.920 -07:00 0011353768 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=241, EndpointCertainityMetric=90, EndpointIPAddress=10.56.129.142, EndpointMacAddress=3C:A9:F4:46:75:CC, EndpointMatchedPolicy=Windows7-Workstation, EndpointNADAddress=10.56.129.4, EndpointOUI=Intel Corporate, EndpointPolicy=Windows7-Workstation, EndpointProperty=StaticAssignment=false\,Calling-Station-ID=3c-a9-f4-46-75-cc\,Device Identifier=\,PostureApplicable=Yes\,dhcp-class-identifier=MSFT 5.0\,host-name=HASSI-WS03\,BYODRegistration=Unknown\,EndPointPolicyID=615ed410-68a6-11e1-bc72-0050568e013c\,FirstCollection=1406112353750\,TimeToProfile=11\,Framed-IP-Address=10.56.129.142\,LastNmapScanTime=0\,StaticGroupAssignment=false\,DeviceRegistrationStatus=NotRegistered\,NAS-Port-Type=Wireless - IEEE 802.11\,RegistrationTimeStamp=0\,UpdateTime=1407410402099\,PolicyVersion=403\,IdentityGroupID=5cb39b80-68a6-11e1-bc72-0050568e013c\,Total Certainty 
Factor=90\,FeedService=false\,MatchedPolicyID=615ed410-68a6-11e1-bc72-0050568e013c\,DestinationIPAddress=10.42.7.64\,CreateTime=1394526689397\,NmapScanCount=0\,NmapSubnetScanID=0\,AAA-Server=npf-sjca-pdp02\,PortalUser=, EndpointSourceEvent=RADIUS Probe, EndpointUserAgent=Mozilla/5.0 (Windows NT 6.1\\\; WOW64\\ rv:30.0) Gecko/20100101 Firefox/30.0, EndpointIdentityGroup=Workstation, ProfilerServer=npf-sjca-pdp02.cisco.com, +Aug 6 23:30:48 10.42.7.64 Aug 7 06:50:01 npf-sjca-pdp02 CISE_Profiler 0000375611 1 0 2014-08-07 06:50:01.377 -07:00 0011353875 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=241, EndpointCertainityMetric=50, EndpointIPAddress=10.34.92.103, EndpointMacAddress=3C:A9:F4:29:FC:3C, EndpointMatchedPolicy=Microsoft-Workstation, EndpointNADAddress=10.34.76.212, EndpointOUI=Intel Corporate, EndpointPolicy=Microsoft-Workstation, EndpointProperty=StaticAssignment=false\,Calling-Station-ID=3c-a9-f4-29-fc-3c\,Device Identifier=\,PostureApplicable=Yes\,dhcp-class-identifier=MSFT 5.0\,host-name=AMIBASU-WS01\,BYODRegistration=Unknown\,EndPointPolicyID=5f4a24e0-68a6-11e1-bc72-0050568e013c\,FirstCollection=1406109860322\,L4_DST_PORT=50428\,TimeToProfile=7\,Framed-IP-Address=10.34.92.103\,LastNmapScanTime=1380758278898\,StaticGroupAssignment=false\,DeviceRegistrationStatus=NotRegistered\,NAS-Port-Type=Wireless - IEEE 802.11\,RegistrationTimeStamp=0\,UpdateTime=1406686034558\,PolicyVersion=403\,IdentityGroupID=5cb39b80-68a6-11e1-bc72-0050568e013c\,Total Certainty Factor=50\,operating-system=Microsoft Windows Vista SP0 - SP2\, Server 2008\, or Windows 7 Ultimate\,FeedService=false\,MatchedPolicyID=5f4a24e0-68a6-11e1-bc72-0050568e013c\,DestinationIPAddress=10.42.7.64\,CreateTime=1373657280926\,NmapScanCount=3\,NmapSubnetScanID=0\,AAA-Server=npf-sjca-pdp02\,PortalUser=, EndpointSourceEvent=RADIUS Probe, EndpointUserAgent=MS-WebServices/1.0, EndpointIdentityGroup=Workstation, ProfilerServer=npf-sjca-pdp02.cisco.com, +Aug 6 23:32:52 
10.42.7.64 Aug 7 06:52:05 npf-sjca-pdp02 CISE_Profiler 0000375636 1 0 2014-08-07 06:52:05.272 -07:00 0011354313 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=241, EndpointCertainityMetric=30, EndpointIPAddress=10.56.129.143, EndpointMacAddress=E8:2A:EA:23:5E:3D, EndpointMatchedPolicy=Microsoft-Workstation, EndpointNADAddress=10.56.129.4, EndpointOUI=Intel Corporate, EndpointPolicy=Microsoft-Workstation, EndpointProperty=StaticAssignment=false\,Calling-Station-ID=e8-2a-ea-23-5e-3d\,Device Identifier=\,PostureApplicable=Yes\,dhcp-class-identifier=MSFT 5.0\,host-name=ANOY-WS01\,BYODRegistration=Unknown\,EndPointPolicyID=5f4a24e0-68a6-11e1-bc72-0050568e013c\,FirstCollection=1406114784910\,TimeToProfile=7\,Framed-IP-Address=10.56.129.143\,LastNmapScanTime=0\,StaticGroupAssignment=false\,DeviceRegistrationStatus=NotRegistered\,NAS-Port-Type=Wireless - IEEE 802.11\,RegistrationTimeStamp=0\,UpdateTime=1407395211208\,PolicyVersion=403\,IdentityGroupID=5cb39b80-68a6-11e1-bc72-0050568e013c\,Total Certainty Factor=30\,FeedService=false\,MatchedPolicyID=5f4a24e0-68a6-11e1-bc72-0050568e013c\,DestinationIPAddress=10.42.7.64\,CreateTime=1405408515121\,NmapScanCount=0\,NmapSubnetScanID=0\,AAA-Server=npf-sjca-pdp02\,PortalUser=, EndpointSourceEvent=RADIUS Probe, EndpointUserAgent=MS-WebServices/1.0, EndpointIdentityGroup=Workstation, ProfilerServer=npf-sjca-pdp02.cisco.com, Aug 6 16:40:52 10.42.7.64 Aug 7 00:00:04 npf-sjca-pdp02 CISE_Failed_Attempts 0000370855 1 0 2014-08-07 00:00:04.527 -07:00 0011266584 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=5, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/270932, 
SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a0740000056EF53E323F4, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:40:57 10.42.7.63 Aug 7 00:00:09 npf-sjca-pdp01 CISE_Failed_Attempts 0001969834 1 0 2014-08-07 00:00:09.568 -07:00 0098648519 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=2, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2084839, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D4A53E323F9, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, -Aug 6 16:41:24 10.34.84.145 Aug 7 00:00:36 stage-pdp01 CISE_Failed_Attempts 0000024616 1 0 2014-08-07 00:00:36.332 -07:00 0000287007 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19317, FailureReason=11007 
Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:41:26 10.34.84.145 Aug 7 00:00:38 stage-pdp01 CISE_Failed_Attempts 0000024617 1 0 2014-08-07 00:00:38.336 -07:00 0000287011 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19318, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:41:28 10.34.84.145 Aug 7 00:00:40 stage-pdp01 CISE_Failed_Attempts 0000024618 1 0 2014-08-07 00:00:40.336 -07:00 0000287015 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19319, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:41:30 10.34.84.145 Aug 7 00:00:42 stage-pdp01 CISE_Failed_Attempts 0000024619 1 0 2014-08-07 00:00:42.340 -07:00 0000287019 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19320, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:41:32 10.34.84.145 Aug 7 00:00:44 stage-pdp01 CISE_Failed_Attempts 0000024620 1 0 2014-08-07 00:00:44.340 -07:00 
0000287023 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19321, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:41:34 10.34.84.145 Aug 7 00:00:46 stage-pdp01 CISE_Failed_Attempts 0000024621 1 0 2014-08-07 00:00:46.344 -07:00 0000287027 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19322, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:41:24 10.34.84.145 Aug 7 00:00:36 stage-pdp01 CISE_Failed_Attempts 0000024616 1 0 2014-08-07 00:00:36.332 -07:00 0000287007 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19317, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:41:26 10.34.84.145 Aug 7 00:00:38 stage-pdp01 CISE_Failed_Attempts 0000024617 1 0 2014-08-07 00:00:38.336 -07:00 0000287011 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, 
NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19318, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:41:28 10.34.84.145 Aug 7 00:00:40 stage-pdp01 CISE_Failed_Attempts 0000024618 1 0 2014-08-07 00:00:40.336 -07:00 0000287015 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19319, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:41:30 10.34.84.145 Aug 7 00:00:42 stage-pdp01 CISE_Failed_Attempts 0000024619 1 0 2014-08-07 00:00:42.340 -07:00 0000287019 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19320, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:41:32 10.34.84.145 Aug 7 00:00:44 stage-pdp01 CISE_Failed_Attempts 0000024620 1 0 2014-08-07 00:00:44.340 -07:00 0000287023 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19321, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, 
Step=11007, Step=5405, +Aug 6 16:41:34 10.34.84.145 Aug 7 00:00:46 stage-pdp01 CISE_Failed_Attempts 0000024621 1 0 2014-08-07 00:00:46.344 -07:00 0000287027 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19322, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, Aug 6 16:42:02 10.42.7.64 Aug 7 00:01:14 npf-sjca-pdp02 CISE_Failed_Attempts 0000370865 1 0 2014-08-07 00:01:14.610 -07:00 0011266810 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=7, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/270940, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a0740000056F053E3243A, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:42:07 10.42.7.63 Aug 7 00:01:19 npf-sjca-pdp01 CISE_Failed_Attempts 0001969923 1 0 2014-08-07 00:01:19.665 -07:00 0098652715 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, 
UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=2, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2084986, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D4B53E3243F, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:42:12 10.42.7.64 Aug 7 00:01:24 npf-sjca-pdp02 CISE_Failed_Attempts 0000370867 1 0 2014-08-07 00:01:24.701 -07:00 0011266815 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=5, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/270941, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a0740000056F153E32444, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, 
@@ -21,30 +21,30 @@ Aug 6 16:42:17 10.42.7.63 Aug 7 00:01:29 npf-sjca-pdp01 CISE_Failed_Attempts 0 Aug 6 16:43:22 10.42.7.64 Aug 7 00:02:34 npf-sjca-pdp02 CISE_Failed_Attempts 0000370885 1 0 2014-08-07 00:02:34.792 -07:00 0011267367 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=4, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/270956, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a0740000056F353E3248A, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:43:27 10.42.7.63 Aug 7 00:02:39 npf-sjca-pdp01 CISE_Failed_Attempts 0001970043 1 0 2014-08-07 00:02:39.808 -07:00 0098657578 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=1, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2085161, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, 
CPMSessionID=0a2a073f00005D4D53E3248F, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:43:56 10.42.7.64 Aug 7 00:03:08 npf-sjca-pdp02 CISE_Failed_Attempts 0000370897 1 0 2014-08-07 00:03:08.902 -07:00 0011267657 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario, ConfigVersionId=240, Device IP Address=10.56.129.4, Device Port=32770, DestinationIPAddress=10.42.7.64, DestinationPort=1813, RadiusPacketType=AccountingRequest, UserName=yshchory, Protocol=Radius, RequestLatency=49, NetworkDeviceName=NTN-WLC1, User-Name=yshchory, NAS-IP-Address=10.56.129.4, NAS-Port=1, Framed-IP-Address=10.56.129.141, Class=CACS:0a388104000045cd53e2be75:npf-sjca-pdp02/195481465/270958, Called-Station-ID=6c-41-6a-5f-6e-c0, Calling-Station-ID=90-18-7c-7b-59-01, NAS-Identifier=ntn01-11a-wlc1, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=2359603, Acct-Output-Octets=26928466, Acct-Session-Id=53e2be78/90:18:7c:7b:59:01/13844, Acct-Authentic=RADIUS, Acct-Session-Time=1466, Acct-Input-Packets=14866, Acct-Output-Packets=23043, undefined-52= -Aug 6 16:44:01 10.42.7.63 Aug 7 00:03:13 npf-sjca-pdp01 CISE_Failed_Attempts 0001970072 1 0 2014-08-07 00:03:13.112 -07:00 0098658804 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario, ConfigVersionId=133, Device IP Address=10.56.72.127, Device Port=1646, DestinationIPAddress=10.42.7.63, DestinationPort=1813, Protocol=Radius, NetworkDeviceName=ntn01-11a-sw4, User-Name=host/salfi-pc.cisco.com, NAS-IP-Address=10.56.72.127, NAS-Port=50212, Service-Type=Framed, Framed-IP-Address=10.56.111.14, Class=CACS:0A38487F00000397BDA7BCAC:npf-sjca-pdp02/195481465/270957, Called-Station-ID=00-26-99-28-5E-BB, Calling-Station-ID=3C-97-0E-C3-F8-F1, Acct-Status-Type=Interim-Update, Acct-Delay-Time=4, Acct-Input-Octets=225395, Acct-Output-Octets=761436, Acct-Session-Id=00000560, 
Acct-Authentic=RADIUS, Acct-Session-Time=43, Acct-Input-Packets=1163, Acct-Output-Packets=1080, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/12, undefined-151=F54C88B0, cisco-av-pair=audit-session-id=0A38487F00000397BDA7BCAC, cisco-av-pair=connect-progress=Auth Open, AcsSessionID=npf-sjca-pdp01/195491152/2085221, FailureReason=11038 RADIUS Accounting-Request header contains invalid Authenticator field, Step=11004, Step=11017, Step=11038, Step=5435, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0A38487F00000397BDA7BCAC, TotalFailedAttempts=2, TotalFailedTime=42, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, +Aug 6 16:44:01 10.42.7.63 Aug 7 00:03:13 npf-sjca-pdp01 CISE_Failed_Attempts 0001970072 1 0 2014-08-07 00:03:13.112 -07:00 0098658804 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario, ConfigVersionId=133, Device IP Address=10.56.72.127, Device Port=1646, DestinationIPAddress=10.42.7.63, DestinationPort=1813, Protocol=Radius, NetworkDeviceName=ntn01-11a-sw4, User-Name=host/salfi-pc.cisco.com, NAS-IP-Address=10.56.72.127, NAS-Port=50212, Service-Type=Framed, Framed-IP-Address=10.56.111.14, Class=CACS:0A38487F00000397BDA7BCAC:npf-sjca-pdp02/195481465/270957, Called-Station-ID=00-26-99-28-5E-BB, Calling-Station-ID=3C-97-0E-C3-F8-F1, Acct-Status-Type=Interim-Update, Acct-Delay-Time=4, Acct-Input-Octets=225395, Acct-Output-Octets=761436, Acct-Session-Id=00000560, Acct-Authentic=RADIUS, Acct-Session-Time=43, Acct-Input-Packets=1163, Acct-Output-Packets=1080, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/12, undefined-151=F54C88B0, cisco-av-pair=audit-session-id=0A38487F00000397BDA7BCAC, cisco-av-pair=connect-progress=Auth Open, AcsSessionID=npf-sjca-pdp01/195491152/2085221, FailureReason=11038 RADIUS Accounting-Request header contains invalid Authenticator field, Step=11004, Step=11017, 
Step=11038, Step=5435, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0A38487F00000397BDA7BCAC, TotalFailedAttempts=2, TotalFailedTime=42, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Aug 6 16:44:32 10.42.7.64 Aug 7 00:03:44 npf-sjca-pdp02 CISE_Failed_Attempts 0000370899 1 0 2014-08-07 00:03:44.851 -07:00 0011267663 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=7, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/270963, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a0740000056F453E324D0, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, -Aug 6 16:44:36 10.34.84.145 Aug 7 00:03:48 stage-pdp01 CISE_Failed_Attempts 0000024632 1 0 2014-08-07 00:03:48.375 -07:00 0000287084 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19329, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:44:36 10.34.84.145 Aug 7 00:03:48 stage-pdp01 
CISE_Failed_Attempts 0000024632 1 0 2014-08-07 00:03:48.375 -07:00 0000287084 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19329, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, Aug 6 16:44:37 10.42.7.63 Aug 7 00:03:49 npf-sjca-pdp01 CISE_Failed_Attempts 0001970128 1 0 2014-08-07 00:03:49.893 -07:00 0098661643 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=1, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2085307, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D4E53E324D5, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, -Aug 6 16:44:38 10.34.84.145 Aug 7 00:03:50 stage-pdp01 CISE_Failed_Attempts 0000024633 1 0 2014-08-07 00:03:50.379 -07:00 0000287088 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, 
AcsSessionID=stage-pdp01/196593288/19330, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:44:40 10.34.84.145 Aug 7 00:03:52 stage-pdp01 CISE_Failed_Attempts 0000024634 1 0 2014-08-07 00:03:52.379 -07:00 0000287092 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19331, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:44:42 10.34.84.145 Aug 7 00:03:54 stage-pdp01 CISE_Failed_Attempts 0000024635 1 0 2014-08-07 00:03:54.387 -07:00 0000287096 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19332, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:44:38 10.34.84.145 Aug 7 00:03:50 stage-pdp01 CISE_Failed_Attempts 0000024633 1 0 2014-08-07 00:03:50.379 -07:00 0000287088 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19330, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:44:40 10.34.84.145 Aug 7 00:03:52 stage-pdp01 
CISE_Failed_Attempts 0000024634 1 0 2014-08-07 00:03:52.379 -07:00 0000287092 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19331, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:44:42 10.34.84.145 Aug 7 00:03:54 stage-pdp01 CISE_Failed_Attempts 0000024635 1 0 2014-08-07 00:03:54.387 -07:00 0000287096 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19332, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, Aug 6 16:44:42 10.42.7.64 Aug 7 00:03:54 npf-sjca-pdp02 CISE_Failed_Attempts 0000370903 1 0 2014-08-07 00:03:54.924 -07:00 0011267670 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=4, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/270964, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, 
CPMSessionID=0a2a0740000056F553E324DA, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, -Aug 6 16:44:44 10.34.84.145 Aug 7 00:03:56 stage-pdp01 CISE_Failed_Attempts 0000024636 1 0 2014-08-07 00:03:56.386 -07:00 0000287100 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19333, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:44:46 10.34.84.145 Aug 7 00:03:58 stage-pdp01 CISE_Failed_Attempts 0000024637 1 0 2014-08-07 00:03:58.390 -07:00 0000287104 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19334, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:44:44 10.34.84.145 Aug 7 00:03:56 stage-pdp01 CISE_Failed_Attempts 0000024636 1 0 2014-08-07 00:03:56.386 -07:00 0000287100 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19333, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:44:46 10.34.84.145 Aug 7 00:03:58 
stage-pdp01 CISE_Failed_Attempts 0000024637 1 0 2014-08-07 00:03:58.390 -07:00 0000287104 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19334, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, Aug 6 16:44:47 10.42.7.63 Aug 7 00:03:59 npf-sjca-pdp01 CISE_Failed_Attempts 0001970140 1 0 2014-08-07 00:03:59.951 -07:00 0098662310 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=1, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2085331, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D4F53E324DF, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, -Aug 6 16:44:48 10.42.7.64 Aug 7 00:04:00 npf-sjca-pdp02 CISE_Failed_Attempts 0000370905 1 0 2014-08-07 00:04:00.526 -07:00 0011267674 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario, ConfigVersionId=240, Device IP Address=10.56.72.127, Device Port=1646, DestinationIPAddress=10.42.7.64, DestinationPort=1813, Protocol=Radius, NetworkDeviceName=ntn01-11a-sw4, 
User-Name=host/salfi-pc.cisco.com, NAS-IP-Address=10.56.72.127, NAS-Port=50212, Service-Type=Framed, Framed-IP-Address=169.254.53.87, Class=CACS:0A38487F00000397BDA7BCAC:npf-sjca-pdp02/195481465/270957, Called-Station-ID=00-26-99-28-5E-BB, Calling-Station-ID=3C-97-0E-C3-F8-F1, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=1458615, Acct-Output-Octets=3836368, Acct-Session-Id=00000560, Acct-Authentic=RADIUS, Acct-Session-Time=95, Acct-Input-Packets=4505, Acct-Output-Packets=5619, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/12, undefined-151=F54C88B0, cisco-av-pair=audit-session-id=0A38487F00000397BDA7BCAC, cisco-av-pair=connect-progress=Auth Open, AcsSessionID=npf-sjca-pdp02/195481465/270965, FailureReason=11038 RADIUS Accounting-Request header contains invalid Authenticator field, Step=11004, Step=11017, Step=11038, Step=5435, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0A38487F00000397BDA7BCAC, TotalFailedAttempts=2, TotalFailedTime=52, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, +Aug 6 16:44:48 10.42.7.64 Aug 7 00:04:00 npf-sjca-pdp02 CISE_Failed_Attempts 0000370905 1 0 2014-08-07 00:04:00.526 -07:00 0011267674 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario, ConfigVersionId=240, Device IP Address=10.56.72.127, Device Port=1646, DestinationIPAddress=10.42.7.64, DestinationPort=1813, Protocol=Radius, NetworkDeviceName=ntn01-11a-sw4, User-Name=host/salfi-pc.cisco.com, NAS-IP-Address=10.56.72.127, NAS-Port=50212, Service-Type=Framed, Framed-IP-Address=169.254.53.87, Class=CACS:0A38487F00000397BDA7BCAC:npf-sjca-pdp02/195481465/270957, Called-Station-ID=00-26-99-28-5E-BB, Calling-Station-ID=3C-97-0E-C3-F8-F1, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=1458615, Acct-Output-Octets=3836368, Acct-Session-Id=00000560, Acct-Authentic=RADIUS, 
Acct-Session-Time=95, Acct-Input-Packets=4505, Acct-Output-Packets=5619, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/12, undefined-151=F54C88B0, cisco-av-pair=audit-session-id=0A38487F00000397BDA7BCAC, cisco-av-pair=connect-progress=Auth Open, AcsSessionID=npf-sjca-pdp02/195481465/270965, FailureReason=11038 RADIUS Accounting-Request header contains invalid Authenticator field, Step=11004, Step=11017, Step=11038, Step=5435, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0A38487F00000397BDA7BCAC, TotalFailedAttempts=2, TotalFailedTime=52, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Aug 6 16:45:52 10.42.7.64 Aug 7 00:05:04 npf-sjca-pdp02 CISE_Failed_Attempts 0000370920 1 0 2014-08-07 00:05:04.969 -07:00 0011267987 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=6, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/270977, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a0740000056F653E32520, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:45:58 10.42.7.63 Aug 7 00:05:09 npf-sjca-pdp01 CISE_Failed_Attempts 0001970212 1 0 2014-08-07 00:05:09.998 -07:00 0098665518 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device 
Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=1, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2085460, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D5053E32525, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:47:03 10.42.7.64 Aug 7 00:06:15 npf-sjca-pdp02 CISE_Failed_Attempts 0000370931 1 0 2014-08-07 00:06:15.016 -07:00 0011268196 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=5, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/270985, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a0740000056F753E32567, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:47:08 10.42.7.63 Aug 7 00:06:20 npf-sjca-pdp01 CISE_Failed_Attempts 0001970324 1 0 2014-08-07 00:06:20.055 -07:00 0098669942 5405 NOTICE Failed-Attempt: RADIUS Request dropped, 
ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=2, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2085599, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D5153E3256C, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:47:13 10.42.7.64 Aug 7 00:06:25 npf-sjca-pdp02 CISE_Failed_Attempts 0000370934 1 0 2014-08-07 00:06:25.097 -07:00 0011268209 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=5, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/270987, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a0740000056F853E32571, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:47:18 10.42.7.63 Aug 7 00:06:30 npf-sjca-pdp01 CISE_Failed_Attempts 0001970335 1 0 2014-08-07 00:06:30.119 -07:00 
0098670037 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=2, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2085618, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D5253E32576, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, -Aug 6 16:47:48 10.34.84.145 Aug 7 00:07:00 stage-pdp01 CISE_Failed_Attempts 0000024649 1 0 2014-08-07 00:07:00.418 -07:00 0000287210 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19342, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:47:50 10.34.84.145 Aug 7 00:07:02 stage-pdp01 CISE_Failed_Attempts 0000024650 1 0 2014-08-07 00:07:02.421 -07:00 0000287214 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19343, FailureReason=11007 Could 
not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:47:52 10.34.84.145 Aug 7 00:07:04 stage-pdp01 CISE_Failed_Attempts 0000024651 1 0 2014-08-07 00:07:04.425 -07:00 0000287218 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19344, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:47:54 10.34.84.145 Aug 7 00:07:06 stage-pdp01 CISE_Failed_Attempts 0000024652 1 0 2014-08-07 00:07:06.429 -07:00 0000287222 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19345, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:47:56 10.34.84.145 Aug 7 00:07:08 stage-pdp01 CISE_Failed_Attempts 0000024653 1 0 2014-08-07 00:07:08.429 -07:00 0000287226 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19346, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:47:58 10.34.84.145 Aug 7 00:07:10 stage-pdp01 CISE_Failed_Attempts 0000024654 1 0 2014-08-07 00:07:10.433 -07:00 0000287230 5405 
NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19347, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:47:48 10.34.84.145 Aug 7 00:07:00 stage-pdp01 CISE_Failed_Attempts 0000024649 1 0 2014-08-07 00:07:00.418 -07:00 0000287210 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19342, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:47:50 10.34.84.145 Aug 7 00:07:02 stage-pdp01 CISE_Failed_Attempts 0000024650 1 0 2014-08-07 00:07:02.421 -07:00 0000287214 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19343, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:47:52 10.34.84.145 Aug 7 00:07:04 stage-pdp01 CISE_Failed_Attempts 0000024651 1 0 2014-08-07 00:07:04.425 -07:00 0000287218 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, 
NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19344, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:47:54 10.34.84.145 Aug 7 00:07:06 stage-pdp01 CISE_Failed_Attempts 0000024652 1 0 2014-08-07 00:07:06.429 -07:00 0000287222 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19345, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:47:56 10.34.84.145 Aug 7 00:07:08 stage-pdp01 CISE_Failed_Attempts 0000024653 1 0 2014-08-07 00:07:08.429 -07:00 0000287226 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19346, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:47:58 10.34.84.145 Aug 7 00:07:10 stage-pdp01 CISE_Failed_Attempts 0000024654 1 0 2014-08-07 00:07:10.433 -07:00 0000287230 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19347, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, 
Step=11007, Step=5405, Aug 6 16:48:23 10.42.7.64 Aug 7 00:07:35 npf-sjca-pdp02 CISE_Failed_Attempts 0000370955 1 0 2014-08-07 00:07:35.138 -07:00 0011268472 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=5, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/271001, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a0740000056F953E325B7, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:48:28 10.42.7.63 Aug 7 00:07:40 npf-sjca-pdp01 CISE_Failed_Attempts 0001970420 1 0 2014-08-07 00:07:40.178 -07:00 0098673462 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=1, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2085757, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D5353E325BC, Model Name=4503, Location=Location#All Locations#NTN, 
Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:49:33 10.42.7.64 Aug 7 00:08:45 npf-sjca-pdp02 CISE_Failed_Attempts 0000370984 1 0 2014-08-07 00:08:45.219 -07:00 0011269071 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=5, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/271016, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a0740000056FB53E325FD, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, 
@@ -53,24 +53,24 @@ Aug 6 16:49:43 10.42.7.64 Aug 7 00:08:55 npf-sjca-pdp02 CISE_Failed_Attempts 0 Aug 6 16:49:48 10.42.7.63 Aug 7 00:09:00 npf-sjca-pdp01 CISE_Failed_Attempts 0001970524 1 0 2014-08-07 00:09:00.330 -07:00 0098678019 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=2, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2085909, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D5553E3260C, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:50:53 10.42.7.64 Aug 7 00:10:05 npf-sjca-pdp02 CISE_Failed_Attempts 0000370999 1 0 2014-08-07 00:10:05.339 -07:00 0011269371 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=5, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/271027, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, 
CPMSessionID=0a2a0740000056FD53E3264D, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:50:58 10.42.7.63 Aug 7 00:10:10 npf-sjca-pdp01 CISE_Failed_Attempts 0001970625 1 0 2014-08-07 00:10:10.388 -07:00 0098682297 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=2, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2086061, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D5653E32652, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, -Aug 6 16:51:00 10.34.84.145 Aug 7 00:10:12 stage-pdp01 CISE_Failed_Attempts 0000024661 1 0 2014-08-07 00:10:12.492 -07:00 0000287258 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19354, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:51:02 10.34.84.145 Aug 7 00:10:14 stage-pdp01 CISE_Failed_Attempts 0000024662 1 0 2014-08-07 00:10:14.496 -07:00 0000287262 5405 NOTICE Failed-Attempt: RADIUS Request dropped, 
ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19355, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:51:04 10.34.84.145 Aug 7 00:10:16 stage-pdp01 CISE_Failed_Attempts 0000024663 1 0 2014-08-07 00:10:16.496 -07:00 0000287266 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19356, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:51:06 10.34.84.145 Aug 7 00:10:18 stage-pdp01 CISE_Failed_Attempts 0000024664 1 0 2014-08-07 00:10:18.500 -07:00 0000287270 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19357, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:51:08 10.34.84.145 Aug 7 00:10:20 stage-pdp01 CISE_Failed_Attempts 0000024665 1 0 2014-08-07 00:10:20.504 -07:00 0000287274 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, 
NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19358, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:51:10 10.34.84.145 Aug 7 00:10:22 stage-pdp01 CISE_Failed_Attempts 0000024667 1 0 2014-08-07 00:10:22.507 -07:00 0000287279 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19359, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:51:00 10.34.84.145 Aug 7 00:10:12 stage-pdp01 CISE_Failed_Attempts 0000024661 1 0 2014-08-07 00:10:12.492 -07:00 0000287258 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19354, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:51:02 10.34.84.145 Aug 7 00:10:14 stage-pdp01 CISE_Failed_Attempts 0000024662 1 0 2014-08-07 00:10:14.496 -07:00 0000287262 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19355, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:51:04 10.34.84.145 Aug 7 
00:10:16 stage-pdp01 CISE_Failed_Attempts 0000024663 1 0 2014-08-07 00:10:16.496 -07:00 0000287266 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19356, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:51:06 10.34.84.145 Aug 7 00:10:18 stage-pdp01 CISE_Failed_Attempts 0000024664 1 0 2014-08-07 00:10:18.500 -07:00 0000287270 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19357, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:51:08 10.34.84.145 Aug 7 00:10:20 stage-pdp01 CISE_Failed_Attempts 0000024665 1 0 2014-08-07 00:10:20.504 -07:00 0000287274 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19358, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:51:10 10.34.84.145 Aug 7 00:10:22 stage-pdp01 CISE_Failed_Attempts 0000024667 1 0 2014-08-07 00:10:22.507 -07:00 0000287279 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, 
DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19359, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, Aug 6 16:52:03 10.42.7.64 Aug 7 00:11:15 npf-sjca-pdp02 CISE_Failed_Attempts 0000371005 1 0 2014-08-07 00:11:15.432 -07:00 0011269421 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=4, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/271031, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a0740000056FE53E32693, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:52:08 10.42.7.63 Aug 7 00:11:20 npf-sjca-pdp01 CISE_Failed_Attempts 0001970691 1 0 2014-08-07 00:11:20.468 -07:00 0098685176 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=2, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2086181, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS 
request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D5753E32698, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:52:13 10.42.7.64 Aug 7 00:11:25 npf-sjca-pdp02 CISE_Failed_Attempts 0000371007 1 0 2014-08-07 00:11:25.515 -07:00 0011269426 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=5, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/271032, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a0740000056FF53E3269D, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:52:18 10.42.7.63 Aug 7 00:11:30 npf-sjca-pdp01 CISE_Failed_Attempts 0001970708 1 0 2014-08-07 00:11:30.551 -07:00 0098685669 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=8, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2086202, 
SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D5853E326A2, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:53:23 10.42.7.64 Aug 7 00:12:35 npf-sjca-pdp02 CISE_Failed_Attempts 0000371016 1 0 2014-08-07 00:12:35.547 -07:00 0011269586 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=5, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/271040, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a07400000570053E326E3, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:53:28 10.42.7.63 Aug 7 00:12:40 npf-sjca-pdp01 CISE_Failed_Attempts 0001970802 1 0 2014-08-07 00:12:40.596 -07:00 0098689883 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=2, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, 
Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2086334, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D5953E326E8, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, -Aug 6 16:54:12 10.34.84.145 Aug 7 00:13:24 stage-pdp01 CISE_Failed_Attempts 0000024680 1 0 2014-08-07 00:13:24.527 -07:00 0000287388 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19368, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:54:14 10.34.84.145 Aug 7 00:13:26 stage-pdp01 CISE_Failed_Attempts 0000024681 1 0 2014-08-07 00:13:26.531 -07:00 0000287392 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19369, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:54:16 10.34.84.145 Aug 7 00:13:28 stage-pdp01 CISE_Failed_Attempts 0000024682 1 0 2014-08-07 00:13:28.534 -07:00 0000287396 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, 
DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19370, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:54:18 10.34.84.145 Aug 7 00:13:30 stage-pdp01 CISE_Failed_Attempts 0000024683 1 0 2014-08-07 00:13:30.538 -07:00 0000287400 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19371, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:54:20 10.34.84.145 Aug 7 00:13:32 stage-pdp01 CISE_Failed_Attempts 0000024684 1 0 2014-08-07 00:13:32.538 -07:00 0000287404 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19372, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:54:22 10.34.84.145 Aug 7 00:13:34 stage-pdp01 CISE_Failed_Attempts 0000024685 1 0 2014-08-07 00:13:34.542 -07:00 0000287408 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19373, 
FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:54:12 10.34.84.145 Aug 7 00:13:24 stage-pdp01 CISE_Failed_Attempts 0000024680 1 0 2014-08-07 00:13:24.527 -07:00 0000287388 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19368, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:54:14 10.34.84.145 Aug 7 00:13:26 stage-pdp01 CISE_Failed_Attempts 0000024681 1 0 2014-08-07 00:13:26.531 -07:00 0000287392 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19369, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:54:16 10.34.84.145 Aug 7 00:13:28 stage-pdp01 CISE_Failed_Attempts 0000024682 1 0 2014-08-07 00:13:28.534 -07:00 0000287396 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19370, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:54:18 10.34.84.145 Aug 7 00:13:30 stage-pdp01 CISE_Failed_Attempts 0000024683 1 0 2014-08-07 
00:13:30.538 -07:00 0000287400 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19371, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:54:20 10.34.84.145 Aug 7 00:13:32 stage-pdp01 CISE_Failed_Attempts 0000024684 1 0 2014-08-07 00:13:32.538 -07:00 0000287404 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19372, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:54:22 10.34.84.145 Aug 7 00:13:34 stage-pdp01 CISE_Failed_Attempts 0000024685 1 0 2014-08-07 00:13:34.542 -07:00 0000287408 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19373, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, Aug 6 16:54:33 10.42.7.64 Aug 7 00:13:45 npf-sjca-pdp02 CISE_Failed_Attempts 0000371020 1 0 2014-08-07 00:13:45.628 -07:00 0011269631 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, 
RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=5, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/271044, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a07400000570153E32729, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:54:38 10.42.7.63 Aug 7 00:13:50 npf-sjca-pdp01 CISE_Failed_Attempts 0001970913 1 0 2014-08-07 00:13:50.668 -07:00 0098695334 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=2, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2086486, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D5A53E3272E, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:54:43 10.42.7.64 Aug 7 00:13:55 npf-sjca-pdp02 CISE_Failed_Attempts 0000371025 1 0 2014-08-07 00:13:55.694 -07:00 0011269740 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, 
DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=7, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/271048, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a07400000570253E32733, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, 
@@ -79,136 +79,136 @@ Aug 6 16:55:53 10.42.7.64 Aug 7 00:15:05 npf-sjca-pdp02 CISE_Failed_Attempts 0 Aug 6 16:55:58 10.42.7.63 Aug 7 00:15:10 npf-sjca-pdp01 CISE_Failed_Attempts 0001970997 1 0 2014-08-07 00:15:10.772 -07:00 0098698954 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=1, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2086621, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D5C53E3277E, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:57:03 10.42.7.64 Aug 7 00:16:15 npf-sjca-pdp02 CISE_Failed_Attempts 0000371051 1 0 2014-08-07 00:16:15.827 -07:00 0011270497 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=6, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/271067, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, 
CPMSessionID=0a2a07400000570453E327BF, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:57:08 10.42.7.63 Aug 7 00:16:20 npf-sjca-pdp01 CISE_Failed_Attempts 0001971096 1 0 2014-08-07 00:16:20.857 -07:00 0098703837 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=2, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2086806, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D5D53E327C4, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, -Aug 6 16:57:24 10.34.84.145 Aug 7 00:16:36 stage-pdp01 CISE_Failed_Attempts 0000024697 1 0 2014-08-07 00:16:36.602 -07:00 0000287553 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19384, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:57:26 10.34.84.145 Aug 7 00:16:38 stage-pdp01 CISE_Failed_Attempts 0000024698 1 0 2014-08-07 00:16:38.605 -07:00 0000287557 5405 NOTICE Failed-Attempt: RADIUS Request dropped, 
ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19385, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:57:28 10.34.84.145 Aug 7 00:16:40 stage-pdp01 CISE_Failed_Attempts 0000024699 1 0 2014-08-07 00:16:40.609 -07:00 0000287561 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19386, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:57:30 10.34.84.145 Aug 7 00:16:42 stage-pdp01 CISE_Failed_Attempts 0000024700 1 0 2014-08-07 00:16:42.613 -07:00 0000287565 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19387, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:57:32 10.34.84.145 Aug 7 00:16:44 stage-pdp01 CISE_Failed_Attempts 0000024701 1 0 2014-08-07 00:16:44.613 -07:00 0000287569 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, 
NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19388, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:57:34 10.34.84.145 Aug 7 00:16:46 stage-pdp01 CISE_Failed_Attempts 0000024702 1 0 2014-08-07 00:16:46.617 -07:00 0000287573 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19389, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:57:24 10.34.84.145 Aug 7 00:16:36 stage-pdp01 CISE_Failed_Attempts 0000024697 1 0 2014-08-07 00:16:36.602 -07:00 0000287553 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19384, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:57:26 10.34.84.145 Aug 7 00:16:38 stage-pdp01 CISE_Failed_Attempts 0000024698 1 0 2014-08-07 00:16:38.605 -07:00 0000287557 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19385, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:57:28 10.34.84.145 Aug 7 
00:16:40 stage-pdp01 CISE_Failed_Attempts 0000024699 1 0 2014-08-07 00:16:40.609 -07:00 0000287561 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19386, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:57:30 10.34.84.145 Aug 7 00:16:42 stage-pdp01 CISE_Failed_Attempts 0000024700 1 0 2014-08-07 00:16:42.613 -07:00 0000287565 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19387, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:57:32 10.34.84.145 Aug 7 00:16:44 stage-pdp01 CISE_Failed_Attempts 0000024701 1 0 2014-08-07 00:16:44.613 -07:00 0000287569 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19388, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:57:34 10.34.84.145 Aug 7 00:16:46 stage-pdp01 CISE_Failed_Attempts 0000024702 1 0 2014-08-07 00:16:46.617 -07:00 0000287573 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, 
DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19389, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, Aug 6 16:58:03 10.42.7.64 Aug 7 00:17:15 npf-sjca-pdp02 CISE_Failed_Attempts 0000371063 1 0 2014-08-07 00:17:15.966 -07:00 0011270832 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario, ConfigVersionId=240, Device IP Address=10.34.76.212, Device Port=32770, DestinationIPAddress=10.42.7.64, DestinationPort=1813, RadiusPacketType=AccountingRequest, UserName=hslai, Protocol=Radius, RequestLatency=25, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=hslai, NAS-IP-Address=10.34.76.212, NAS-Port=1, Framed-IP-Address=10.34.94.11, Class=CACS:0a224cd40002fdf953e327f2:npf-sjca-pdp02/195481465/271072, Called-Station-ID=88-43-e1-62-1d-20, Calling-Station-ID=24-a2-e1-3b-4b-cb, NAS-Identifier=sjcm-00a-npf-wlc1, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=5198, Acct-Output-Octets=4093, Acct-Session-Id=53e327f2/24:a2:e1:3b:4b:cb/174403, Acct-Authentic=RADIUS, Acct-Session-Time=9, Acct-Input-Packets=37, Acct-Output-Packets=13, undefined-52= Aug 6 16:58:13 10.42.7.64 Aug 7 00:17:25 npf-sjca-pdp02 CISE_Failed_Attempts 0000371065 1 0 2014-08-07 00:17:25.902 -07:00 0011270838 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=4, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/271076, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a 
cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a07400000570553E32805, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:58:18 10.42.7.63 Aug 7 00:17:30 npf-sjca-pdp01 CISE_Failed_Attempts 0001971204 1 0 2014-08-07 00:17:30.916 -07:00 0098707928 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=1, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2086981, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D5E53E3280A, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:59:23 10.42.7.64 Aug 7 00:18:35 npf-sjca-pdp02 CISE_Failed_Attempts 0000371070 1 0 2014-08-07 00:18:35.942 -07:00 0011271044 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=5, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/271081, SelectedAccessService=NDAC_SGT_Service, 
FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a07400000570653E3284B, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, -Aug 6 16:59:28 10.42.7.64 Aug 7 00:18:40 npf-sjca-pdp02 CISE_Failed_Attempts 0000371072 1 0 2014-08-07 00:18:40.669 -07:00 0011271053 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=240, Device IP Address=10.56.129.4, Device Port=32770, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=istern, Protocol=Radius, RequestLatency=12, NetworkDeviceName=NTN-WLC1, User-Name=istern, NAS-IP-Address=10.56.129.4, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a388104000045de53e2c750\;41SessionID=npf-sjca-pdp02/195481465/271077\;, Called-Station-ID=70-10-5c-f3-2f-80:alpha_example, Calling-Station-ID=f0-27-65-48-8c-8f, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 604, undefined-89= +Aug 6 16:59:28 10.42.7.64 Aug 7 00:18:40 npf-sjca-pdp02 CISE_Failed_Attempts 0000371072 1 0 2014-08-07 00:18:40.669 -07:00 0011271053 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=240, Device IP Address=10.56.129.4, Device Port=32770, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=istern, Protocol=Radius, RequestLatency=12, NetworkDeviceName=NTN-WLC1, User-Name=istern, NAS-IP-Address=10.56.129.4, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a388104000045de53e2c750\;41SessionID=npf-sjca-pdp02/195481465/271077\;, Called-Station-ID=70-10-5c-f3-2f-80:alpha_byod, 
Calling-Station-ID=f0-27-65-48-8c-8f, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 604, undefined-89= Aug 6 16:59:28 10.42.7.63 Aug 7 00:18:40 npf-sjca-pdp01 CISE_Failed_Attempts 0001971282 1 0 2014-08-07 00:18:40.981 -07:00 0098711291 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=2, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2087140, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D5F53E32850, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 17:00:33 10.42.7.64 Aug 7 00:19:46 npf-sjca-pdp02 CISE_Failed_Attempts 0000371080 1 0 2014-08-07 00:19:46.020 -07:00 0011271232 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=5, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/271087, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, 
NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a07400000570753E32892, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, -Aug 6 17:00:36 10.34.84.145 Aug 7 00:19:48 stage-pdp01 CISE_Failed_Attempts 0000024712 1 0 2014-08-07 00:19:48.660 -07:00 0000287604 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19396, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 17:00:38 10.34.84.145 Aug 7 00:19:50 stage-pdp01 CISE_Failed_Attempts 0000024713 1 0 2014-08-07 00:19:50.664 -07:00 0000287608 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19397, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 17:00:36 10.34.84.145 Aug 7 00:19:48 stage-pdp01 CISE_Failed_Attempts 0000024712 1 0 2014-08-07 00:19:48.660 -07:00 0000287604 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19396, FailureReason=11007 Could not locate Network Device or AAA 
Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 17:00:38 10.34.84.145 Aug 7 00:19:50 stage-pdp01 CISE_Failed_Attempts 0000024713 1 0 2014-08-07 00:19:50.664 -07:00 0000287608 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19397, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, Aug 6 17:00:39 10.42.7.63 Aug 7 00:19:51 npf-sjca-pdp01 CISE_Failed_Attempts 0001971393 1 0 2014-08-07 00:19:51.042 -07:00 0098716185 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=1, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2087311, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D6053E32897, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, -Aug 6 17:00:40 10.34.84.145 Aug 7 00:19:52 stage-pdp01 CISE_Failed_Attempts 0000024714 1 0 2014-08-07 00:19:52.664 -07:00 0000287612 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, 
Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19398, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 17:00:42 10.34.84.145 Aug 7 00:19:54 stage-pdp01 CISE_Failed_Attempts 0000024715 1 0 2014-08-07 00:19:54.668 -07:00 0000287616 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19399, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 17:00:44 10.34.84.145 Aug 7 00:19:56 stage-pdp01 CISE_Failed_Attempts 0000024716 1 0 2014-08-07 00:19:56.672 -07:00 0000287620 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19400, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 17:00:46 10.34.84.145 Aug 7 00:19:58 stage-pdp01 CISE_Failed_Attempts 0000024717 1 0 2014-08-07 00:19:58.675 -07:00 0000287624 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19401, FailureReason=11007 Could not locate Network Device or AAA 
Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 17:00:40 10.34.84.145 Aug 7 00:19:52 stage-pdp01 CISE_Failed_Attempts 0000024714 1 0 2014-08-07 00:19:52.664 -07:00 0000287612 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19398, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 17:00:42 10.34.84.145 Aug 7 00:19:54 stage-pdp01 CISE_Failed_Attempts 0000024715 1 0 2014-08-07 00:19:54.668 -07:00 0000287616 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19399, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 17:00:44 10.34.84.145 Aug 7 00:19:56 stage-pdp01 CISE_Failed_Attempts 0000024716 1 0 2014-08-07 00:19:56.672 -07:00 0000287620 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19400, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 17:00:46 10.34.84.145 Aug 7 00:19:58 stage-pdp01 CISE_Failed_Attempts 0000024717 1 0 2014-08-07 00:19:58.675 -07:00 0000287624 5405 NOTICE Failed-Attempt: RADIUS 
Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19401, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, Aug 6 17:01:44 10.42.7.64 Aug 7 00:20:56 npf-sjca-pdp02 CISE_Failed_Attempts 0000371095 1 0 2014-08-07 00:20:56.062 -07:00 0011271644 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=5, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/271099, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a07400000570853E328D8, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 17:01:49 10.42.7.63 Aug 7 00:21:01 npf-sjca-pdp01 CISE_Failed_Attempts 0001971475 1 0 2014-08-07 00:21:01.119 -07:00 0098720317 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=1, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, 
AcsSessionID=npf-sjca-pdp01/195491152/2087472, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D6153E328DD, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 17:02:54 10.42.7.64 Aug 7 00:22:06 npf-sjca-pdp02 CISE_Failed_Attempts 0000371100 1 0 2014-08-07 00:22:06.143 -07:00 0011271684 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=4, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/271102, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a07400000570953E3291E, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 17:02:59 10.42.7.63 Aug 7 00:22:11 npf-sjca-pdp01 CISE_Failed_Attempts 0001971589 1 0 2014-08-07 00:22:11.182 -07:00 0098725955 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=1, NetworkDeviceName=ntn01-11a-sw3, 
User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2087646, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D6253E32923, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, -Aug 6 17:03:48 10.34.84.145 Aug 7 00:23:00 stage-pdp01 CISE_Failed_Attempts 0000024729 1 0 2014-08-07 00:23:00.739 -07:00 0000287682 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19408, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 17:03:50 10.34.84.145 Aug 7 00:23:02 stage-pdp01 CISE_Failed_Attempts 0000024730 1 0 2014-08-07 00:23:02.743 -07:00 0000287686 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19409, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 17:03:52 10.34.84.145 Aug 7 00:23:04 stage-pdp01 CISE_Failed_Attempts 0000024731 1 0 2014-08-07 00:23:04.742 -07:00 0000287690 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP 
Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19410, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:40:48 10.34.84.145 Aug 7 00:00:00 stage-pdp01 CISE_Failed_Attempts 0000024612 1 0 2014-08-07 00:00:00.178 -07:00 0000286990 5413 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1813, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Called-Station-ID=192.168.30.11, Calling-Station-ID=192.168.30.11, NAS-Identifier=Cisco_1b:e0:84, Acct-Status-Type=Start, Acct-Session-Id=ad:c5:5c:92, Acct-Authentic=RADIUS, AcsSessionID=stage-pdp01/196593288/19314, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11004, Step=11017, Step=11007, Step=5413, -Aug 6 16:40:48 10.42.7.63 Aug 7 00:00:00 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969821 1 0 2014-08-07 00:00:00.186 -07:00 0098648054 12932 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first EAP-FAST message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084571, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-7D-EF, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22964453e3218b00000d14, -Aug 6 16:40:48 10.42.7.63 Aug 7 00:00:00 npf-sjca-pdp01 CISE_Failed_Attempts 0001969822 1 0 2014-08-07 00:00:00.186 -07:00 0098648055 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP 
Address=10.34.150.68, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084571, SelectedAccessService=Default Network Access, FailureReason=12932 Supplicant stopped responding to ISE after sending it the first EAP-FAST message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=12932, Step=5411, NetworkDeviceName=EXAMPLE, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-7D-EF, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap5, CPMSessionID=0a22964453e3218b00000d14, EndPointMACAddress=00-23-33-41-7D-EF, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=20=120001, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, -Aug 6 16:40:48 10.42.7.64 Aug 7 00:00:00 npf-sjca-pdp02 CISE_Passed_Authentications 0000370852 1 0 2014-08-07 00:00:00.581 -07:00 0011266563 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=maswank, Protocol=Radius, RequestLatency=63, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdef53e323ef\;41SessionID=npf-sjca-pdp02/195481465/270930\;, 
Called-Station-ID=a4-56-30-0f-78-80:alpha_example, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= -Aug 6 16:40:48 10.42.7.64 Aug 7 00:00:00 npf-sjca-pdp02 CISE_RADIUS_Accounting 0000370853 1 0 2014-08-07 00:00:00.609 -07:00 0011266578 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=240, Device IP Address=10.34.76.212, RequestLatency=23, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Class=CACS:0a224cd40002fdef53e323ef:npf-sjca-pdp02/195481465/270930, Called-Station-ID=88-43-e1-62-1d-20, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, Acct-Status-Type=Start, Acct-Session-Id=53e323f0/00:21:6a:ab:3a:fe/174396, Acct-Authentic=RADIUS, Event-Timestamp=1407394800, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 603, cisco-av-pair=audit-session-id=0a224cd40002fdef53e323ef, Airespace-Wlan-Id=1, AcsSessionID=npf-sjca-pdp02/195481465/270931, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15004, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a224cd40002fdef53e323ef, AllowedProtocolMatchedRule=Byod-Dot1x-SJCM1, Model Name=5508, Software Version=7.3.113.109, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wireless#WLC, -Aug 6 16:40:48 10.34.84.146 Aug 7 00:00:00 stage-pdp02 CISE_System_Statistics 0000002927 1 0 2014-08-07 00:00:00.642 -07:00 0000048588 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=10, SysStatsUtilizationCpu=0.76%, SysStatsUtilizationNetwork=eth0: rcvd = 2487452\; sent = 201012 \;rcvd_dropped = 0\; sent_dropped = 0, 
SysStatsUtilizationMemory=40.85%, SysStatsUtilizationDiskIO=0.03%, SysStatsUtilizationDiskSpace=9% /, SysStatsUtilizationDiskSpace=10% /boot, SysStatsUtilizationDiskSpace=2% /localdisk, SysStatsUtilizationDiskSpace=7% /storedconfig, SysStatsUtilizationDiskSpace=2% /tmp, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.02, SysStatsCpuCount=8, SysStatsProcessMemoryMB=6847, -Aug 6 16:40:48 10.34.84.146 Aug 7 00:00:00 stage-pdp02 CISE_System_Statistics 0000002928 1 0 2014-08-07 00:00:00.642 -07:00 0000048587 70001 NOTICE System-Stats: ISE Process Health, ConfigVersionId=10, SysStatsAcsProcessHealth= Database Listener=running\, PID: 16936\; Database Server=running\, number of processes: 35\; Application Server=running\, PID: 22120\; Profiler Database=running\, PID: 20130\; AD Connector=running\, PID: 4257\; M&T Session Database=disabled\; M&T Log Collector=disabled\; M&T Log Processor=disabled\; Certificate Authority Service=running\, PID: 1557\; pxGrid Infrastructure Service=disabled\; pxGrid Publisher Subscriber Service=disabled\; pxGrid Connection Manager=disabled\; pxGrid Controller=disabled\; Identity Mapping Service=disabled, -Aug 6 16:40:48 10.34.84.146 Aug 7 00:00:00 stage-pdp02 CISE_System_Statistics 0000002929 1 0 2014-08-07 00:00:00.642 -07:00 0000048589 70010 NOTICE System-Stats: OCSP Statistics, ConfigVersionId=10, OCSPPrimaryNotResponsiveCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPPrimaryNotResponsiveCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPPrimaryNotResponsiveCount=Cisco ISE Root CA - stage-pap02:0, OCSPSecondaryNotResponsiveCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPSecondaryNotResponsiveCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPSecondaryNotResponsiveCount=Cisco ISE Root CA - stage-pap02:0, OCSPPrimaryCertsGoodCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, 
OCSPPrimaryCertsGoodCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPPrimaryCertsGoodCount=Cisco ISE Root CA - stage-pap02:0, OCSPSecondaryCertsGoodCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPSecondaryCertsGoodCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPSecondaryCertsGoodCount=Cisco ISE Root CA - stage-pap02:0, OCSPPrimaryCertsRevokedCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPPrimaryCertsRevokedCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPPrimaryCertsRevokedCount=Cisco ISE Root CA - stage-pap02:0, OCSPSecondaryCertsRevokedCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPSecondaryCertsRevokedCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPSecondaryCertsRevokedCount=Cisco ISE Root CA - stage-pap02:0, OCSPPrimaryCertsUnknownCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPPrimaryCertsUnknownCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPPrimaryCertsUnknownCount=Cisco ISE Root CA - stage-pap02:0, OCSPSecondaryCertsUnknownCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPSecondaryCertsUnknownCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPSecondaryCertsUnknownCount=Cisco ISE Root CA - stage-pap02:0, OCSPPrimaryCertsFoundCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPPrimaryCertsFoundCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPPrimaryCertsFoundCount=Cisco ISE Root CA - stage-pap02:0, OCSPSecondaryCertsFoundCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPSecondaryCertsFoundCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPSecondaryCertsFoundCount=Cisco ISE Root CA - stage-pap02:0, ClearCacheInvokedCount=0, OCSPCertsCleanedUpCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:1, OCSPCertsCleanedUpCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPCertsCleanedUpCount=Cisco ISE Root CA - stage-pap02:2, NumOfCertsFoundInCache=Cisco ISE Endpoint Subordinate 
CA - stage-pdp01:0, NumOfCertsFoundInCache=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, NumOfCertsFoundInCache=Cisco ISE Root CA - stage-pap02:0, -Aug 6 16:40:48 10.34.84.141 Aug 7 00:00:00 stage-pap01 CISE_Administrative_and_Operational_Audit 0000002645 1 0 2014-08-07 00:00:00.705 -07:00 0000004098 60166 NOTICE Certificate: Certificate will expire soon, ConfigVersionId=146, OperationMessageText= Trust certificate 'Users\,Administrator#ise-WIN-H10SLATQ452-CA#00017' will expire in 12 days, -Aug 6 16:40:48 10.42.8.41 Aug 7 00:00:00 npf-sjca-pap01 CISE_Administrative_and_Operational_Audit 0000021798 1 0 2014-08-07 00:00:00.930 -07:00 0000030462 60166 NOTICE Certificate: Certificate will expire soon, ConfigVersionId=113, OperationMessageText= Trust certificate 'Users\,Administrator#ise-WIN-H10SLATQ452-CA#00017' will expire in 12 days, -Aug 6 16:40:50 10.34.84.145 Aug 7 00:00:02 stage-pdp01 CISE_Failed_Attempts 0000024613 1 0 2014-08-07 00:00:02.182 -07:00 0000286998 5413 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1813, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Called-Station-ID=192.168.30.11, Calling-Station-ID=192.168.30.11, NAS-Identifier=Cisco_1b:e0:84, Acct-Status-Type=Start, Acct-Session-Id=ad:c5:5c:92, Acct-Authentic=RADIUS, AcsSessionID=stage-pdp01/196593288/19315, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11004, Step=11017, Step=11007, Step=5413, -Aug 6 15:40:50 10.86.237.133 Aug 7 02:00:02 vm4-psn1-if0 CISE_Administrative_and_Operational_Audit 0000002803 1 0 2014-08-07 02:00:02.267 -05:00 0002533404 60134 NOTICE System-Management: DNS Resolution failure, ConfigVersionId=5, AdminInterface=CLI, AdminIPAddress=127.0.0.1, AdminName=system, OperationMessageText=DNS resolution failed for the hostname vm4-psn1-if0.guest.test against the currently configured name servers. 
Ensure that you have configured a reachable name server using the 'ip name-server ' CLI, AcsInstance=vm4-psn1-if0, -Aug 6 16:40:52 10.34.84.145 Aug 7 00:00:04 stage-pdp01 CISE_Failed_Attempts 0000024614 1 0 2014-08-07 00:00:04.186 -07:00 0000287002 5413 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1813, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Called-Station-ID=192.168.30.11, Calling-Station-ID=192.168.30.11, NAS-Identifier=Cisco_1b:e0:84, Acct-Status-Type=Start, Acct-Session-Id=ad:c5:5c:92, Acct-Authentic=RADIUS, AcsSessionID=stage-pdp01/196593288/19316, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11004, Step=11017, Step=11007, Step=5413, +Aug 6 17:03:48 10.34.84.145 Aug 7 00:23:00 stage-pdp01 CISE_Failed_Attempts 0000024729 1 0 2014-08-07 00:23:00.739 -07:00 0000287682 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19408, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 17:03:50 10.34.84.145 Aug 7 00:23:02 stage-pdp01 CISE_Failed_Attempts 0000024730 1 0 2014-08-07 00:23:02.743 -07:00 0000287686 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19409, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, 
Step=11007, Step=5405, +Aug 6 17:03:52 10.34.84.145 Aug 7 00:23:04 stage-pdp01 CISE_Failed_Attempts 0000024731 1 0 2014-08-07 00:23:04.742 -07:00 0000287690 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19410, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:40:48 10.34.84.145 Aug 7 00:00:00 stage-pdp01 CISE_Failed_Attempts 0000024612 1 0 2014-08-07 00:00:00.178 -07:00 0000286990 5413 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1813, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Called-Station-ID=192.168.30.11, Calling-Station-ID=192.168.30.11, NAS-Identifier=Cisco_1b:e0:84, Acct-Status-Type=Start, Acct-Session-Id=ad:c5:5c:92, Acct-Authentic=RADIUS, AcsSessionID=stage-pdp01/196593288/19314, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11004, Step=11017, Step=11007, Step=5413, +Aug 6 16:40:48 10.42.7.63 Aug 7 00:00:00 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969821 1 0 2014-08-07 00:00:00.186 -07:00 0098648054 12932 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first EAP-FAST message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084571, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-7D-EF, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22964453e3218b00000d14, +Aug 6 16:40:48 
10.42.7.63 Aug 7 00:00:00 npf-sjca-pdp01 CISE_Failed_Attempts 0001969822 1 0 2014-08-07 00:00:00.186 -07:00 0098648055 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084571, SelectedAccessService=Default Network Access, FailureReason=12932 Supplicant stopped responding to ISE after sending it the first EAP-FAST message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=12932, Step=5411, NetworkDeviceName=WNBU_NGWC_OTA_KATANA1, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-7D-EF, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap5, CPMSessionID=0a22964453e3218b00000d14, EndPointMACAddress=00-23-33-41-7D-EF, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=20=120001, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, +Aug 6 16:40:48 10.42.7.64 Aug 7 00:00:00 npf-sjca-pdp02 CISE_Passed_Authentications 0000370852 1 0 2014-08-07 00:00:00.581 -07:00 0011266563 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=maswank, Protocol=Radius, 
RequestLatency=63, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdef53e323ef\;41SessionID=npf-sjca-pdp02/195481465/270930\;, Called-Station-ID=a4-56-30-0f-78-80:alpha_byod, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= +Aug 6 16:40:48 10.42.7.64 Aug 7 00:00:00 npf-sjca-pdp02 CISE_RADIUS_Accounting 0000370853 1 0 2014-08-07 00:00:00.609 -07:00 0011266578 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=240, Device IP Address=10.34.76.212, RequestLatency=23, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Class=CACS:0a224cd40002fdef53e323ef:npf-sjca-pdp02/195481465/270930, Called-Station-ID=88-43-e1-62-1d-20, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, Acct-Status-Type=Start, Acct-Session-Id=53e323f0/00:21:6a:ab:3a:fe/174396, Acct-Authentic=RADIUS, Event-Timestamp=1407394800, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 603, cisco-av-pair=audit-session-id=0a224cd40002fdef53e323ef, Airespace-Wlan-Id=1, AcsSessionID=npf-sjca-pdp02/195481465/270931, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15004, Step=11005, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=0a224cd40002fdef53e323ef, AllowedProtocolMatchedRule=Byod-Dot1x-SJCM1, Model Name=5508, Software Version=7.3.113.109, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wireless#WLC, +Aug 6 16:40:48 10.34.84.146 Aug 7 00:00:00 stage-pdp02 CISE_System_Statistics 0000002927 
1 0 2014-08-07 00:00:00.642 -07:00 0000048588 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=10, SysStatsUtilizationCpu=0.76%, SysStatsUtilizationNetwork=eth0: rcvd = 2487452\; sent = 201012 \;rcvd_dropped = 0\; sent_dropped = 0, SysStatsUtilizationMemory=40.85%, SysStatsUtilizationDiskIO=0.03%, SysStatsUtilizationDiskSpace=9% /, SysStatsUtilizationDiskSpace=10% /boot, SysStatsUtilizationDiskSpace=2% /localdisk, SysStatsUtilizationDiskSpace=7% /storedconfig, SysStatsUtilizationDiskSpace=2% /tmp, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.02, SysStatsCpuCount=8, SysStatsProcessMemoryMB=6847, +Aug 6 16:40:48 10.34.84.146 Aug 7 00:00:00 stage-pdp02 CISE_System_Statistics 0000002928 1 0 2014-08-07 00:00:00.642 -07:00 0000048587 70001 NOTICE System-Stats: ISE Process Health, ConfigVersionId=10, SysStatsAcsProcessHealth= Database Listener=running\, PID: 16936\; Database Server=running\, number of processes: 35\; Application Server=running\, PID: 22120\; Profiler Database=running\, PID: 20130\; AD Connector=running\, PID: 4257\; M&T Session Database=disabled\; M&T Log Collector=disabled\; M&T Log Processor=disabled\; Certificate Authority Service=running\, PID: 1557\; pxGrid Infrastructure Service=disabled\; pxGrid Publisher Subscriber Service=disabled\; pxGrid Connection Manager=disabled\; pxGrid Controller=disabled\; Identity Mapping Service=disabled, +Aug 6 16:40:48 10.34.84.146 Aug 7 00:00:00 stage-pdp02 CISE_System_Statistics 0000002929 1 0 2014-08-07 00:00:00.642 -07:00 0000048589 70010 NOTICE System-Stats: OCSP Statistics, ConfigVersionId=10, OCSPPrimaryNotResponsiveCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPPrimaryNotResponsiveCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPPrimaryNotResponsiveCount=Cisco ISE Root CA - stage-pap02:0, OCSPSecondaryNotResponsiveCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, 
OCSPSecondaryNotResponsiveCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPSecondaryNotResponsiveCount=Cisco ISE Root CA - stage-pap02:0, OCSPPrimaryCertsGoodCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPPrimaryCertsGoodCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPPrimaryCertsGoodCount=Cisco ISE Root CA - stage-pap02:0, OCSPSecondaryCertsGoodCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPSecondaryCertsGoodCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPSecondaryCertsGoodCount=Cisco ISE Root CA - stage-pap02:0, OCSPPrimaryCertsRevokedCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPPrimaryCertsRevokedCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPPrimaryCertsRevokedCount=Cisco ISE Root CA - stage-pap02:0, OCSPSecondaryCertsRevokedCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPSecondaryCertsRevokedCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPSecondaryCertsRevokedCount=Cisco ISE Root CA - stage-pap02:0, OCSPPrimaryCertsUnknownCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPPrimaryCertsUnknownCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPPrimaryCertsUnknownCount=Cisco ISE Root CA - stage-pap02:0, OCSPSecondaryCertsUnknownCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPSecondaryCertsUnknownCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPSecondaryCertsUnknownCount=Cisco ISE Root CA - stage-pap02:0, OCSPPrimaryCertsFoundCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPPrimaryCertsFoundCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPPrimaryCertsFoundCount=Cisco ISE Root CA - stage-pap02:0, OCSPSecondaryCertsFoundCount=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, OCSPSecondaryCertsFoundCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPSecondaryCertsFoundCount=Cisco ISE Root CA - stage-pap02:0, ClearCacheInvokedCount=0, OCSPCertsCleanedUpCount=Cisco ISE 
Endpoint Subordinate CA - stage-pdp01:1, OCSPCertsCleanedUpCount=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, OCSPCertsCleanedUpCount=Cisco ISE Root CA - stage-pap02:2, NumOfCertsFoundInCache=Cisco ISE Endpoint Subordinate CA - stage-pdp01:0, NumOfCertsFoundInCache=Cisco ISE Endpoint Subordinate CA - stage-pdp02:0, NumOfCertsFoundInCache=Cisco ISE Root CA - stage-pap02:0, +Aug 6 16:40:48 10.34.84.141 Aug 7 00:00:00 stage-pap01 CISE_Administrative_and_Operational_Audit 0000002645 1 0 2014-08-07 00:00:00.705 -07:00 0000004098 60166 NOTICE Certificate: Certificate will expire soon, ConfigVersionId=146, OperationMessageText= Trust certificate 'Users\,Administrator#ise-WIN-H10SLATQ452-CA#00017' will expire in 12 days, +Aug 6 16:40:48 10.42.8.41 Aug 7 00:00:00 npf-sjca-pap01 CISE_Administrative_and_Operational_Audit 0000021798 1 0 2014-08-07 00:00:00.930 -07:00 0000030462 60166 NOTICE Certificate: Certificate will expire soon, ConfigVersionId=113, OperationMessageText= Trust certificate 'Users\,Administrator#ise-WIN-H10SLATQ452-CA#00017' will expire in 12 days, +Aug 6 16:40:50 10.34.84.145 Aug 7 00:00:02 stage-pdp01 CISE_Failed_Attempts 0000024613 1 0 2014-08-07 00:00:02.182 -07:00 0000286998 5413 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1813, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Called-Station-ID=192.168.30.11, Calling-Station-ID=192.168.30.11, NAS-Identifier=Cisco_1b:e0:84, Acct-Status-Type=Start, Acct-Session-Id=ad:c5:5c:92, Acct-Authentic=RADIUS, AcsSessionID=stage-pdp01/196593288/19315, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11004, Step=11017, Step=11007, Step=5413, +Aug 6 15:40:50 10.86.237.133 Aug 7 02:00:02 vm4-psn1-if0 CISE_Administrative_and_Operational_Audit 0000002803 1 0 2014-08-07 02:00:02.267 -05:00 0002533404 60134 NOTICE System-Management: DNS 
Resolution failure, ConfigVersionId=5, AdminInterface=CLI, AdminIPAddress=127.0.0.1, AdminName=system, OperationMessageText=DNS resolution failed for the hostname vm4-psn1-if0.guest.test against the currently configured name servers. Ensure that you have configured a reachable name server using the 'ip name-server ' CLI, AcsInstance=vm4-psn1-if0, +Aug 6 16:40:52 10.34.84.145 Aug 7 00:00:04 stage-pdp01 CISE_Failed_Attempts 0000024614 1 0 2014-08-07 00:00:04.186 -07:00 0000287002 5413 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1813, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Called-Station-ID=192.168.30.11, Calling-Station-ID=192.168.30.11, NAS-Identifier=Cisco_1b:e0:84, Acct-Status-Type=Start, Acct-Session-Id=ad:c5:5c:92, Acct-Authentic=RADIUS, AcsSessionID=stage-pdp01/196593288/19316, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11004, Step=11017, Step=11007, Step=5413, Aug 6 16:40:52 10.42.7.63 Aug 7 00:00:04 npf-sjca-pdp01 CISE_Passed_Authentications 0001969823 1 0 2014-08-07 00:00:04.338 -07:00 0098648223 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-D2-15, Protocol=Radius, RequestLatency=58, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6d215, NAS-IP-Address=10.34.75.4, NAS-Port=50243, Service-Type=Call Check, Framed-IP-Address=10.34.75.10, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AA, Calling-Station-ID=BC-30-5B-E6-D2-15, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/43, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AEF6C76B9093, OriginalUserName=bc305be6d215, AcsSessionID=npf-sjca-pdp01/195491152/2084825, AuthenticationIdentityStore=Internal Endpoints, 
AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AEF6C76B9093, EndPointMACAddress=BC-30-5B-E6-D2-15, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:D2:15; User-Name=BC-30-5B-E6-D2-15; State=ReauthSession:0A2250250007AEF6C76B9093; Class=CACS:0A2250250007AEF6C76B9093:npf-sjca-pdp01/195491152/2084825; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; 
cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AEF6C76B9093&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=47ab1ee8a5eeb1d37d3194083abfeaa4; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, -Aug 6 16:40:52 10.42.7.64 Aug 7 00:00:04 npf-sjca-pdp02 CISE_RADIUS_Diagnostics 0000370854 1 0 2014-08-07 00:00:04.526 -07:00 0011266583 11302 WARN RADIUS: Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=23, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/270932, SelectedAccessService=NDAC_SGT_Service, CTSRequest=true, CPMSessionID=0a2a0740000056EF53E323F4, +Aug 6 16:40:52 10.42.7.64 Aug 7 00:00:04 npf-sjca-pdp02 CISE_RADIUS_Diagnostics 0000370854 1 0 2014-08-07 00:00:04.526 -07:00 0011266583 11302 WARN RADIUS: Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=23, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/270932, SelectedAccessService=NDAC_SGT_Service, CTSRequest=true, CPMSessionID=0a2a0740000056EF53E323F4, Aug 6 16:40:52 10.42.7.64 Aug 7 00:00:04 npf-sjca-pdp02 CISE_Failed_Attempts 0000370855 1 0 2014-08-07 00:00:04.527 -07:00 0011266584 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=240, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.64, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, 
Protocol=Radius, RequestLatency=5, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp02/195481465/270932, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a0740000056EF53E323F4, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, Aug 6 16:40:52 10.42.7.63 Aug 7 00:00:04 npf-sjca-pdp01 CISE_RADIUS_Accounting 0001969824 1 0 2014-08-07 00:00:04.709 -07:00 0098648235 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=133, Device IP Address=171.70.35.131, RequestLatency=3, NetworkDeviceName=WNBU-sjc14-00a-homeap1, User-Name=host/MBAGAWAT-WS02.cisco.com, NAS-IP-Address=171.70.35.131, NAS-Port=13, Framed-IP-Address=10.33.116.49, Class=CACS:0/fe6c54/ab462383/13, Called-Station-ID=00-3a-9b-03-18-80, Calling-Station-ID=24-77-03-6e-1d-cc, NAS-Identifier=Cisco_7d:88:00, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=82225000, Acct-Output-Octets=1211191000, Acct-Session-Id=53e2c1bd/24:77:03:6e:1d:cc/11615, Acct-Authentic=RADIUS, Acct-Session-Time=25145, Acct-Input-Packets=587146, Acct-Output-Packets=989725, undefined-52= -Aug 6 16:40:53 10.42.8.42 Aug 7 00:00:04 npf-sjca-pap02 CISE_System_Statistics 0000011993 1 0 2014-08-07 00:00:04.979 -07:00 0000013727 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=113, SysStatsUtilizationCpu=0.83%, SysStatsUtilizationNetwork=eth0: rcvd = 258326\; sent = 145595 \;rcvd_dropped = 0\; sent_dropped = 0, SysStatsUtilizationMemory=42.92%, SysStatsUtilizationDiskIO=0.15%, SysStatsUtilizationDiskSpace=18% /, SysStatsUtilizationDiskSpace=10% /boot, 
SysStatsUtilizationDiskSpace=2% /localdisk, SysStatsUtilizationDiskSpace=7% /storedconfig, SysStatsUtilizationDiskSpace=2% /tmp, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.02, SysStatsCpuCount=4, SysStatsProcessMemoryMB=4945, -Aug 6 16:40:53 10.42.8.42 Aug 7 00:00:04 npf-sjca-pap02 CISE_System_Statistics 0000011994 1 0 2014-08-07 00:00:04.979 -07:00 0000013726 70001 NOTICE System-Stats: ISE Process Health, ConfigVersionId=113, SysStatsAcsProcessHealth= Database Listener=running\, PID: 29446\; Database Server=running\, number of processes: 25\; Application Server=running\, PID: 32615\; Profiler Database=running\, PID: 19953\; AD Connector=running\, PID: 4303\; M&T Session Database=disabled\; M&T Log Collector=disabled\; M&T Log Processor=disabled\; Certificate Authority Service=disabled\; pxGrid Infrastructure Service=disabled\; pxGrid Publisher Subscriber Service=disabled\; pxGrid Connection Manager=disabled\; pxGrid Controller=disabled\; Identity Mapping Service=disabled, -Aug 6 16:40:53 10.42.7.63 Aug 7 00:00:05 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969825 1 0 2014-08-07 00:00:05.885 -07:00 0098648300 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=57, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e3252e00000d69\;42SessionID=npf-sjca-pdp01/195491152/2084820\;, Called-Station-ID=64-d9-89-42-21-00:alpha_phone, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e3252e00000d69, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, 
AcsSessionID=npf-sjca-pdp01/195491152/2084820, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0a22964453e3252e00000d69, -Aug 6 16:40:54 10.42.7.63 Aug 7 00:00:06 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969826 1 0 2014-08-07 00:00:06.963 -07:00 0098648437 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=66, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e3252f00000d6a\;42SessionID=npf-sjca-pdp01/195491152/2084821\;, Called-Station-ID=64-d9-89-42-21-00:alpha_phone, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e3252f00000d6a, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084821, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0a22964453e3252f00000d6a, -Aug 6 16:40:55 10.42.7.63 Aug 7 00:00:07 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969827 1 0 2014-08-07 00:00:07.893 -07:00 0098648497 12932 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first EAP-FAST message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084583, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-6A-A9, NAS-Port-Type=Wireless - 
IEEE 802.11, CPMSessionID=0a22964453e324bb00000d5f, -Aug 6 16:40:55 10.42.7.63 Aug 7 00:00:07 npf-sjca-pdp01 CISE_Failed_Attempts 0001969828 1 0 2014-08-07 00:00:07.893 -07:00 0098648498 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084583, SelectedAccessService=Default Network Access, FailureReason=12932 Supplicant stopped responding to ISE after sending it the first EAP-FAST message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=12932, Step=5411, NetworkDeviceName=EXAMPLE, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-6A-A9, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap7, CPMSessionID=0a22964453e324bb00000d5f, EndPointMACAddress=00-23-33-41-6A-A9, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=20=120001, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, -Aug 6 16:40:56 10.42.7.63 Aug 7 00:00:08 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969829 1 0 2014-08-07 00:00:08.417 -07:00 0098648499 12932 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first EAP-FAST message, ConfigVersionId=133, RadiusPacketType=Drop, 
Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084585, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-6A-A9, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22964453e324bb00000d5f, -Aug 6 16:40:56 10.42.7.63 Aug 7 00:00:08 npf-sjca-pdp01 CISE_Failed_Attempts 0001969830 1 0 2014-08-07 00:00:08.417 -07:00 0098648500 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084585, SelectedAccessService=Default Network Access, FailureReason=12932 Supplicant stopped responding to ISE after sending it the first EAP-FAST message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=12932, Step=5411, NetworkDeviceName=EXAMPLE, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-6A-A9, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap7, CPMSessionID=0a22964453e324bb00000d5f, EndPointMACAddress=00-23-33-41-6A-A9, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=20=120001, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device 
Types#Wireless#WLC#NGWC, -Aug 6 16:40:57 10.42.7.63 Aug 7 00:00:09 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969831 1 0 2014-08-07 00:00:09.004 -07:00 0098648505 12932 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first EAP-FAST message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084588, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-6A-A9, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22964453e324bb00000d5f, -Aug 6 16:40:57 10.42.7.63 Aug 7 00:00:09 npf-sjca-pdp01 CISE_Failed_Attempts 0001969832 1 0 2014-08-07 00:00:09.004 -07:00 0098648506 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084588, SelectedAccessService=Default Network Access, FailureReason=12932 Supplicant stopped responding to ISE after sending it the first EAP-FAST message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=12932, Step=5411, NetworkDeviceName=EXAMPLE, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-6A-A9, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap7, CPMSessionID=0a22964453e324bb00000d5f, EndPointMACAddress=00-23-33-41-6A-A9, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, 
StepLatency=20=120000, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, -Aug 6 16:40:57 10.42.7.63 Aug 7 00:00:09 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969833 1 0 2014-08-07 00:00:09.568 -07:00 0098648518 11302 WARN RADIUS: Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=23, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2084839, SelectedAccessService=NDAC_SGT_Service, CTSRequest=true, CPMSessionID=0a2a073f00005D4A53E323F9, +Aug 6 16:40:53 10.42.8.42 Aug 7 00:00:04 npf-sjca-pap02 CISE_System_Statistics 0000011993 1 0 2014-08-07 00:00:04.979 -07:00 0000013727 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=113, SysStatsUtilizationCpu=0.83%, SysStatsUtilizationNetwork=eth0: rcvd = 258326\; sent = 145595 \;rcvd_dropped = 0\; sent_dropped = 0, SysStatsUtilizationMemory=42.92%, SysStatsUtilizationDiskIO=0.15%, SysStatsUtilizationDiskSpace=18% /, SysStatsUtilizationDiskSpace=10% /boot, SysStatsUtilizationDiskSpace=2% /localdisk, SysStatsUtilizationDiskSpace=7% /storedconfig, SysStatsUtilizationDiskSpace=2% /tmp, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.02, SysStatsCpuCount=4, SysStatsProcessMemoryMB=4945, +Aug 6 16:40:53 10.42.8.42 Aug 7 00:00:04 npf-sjca-pap02 CISE_System_Statistics 0000011994 1 0 2014-08-07 00:00:04.979 -07:00 0000013726 70001 NOTICE System-Stats: ISE Process Health, ConfigVersionId=113, 
SysStatsAcsProcessHealth= Database Listener=running\, PID: 29446\; Database Server=running\, number of processes: 25\; Application Server=running\, PID: 32615\; Profiler Database=running\, PID: 19953\; AD Connector=running\, PID: 4303\; M&T Session Database=disabled\; M&T Log Collector=disabled\; M&T Log Processor=disabled\; Certificate Authority Service=disabled\; pxGrid Infrastructure Service=disabled\; pxGrid Publisher Subscriber Service=disabled\; pxGrid Connection Manager=disabled\; pxGrid Controller=disabled\; Identity Mapping Service=disabled, +Aug 6 16:40:53 10.42.7.63 Aug 7 00:00:05 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969825 1 0 2014-08-07 00:00:05.885 -07:00 0098648300 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=57, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e3252e00000d69\;42SessionID=npf-sjca-pdp01/195491152/2084820\;, Called-Station-ID=64-d9-89-42-21-00:alpha_phone, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e3252e00000d69, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084820, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0a22964453e3252e00000d69, +Aug 6 16:40:54 10.42.7.63 Aug 7 00:00:06 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969826 1 0 2014-08-07 00:00:06.963 -07:00 0098648437 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, 
DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=66, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e3252f00000d6a\;42SessionID=npf-sjca-pdp01/195491152/2084821\;, Called-Station-ID=64-d9-89-42-21-00:alpha_phone, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e3252f00000d6a, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084821, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0a22964453e3252f00000d6a, +Aug 6 16:40:55 10.42.7.63 Aug 7 00:00:07 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969827 1 0 2014-08-07 00:00:07.893 -07:00 0098648497 12932 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first EAP-FAST message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084583, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-6A-A9, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22964453e324bb00000d5f, +Aug 6 16:40:55 10.42.7.63 Aug 7 00:00:07 npf-sjca-pdp01 CISE_Failed_Attempts 0001969828 1 0 2014-08-07 00:00:07.893 -07:00 0098648498 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084583, SelectedAccessService=Default Network Access, FailureReason=12932 Supplicant stopped responding to 
ISE after sending it the first EAP-FAST message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=12932, Step=5411, NetworkDeviceName=WNBU_NGWC_OTA_KATANA1, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-6A-A9, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap7, CPMSessionID=0a22964453e324bb00000d5f, EndPointMACAddress=00-23-33-41-6A-A9, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=20=120001, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, +Aug 6 16:40:56 10.42.7.63 Aug 7 00:00:08 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969829 1 0 2014-08-07 00:00:08.417 -07:00 0098648499 12932 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first EAP-FAST message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084585, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-6A-A9, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22964453e324bb00000d5f, +Aug 6 16:40:56 10.42.7.63 Aug 7 00:00:08 npf-sjca-pdp01 CISE_Failed_Attempts 0001969830 1 0 2014-08-07 00:00:08.417 -07:00 0098648500 5411 NOTICE 
Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084585, SelectedAccessService=Default Network Access, FailureReason=12932 Supplicant stopped responding to ISE after sending it the first EAP-FAST message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=12932, Step=5411, NetworkDeviceName=WNBU_NGWC_OTA_KATANA1, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-6A-A9, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap7, CPMSessionID=0a22964453e324bb00000d5f, EndPointMACAddress=00-23-33-41-6A-A9, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=20=120001, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, +Aug 6 16:40:57 10.42.7.63 Aug 7 00:00:09 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969831 1 0 2014-08-07 00:00:09.004 -07:00 0098648505 12932 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first EAP-FAST message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084588, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, 
User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-6A-A9, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22964453e324bb00000d5f, +Aug 6 16:40:57 10.42.7.63 Aug 7 00:00:09 npf-sjca-pdp01 CISE_Failed_Attempts 0001969832 1 0 2014-08-07 00:00:09.004 -07:00 0098648506 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084588, SelectedAccessService=Default Network Access, FailureReason=12932 Supplicant stopped responding to ISE after sending it the first EAP-FAST message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=12932, Step=5411, NetworkDeviceName=WNBU_NGWC_OTA_KATANA1, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-6A-A9, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap7, CPMSessionID=0a22964453e324bb00000d5f, EndPointMACAddress=00-23-33-41-6A-A9, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=20=120000, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, +Aug 6 16:40:57 10.42.7.63 Aug 7 00:00:09 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969833 1 0 2014-08-07 00:00:09.568 -07:00 0098648518 11302 WARN 
RADIUS: Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=23, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2084839, SelectedAccessService=NDAC_SGT_Service, CTSRequest=true, CPMSessionID=0a2a073f00005D4A53E323F9, Aug 6 16:40:57 10.42.7.63 Aug 7 00:00:09 npf-sjca-pdp01 CISE_Failed_Attempts 0001969834 1 0 2014-08-07 00:00:09.568 -07:00 0098648519 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=133, Device IP Address=10.56.72.126, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=#CTSREQUEST#, Protocol=Radius, RequestLatency=2, NetworkDeviceName=ntn01-11a-sw3, User-Name=#CTSREQUEST#, NAS-IP-Address=10.56.72.126, Service-Type=Outbound, AcsSessionID=npf-sjca-pdp01/195491152/2084839, SelectedAccessService=NDAC_SGT_Service, FailureReason=11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute, Step=11001, Step=11017, Step=15012, Step=11302, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, CPMSessionID=0a2a073f00005D4A53E323F9, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, Response={RadiusPacketType=Drop; }, -Aug 6 16:40:57 10.42.7.63 Aug 7 00:00:09 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969835 1 0 2014-08-07 00:00:09.779 -07:00 0098648583 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.149.5, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=59, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, 
State=37CPMSessionID=0a22950553e3222a00007ec2\;42SessionID=npf-sjca-pdp01/195491152/2084830\;, Called-Station-ID=64-d9-89-42-20-20:alpha_phone, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22950553e3222a00007ec2, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084830, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0a22950553e3222a00007ec2, -Aug 6 16:40:58 10.42.7.63 Aug 7 00:00:10 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969836 1 0 2014-08-07 00:00:10.954 -07:00 0098648718 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.149.5, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=69, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22950553e3214500007ec0\;42SessionID=npf-sjca-pdp01/195491152/2084832\;, Called-Station-ID=64-d9-89-42-20-20:alpha_phone, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22950553e3214500007ec0, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084832, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0a22950553e3214500007ec0, -Aug 6 16:40:59 10.42.7.63 Aug 7 00:00:11 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969837 1 0 2014-08-07 00:00:11.056 -07:00 0098648728 12932 WARN Failed-Attempt: Supplicant stopped responding to 
ISE after sending it the first EAP-FAST message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084599, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22964453e324bb00000d5e, -Aug 6 16:40:59 10.42.7.63 Aug 7 00:00:11 npf-sjca-pdp01 CISE_Failed_Attempts 0001969838 1 0 2014-08-07 00:00:11.057 -07:00 0098648729 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084599, SelectedAccessService=Default Network Access, FailureReason=12932 Supplicant stopped responding to ISE after sending it the first EAP-FAST message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=12932, Step=5411, NetworkDeviceName=EXAMPLE, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap4, CPMSessionID=0a22964453e324bb00000d5e, EndPointMACAddress=00-23-33-41-D7-93, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=20=120000, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, 
StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, -Aug 6 16:40:59 10.42.7.64 Aug 7 00:00:11 npf-sjca-pdp02 CISE_Passed_Authentications 0000370856 1 0 2014-08-07 00:00:11.093 -07:00 0011266671 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=maswank, Protocol=Radius, RequestLatency=43, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdef53e323ef\;41SessionID=npf-sjca-pdp02/195481465/270933\;, Called-Station-ID=a4-56-30-0f-78-80:alpha_example, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= +Aug 6 16:40:57 10.42.7.63 Aug 7 00:00:09 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969835 1 0 2014-08-07 00:00:09.779 -07:00 0098648583 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.149.5, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=59, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22950553e3222a00007ec2\;42SessionID=npf-sjca-pdp01/195491152/2084830\;, Called-Station-ID=64-d9-89-42-20-20:alpha_phone, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22950553e3222a00007ec2, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084830, SelectedAccessService=Default Network Access, 
DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0a22950553e3222a00007ec2, +Aug 6 16:40:58 10.42.7.63 Aug 7 00:00:10 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969836 1 0 2014-08-07 00:00:10.954 -07:00 0098648718 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.149.5, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=69, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22950553e3214500007ec0\;42SessionID=npf-sjca-pdp01/195491152/2084832\;, Called-Station-ID=64-d9-89-42-20-20:alpha_phone, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22950553e3214500007ec0, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084832, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0a22950553e3214500007ec0, +Aug 6 16:40:59 10.42.7.63 Aug 7 00:00:11 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969837 1 0 2014-08-07 00:00:11.056 -07:00 0098648728 12932 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first EAP-FAST message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084599, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22964453e324bb00000d5e, +Aug 6 16:40:59 10.42.7.63 Aug 7 00:00:11 
npf-sjca-pdp01 CISE_Failed_Attempts 0001969838 1 0 2014-08-07 00:00:11.057 -07:00 0098648729 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084599, SelectedAccessService=Default Network Access, FailureReason=12932 Supplicant stopped responding to ISE after sending it the first EAP-FAST message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=12932, Step=5411, NetworkDeviceName=WNBU_NGWC_OTA_KATANA1, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap4, CPMSessionID=0a22964453e324bb00000d5e, EndPointMACAddress=00-23-33-41-D7-93, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=20=120000, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, +Aug 6 16:40:59 10.42.7.64 Aug 7 00:00:11 npf-sjca-pdp02 CISE_Passed_Authentications 0000370856 1 0 2014-08-07 00:00:11.093 -07:00 0011266671 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=maswank, Protocol=Radius, RequestLatency=43, 
NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdef53e323ef\;41SessionID=npf-sjca-pdp02/195481465/270933\;, Called-Station-ID=a4-56-30-0f-78-80:alpha_byod, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= Aug 6 16:40:59 10.42.7.64 Aug 7 00:00:11 npf-sjca-pdp02 CISE_RADIUS_Accounting 0000370857 1 0 2014-08-07 00:00:11.127 -07:00 0011266678 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=240, Device IP Address=10.34.76.212, RequestLatency=30, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Class=CACS:0a224cd40002fdef53e323ef:npf-sjca-pdp02/195481465/270933, Called-Station-ID=88-43-e1-62-1d-20, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=0, Acct-Output-Octets=0, Acct-Session-Id=53e323f0/00:21:6a:ab:3a:fe/174396, Acct-Authentic=RADIUS, Acct-Session-Time=10, Acct-Input-Packets=0, Acct-Output-Packets=0, undefined-52= -Aug 6 16:41:00 10.42.7.63 Aug 7 00:00:12 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969839 1 0 2014-08-07 00:00:12.104 -07:00 0098648760 12932 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first EAP-FAST message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084603, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22964453e324bc00000d60, -Aug 6 16:41:00 10.42.7.63 Aug 7 00:00:12 
npf-sjca-pdp01 CISE_Failed_Attempts 0001969840 1 0 2014-08-07 00:00:12.104 -07:00 0098648761 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084603, SelectedAccessService=Default Network Access, FailureReason=12932 Supplicant stopped responding to ISE after sending it the first EAP-FAST message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=12932, Step=5411, NetworkDeviceName=EXAMPLE, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap4, CPMSessionID=0a22964453e324bc00000d60, EndPointMACAddress=00-23-33-41-78-96, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=20=120001, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, -Aug 6 16:41:02 10.86.102.144 Aug 7 03:00:14 bxb22-11a-pdp1 CISE_System_Statistics 0000049401 1 0 2014-08-07 03:00:14.002 -04:00 0001380293 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=76, SysStatsUtilizationCpu=0.77%, SysStatsUtilizationNetwork=eth0: rcvd = 304249\; sent = 161666 \;rcvd_dropped = 0\; sent_dropped = 0, SysStatsUtilizationMemory=30.98%, 
SysStatsUtilizationDiskIO=0.19%, SysStatsUtilizationDiskSpace=6% /, SysStatsUtilizationDiskSpace=8% /boot, SysStatsUtilizationDiskSpace=2% /localdisk, SysStatsUtilizationDiskSpace=7% /storedconfig, SysStatsUtilizationDiskSpace=2% /tmp, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.04, SysStatsCpuCount=8, SysStatsProcessMemoryMB=14289, -Aug 6 16:41:02 10.86.102.144 Aug 7 03:00:14 bxb22-11a-pdp1 CISE_System_Statistics 0000049402 1 0 2014-08-07 03:00:14.002 -04:00 0001380294 70001 NOTICE System-Stats: ISE Process Health, ConfigVersionId=76, SysStatsAcsProcessHealth= Database Listener=running\, PID: 29433\; Database Server=running\, number of processes: 25\; Application Server=running\, PID: 473\; Profiler Database=running\, PID: 596\; AD Connector=running\, PID: 7728\; M&T Session Database=disabled\; M&T Log Collector=disabled\; M&T Log Processor=disabled\; Certificate Authority Service=running\, PID: 6175\; pxGrid Infrastructure Service=disabled\; pxGrid Publisher Subscriber Service=disabled\; pxGrid Connection Manager=disabled\; pxGrid Controller=disabled\; Identity Mapping Service=disabled, -Aug 6 16:41:02 10.42.7.63 Aug 7 00:00:14 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969841 1 0 2014-08-07 00:00:14.776 -07:00 0098648939 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.149.5, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=84, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22950553e3214500007ec0\;42SessionID=npf-sjca-pdp01/195491152/2084848\;, Called-Station-ID=64-d9-89-42-22-b0:alpha_phone, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22950553e3214500007ec0, 
cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084848, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0a22950553e3214500007ec0, -Aug 6 16:41:02 10.42.7.63 Aug 7 00:00:14 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969842 1 0 2014-08-07 00:00:14.873 -07:00 0098649040 12853 WARN EAP: Empty EAP-GTC message received, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=89, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e3253a00000d6d\;42SessionID=npf-sjca-pdp01/195491152/2084859\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-AD-A3, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e3253a00000d6d, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084859, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e3253a00000d6d, -Aug 6 16:41:02 10.42.7.63 Aug 7 00:00:14 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969843 1 0 2014-08-07 00:00:14.873 -07:00 0098649042 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=89, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e3253a00000d6d\;42SessionID=npf-sjca-pdp01/195491152/2084859\;, 
Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-AD-A3, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e3253a00000d6d, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084859, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e3253a00000d6d, -Aug 6 16:41:02 10.42.7.63 Aug 7 00:00:14 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969844 1 0 2014-08-07 00:00:14.874 -07:00 0098649047 12932 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first EAP-FAST message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084608, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22950553e3222a00007ec2, -Aug 6 16:41:02 10.42.7.63 Aug 7 00:00:14 npf-sjca-pdp01 CISE_Failed_Attempts 0001969845 1 0 2014-08-07 00:00:14.874 -07:00 0098649048 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084608, SelectedAccessService=Default Network Access, FailureReason=12932 Supplicant stopped responding to ISE after sending it the first EAP-FAST message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=12932, Step=5411, NetworkDeviceName=EXAMPLE, NetworkDeviceGroups=Location#All 
Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap3, CPMSessionID=0a22950553e3222a00007ec2, EndPointMACAddress=00-23-33-41-D7-93, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=20=120001, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, +Aug 6 16:41:00 10.42.7.63 Aug 7 00:00:12 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969839 1 0 2014-08-07 00:00:12.104 -07:00 0098648760 12932 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first EAP-FAST message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084603, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22964453e324bc00000d60, +Aug 6 16:41:00 10.42.7.63 Aug 7 00:00:12 npf-sjca-pdp01 CISE_Failed_Attempts 0001969840 1 0 2014-08-07 00:00:12.104 -07:00 0098648761 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084603, SelectedAccessService=Default Network Access, FailureReason=12932 Supplicant stopped responding to ISE after sending it the first EAP-FAST message, Step=11001, 
Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=12932, Step=5411, NetworkDeviceName=WNBU_NGWC_OTA_KATANA1, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap4, CPMSessionID=0a22964453e324bc00000d60, EndPointMACAddress=00-23-33-41-78-96, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=20=120001, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, +Aug 6 16:41:02 10.86.102.144 Aug 7 03:00:14 bxb22-11a-pdp1 CISE_System_Statistics 0000049401 1 0 2014-08-07 03:00:14.002 -04:00 0001380293 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=76, SysStatsUtilizationCpu=0.77%, SysStatsUtilizationNetwork=eth0: rcvd = 304249\; sent = 161666 \;rcvd_dropped = 0\; sent_dropped = 0, SysStatsUtilizationMemory=30.98%, SysStatsUtilizationDiskIO=0.19%, SysStatsUtilizationDiskSpace=6% /, SysStatsUtilizationDiskSpace=8% /boot, SysStatsUtilizationDiskSpace=2% /localdisk, SysStatsUtilizationDiskSpace=7% /storedconfig, SysStatsUtilizationDiskSpace=2% /tmp, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.04, SysStatsCpuCount=8, SysStatsProcessMemoryMB=14289, +Aug 6 16:41:02 10.86.102.144 Aug 7 03:00:14 bxb22-11a-pdp1 
CISE_System_Statistics 0000049402 1 0 2014-08-07 03:00:14.002 -04:00 0001380294 70001 NOTICE System-Stats: ISE Process Health, ConfigVersionId=76, SysStatsAcsProcessHealth= Database Listener=running\, PID: 29433\; Database Server=running\, number of processes: 25\; Application Server=running\, PID: 473\; Profiler Database=running\, PID: 596\; AD Connector=running\, PID: 7728\; M&T Session Database=disabled\; M&T Log Collector=disabled\; M&T Log Processor=disabled\; Certificate Authority Service=running\, PID: 6175\; pxGrid Infrastructure Service=disabled\; pxGrid Publisher Subscriber Service=disabled\; pxGrid Connection Manager=disabled\; pxGrid Controller=disabled\; Identity Mapping Service=disabled, +Aug 6 16:41:02 10.42.7.63 Aug 7 00:00:14 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969841 1 0 2014-08-07 00:00:14.776 -07:00 0098648939 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.149.5, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=84, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22950553e3214500007ec0\;42SessionID=npf-sjca-pdp01/195491152/2084848\;, Called-Station-ID=64-d9-89-42-22-b0:alpha_phone, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22950553e3214500007ec0, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084848, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0a22950553e3214500007ec0, +Aug 6 16:41:02 10.42.7.63 Aug 7 00:00:14 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969842 1 0 2014-08-07 00:00:14.873 -07:00 0098649040 12853 WARN 
EAP: Empty EAP-GTC message received, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=89, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e3253a00000d6d\;42SessionID=npf-sjca-pdp01/195491152/2084859\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-AD-A3, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e3253a00000d6d, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084859, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e3253a00000d6d, +Aug 6 16:41:02 10.42.7.63 Aug 7 00:00:14 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969843 1 0 2014-08-07 00:00:14.873 -07:00 0098649042 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=89, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e3253a00000d6d\;42SessionID=npf-sjca-pdp01/195491152/2084859\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-AD-A3, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e3253a00000d6d, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084859, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e3253a00000d6d, +Aug 6 16:41:02 10.42.7.63 Aug 
7 00:00:14 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969844 1 0 2014-08-07 00:00:14.874 -07:00 0098649047 12932 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first EAP-FAST message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084608, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22950553e3222a00007ec2, +Aug 6 16:41:02 10.42.7.63 Aug 7 00:00:14 npf-sjca-pdp01 CISE_Failed_Attempts 0001969845 1 0 2014-08-07 00:00:14.874 -07:00 0098649048 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084608, SelectedAccessService=Default Network Access, FailureReason=12932 Supplicant stopped responding to ISE after sending it the first EAP-FAST message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=12932, Step=5411, NetworkDeviceName=WNBU_NGWC_OTA_22_SW1, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap3, CPMSessionID=0a22950553e3222a00007ec2, EndPointMACAddress=00-23-33-41-D7-93, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=20=120001, StepData=4= DEVICE.Location, 
StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, Aug 6 16:41:03 10.42.7.64 Aug 7 00:00:15 npf-sjca-pdp02 CISE_RADIUS_Accounting 0000370858 1 0 2014-08-07 00:00:15.120 -07:00 0011266686 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=240, Device IP Address=10.56.129.4, RequestLatency=32, NetworkDeviceName=NTN-WLC1, User-Name=98-D6-F7-5E-67-1E, NAS-IP-Address=10.56.129.4, NAS-Port=1, Framed-IP-Address=10.56.129.30, Class=CACS:0a388104000045cf53e2beda:npf-sjca-pdp02/195481465/270922, Called-Station-ID=6c-41-6a-5f-6e-c0, Calling-Station-ID=98-d6-f7-5e-67-1e, NAS-Identifier=ntn01-11a-wlc1, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=82454, Acct-Output-Octets=86377, Acct-Session-Id=53e2bedc/98:d6:f7:5e:67:1e/13845, Acct-Authentic=RADIUS, Acct-Session-Time=1192, Acct-Input-Packets=427, Acct-Output-Packets=233, Acct-Terminate-Cause=Idle Timeout, undefined-52= -Aug 6 16:41:03 10.42.7.63 Aug 7 00:00:15 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969846 1 0 2014-08-07 00:00:15.923 -07:00 0098649220 12853 WARN EAP: Empty EAP-GTC message received, ConfigVersionId=133, Device IP Address=171.70.35.137, Device Port=32770, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=0, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055ab8f1ae353\;42SessionID=npf-sjca-pdp01/195491152/2084866\;, Called-Station-ID=ec447680bc70:alpha_phone, Calling-Station-ID=30f70d4d201d, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, 
cisco-av-pair=audit-session-id=892346ab000055ab8f1ae353, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084866, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=892346ab000055ab8f1ae353, -Aug 6 16:41:03 10.42.7.63 Aug 7 00:00:15 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969847 1 0 2014-08-07 00:00:15.923 -07:00 0098649222 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=171.70.35.137, Device Port=32770, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=0, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055ab8f1ae353\;42SessionID=npf-sjca-pdp01/195491152/2084866\;, Called-Station-ID=ec447680bc70:alpha_phone, Calling-Station-ID=30f70d4d201d, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, cisco-av-pair=audit-session-id=892346ab000055ab8f1ae353, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084866, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=892346ab000055ab8f1ae353, -Aug 6 16:41:03 10.42.7.63 Aug 7 00:00:15 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969848 1 0 2014-08-07 00:00:15.958 -07:00 0098649232 12930 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first PEAP message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084610, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22950553e3214500007ec0, -Aug 6 16:41:03 10.42.7.63 
Aug 7 00:00:15 npf-sjca-pdp01 CISE_Failed_Attempts 0001969849 1 0 2014-08-07 00:00:15.959 -07:00 0098649233 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084610, SelectedAccessService=Default Network Access, FailureReason=12930 Supplicant stopped responding to ISE after sending it the first PEAP message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=12930, Step=5411, NetworkDeviceName=EXAMPLE, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=PEAP, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap3, CPMSessionID=0a22950553e3214500007ec0, EndPointMACAddress=00-23-33-41-78-96, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=14=120000, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, -Aug 6 16:41:04 10.42.7.63 Aug 7 00:00:16 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969850 1 0 2014-08-07 00:00:16.678 -07:00 0098649417 12853 WARN EAP: Empty EAP-GTC message received, ConfigVersionId=133, Device IP Address=171.70.35.137, Device Port=32770, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=9, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, 
State=37CPMSessionID=892346ab000055ab8f1ae353\;42SessionID=npf-sjca-pdp01/195491152/2084867\;, Called-Station-ID=ec447680bc70:alpha_phone, Calling-Station-ID=30f70d4d201d, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, cisco-av-pair=audit-session-id=892346ab000055ab8f1ae353, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084867, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=892346ab000055ab8f1ae353, -Aug 6 16:41:04 10.42.7.63 Aug 7 00:00:16 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969851 1 0 2014-08-07 00:00:16.678 -07:00 0098649419 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=171.70.35.137, Device Port=32770, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=9, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055ab8f1ae353\;42SessionID=npf-sjca-pdp01/195491152/2084867\;, Called-Station-ID=ec447680bc70:alpha_phone, Calling-Station-ID=30f70d4d201d, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, cisco-av-pair=audit-session-id=892346ab000055ab8f1ae353, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084867, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=892346ab000055ab8f1ae353, -Aug 6 16:41:04 10.42.7.63 Aug 7 00:00:16 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969852 1 0 2014-08-07 00:00:16.697 -07:00 0098649435 12853 WARN EAP: Empty EAP-GTC message received, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, 
RadiusPacketType=AccessRequest, RadiusIdentifier=102, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e324d700000d64\;42SessionID=npf-sjca-pdp01/195491152/2084868\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e324d700000d64, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084868, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e324d700000d64, -Aug 6 16:41:04 10.42.7.63 Aug 7 00:00:16 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969853 1 0 2014-08-07 00:00:16.697 -07:00 0098649437 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=102, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e324d700000d64\;42SessionID=npf-sjca-pdp01/195491152/2084868\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e324d700000d64, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084868, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e324d700000d64, -Aug 6 16:41:04 10.42.7.63 Aug 7 00:00:16 npf-sjca-pdp01 CISE_Failed_Attempts 0001969854 1 0 2014-08-07 00:00:16.712 -07:00 0098649452 5434 NOTICE RADIUS: Endpoint conducted several failed 
authentications of the same scenario, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=pnirala, Protocol=Radius, NetworkDeviceName=EXAMPLE, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e324d700000d64\;42SessionID=npf-sjca-pdp01/195491152/2084868\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap7, EAP-Key-Name=, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e324d700000d64, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, IsEndpointInRejectMode=false, AcsSessionID=npf-sjca-pdp01/195491152/2084868, AuthenticationIdentityStore=CiscoAD, AuthenticationMethod=PAP_ASCII, SelectedAccessService=Default Network Access, FailureReason=24408 User authentication against Active Directory failed since user has entered the wrong password, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12175, Step=12805, Step=12806, Step=12801, Step=12802, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12804, Step=12816, Step=12132, Step=12209, Step=12218, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12220, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12607, Step=12606, Step=12611, Step=15041, Step=15006, Step=22072, Step=15013, Step=12606, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12610, Step=15041, Step=15004, Step=15006, Step=22072, Step=15013, Step=24430, 
Step=24325, Step=24313, Step=24319, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24323, Step=24344, Step=24408, Step=22057, Step=22061, Step=12610, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12610, Step=12853, Step=11520, Step=12117, Step=22028, Step=12965, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=11504, Step=11003, Step=5434, SelectedAuthenticationIdentityStores=CiscoAD, SelectedAuthenticationIdentityStores=Internal Endpoints, SelectedAuthenticationIdentityStores=Internal Users, SelectedAuthenticationIdentityStores=Guest Users, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e324d700000d64, EndPointMACAddress=00-23-33-41-60-52, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, IdentitySelectionMatchedRule=Default, TotalFailedAttempts=12987, TotalFailedTime=310509, AD-Domain=cisco.com, AD-User-Candidate-Identities=pnirala@cisco.com, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, StepData=59=EAP_TLS_BYOD, StepData=60=CiscoAD, StepData=69=Default, StepData=71=EAP_TLS_BYOD, StepData=72=CiscoAD, StepData=73=CiscoAD, StepData=74=pnirala, StepData=75=cisco.com, StepData=76=cisco.com, StepData=77=icm.cisco.com\,Domain trust direction is one-way, StepData=78=sea-alpha.cisco.com\,Domain trust direction is one-way, StepData=79=partnet.cisco.com\,Domain trust direction is one-way, StepData=80=IL.NDS.COM\,Domain trust direction is one-way, StepData=81=UK.NDS.COM\,Domain trust direction is one-way, StepData=82=SN.local\,Domain trust direction is one-way, StepData=83=webex.local\,Domain trust 
direction is one-way, StepData=84=in.nds.com\,Domain trust direction is one-way, StepData=85=US.NDS.COM\,Domain trust direction is one-way, StepData=87=STATUS_WRONG_PASSWORD\,ERROR_INVALID_PASSWORD\,pnirala@cisco.com, StepData=88=CiscoAD, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, Response={RadiusPacketType=AccessReject; }, -Aug 6 16:41:05 10.42.7.63 Aug 7 00:00:17 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969855 1 0 2014-08-07 00:00:17.100 -07:00 0098649536 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=171.70.35.137, Device Port=32770, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=15, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055f1fd23e353\;42SessionID=npf-sjca-pdp01/195491152/2084849\;, Called-Station-ID=002333c45b90:alpha_phone, Calling-Station-ID=0018ba78c59d, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, cisco-av-pair=audit-session-id=892346ab000055f1fd23e353, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084849, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=892346ab000055f1fd23e353, -Aug 6 16:41:05 10.42.7.63 Aug 7 00:00:17 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969856 1 0 2014-08-07 00:00:17.263 -07:00 0098649644 12853 WARN EAP: Empty EAP-GTC message received, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=113, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, 
Framed-MTU=1449, State=37CPMSessionID=0a22964453e324d700000d64\;42SessionID=npf-sjca-pdp01/195491152/2084870\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e324d700000d64, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084870, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e324d700000d64, -Aug 6 16:41:05 10.42.7.63 Aug 7 00:00:17 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969857 1 0 2014-08-07 00:00:17.263 -07:00 0098649646 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=113, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e324d700000d64\;42SessionID=npf-sjca-pdp01/195491152/2084870\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e324d700000d64, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084870, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e324d700000d64, -Aug 6 16:41:05 10.42.7.63 Aug 7 00:00:17 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969858 1 0 2014-08-07 00:00:17.840 -07:00 0098649841 12853 WARN EAP: Empty EAP-GTC message received, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, 
RadiusPacketType=AccessRequest, RadiusIdentifier=125, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e324d700000d64\;42SessionID=npf-sjca-pdp01/195491152/2084873\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e324d700000d64, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084873, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e324d700000d64, -Aug 6 16:41:05 10.42.7.63 Aug 7 00:00:17 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969859 1 0 2014-08-07 00:00:17.841 -07:00 0098649843 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=125, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e324d700000d64\;42SessionID=npf-sjca-pdp01/195491152/2084873\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e324d700000d64, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084873, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e324d700000d64, -Aug 6 16:41:05 10.42.7.63 Aug 7 00:00:17 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969860 1 0 2014-08-07 00:00:17.954 -07:00 0098649912 12117 WARN EAP: EAP-FAST inner method finished with 
failure, ConfigVersionId=133, Device IP Address=171.70.35.137, Device Port=32770, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=26, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000054ed0a09e353\;42SessionID=npf-sjca-pdp01/195491152/2084852\;, Called-Station-ID=0023045b8cb0:alpha_phone, Calling-Station-ID=0026cb006125, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, cisco-av-pair=audit-session-id=892346ab000054ed0a09e353, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084852, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=892346ab000054ed0a09e353, +Aug 6 16:41:03 10.42.7.63 Aug 7 00:00:15 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969846 1 0 2014-08-07 00:00:15.923 -07:00 0098649220 12853 WARN EAP: Empty EAP-GTC message received, ConfigVersionId=133, Device IP Address=171.70.35.137, Device Port=32770, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=0, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055ab8f1ae353\;42SessionID=npf-sjca-pdp01/195491152/2084866\;, Called-Station-ID=ec447680bc70:alpha_phone, Calling-Station-ID=30f70d4d201d, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, cisco-av-pair=audit-session-id=892346ab000055ab8f1ae353, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084866, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, 
CPMSessionID=892346ab000055ab8f1ae353, +Aug 6 16:41:03 10.42.7.63 Aug 7 00:00:15 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969847 1 0 2014-08-07 00:00:15.923 -07:00 0098649222 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=171.70.35.137, Device Port=32770, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=0, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055ab8f1ae353\;42SessionID=npf-sjca-pdp01/195491152/2084866\;, Called-Station-ID=ec447680bc70:alpha_phone, Calling-Station-ID=30f70d4d201d, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, cisco-av-pair=audit-session-id=892346ab000055ab8f1ae353, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084866, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=892346ab000055ab8f1ae353, +Aug 6 16:41:03 10.42.7.63 Aug 7 00:00:15 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969848 1 0 2014-08-07 00:00:15.958 -07:00 0098649232 12930 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first PEAP message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084610, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22950553e3214500007ec0, +Aug 6 16:41:03 10.42.7.63 Aug 7 00:00:15 npf-sjca-pdp01 CISE_Failed_Attempts 0001969849 1 0 2014-08-07 00:00:15.959 -07:00 0098649233 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, 
Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084610, SelectedAccessService=Default Network Access, FailureReason=12930 Supplicant stopped responding to ISE after sending it the first PEAP message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=12930, Step=5411, NetworkDeviceName=WNBU_NGWC_OTA_22_SW1, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=PEAP, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap3, CPMSessionID=0a22950553e3214500007ec0, EndPointMACAddress=00-23-33-41-78-96, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=14=120000, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, +Aug 6 16:41:04 10.42.7.63 Aug 7 00:00:16 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969850 1 0 2014-08-07 00:00:16.678 -07:00 0098649417 12853 WARN EAP: Empty EAP-GTC message received, ConfigVersionId=133, Device IP Address=171.70.35.137, Device Port=32770, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=9, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055ab8f1ae353\;42SessionID=npf-sjca-pdp01/195491152/2084867\;, Called-Station-ID=ec447680bc70:alpha_phone, Calling-Station-ID=30f70d4d201d, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless 
- IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, cisco-av-pair=audit-session-id=892346ab000055ab8f1ae353, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084867, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=892346ab000055ab8f1ae353, +Aug 6 16:41:04 10.42.7.63 Aug 7 00:00:16 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969851 1 0 2014-08-07 00:00:16.678 -07:00 0098649419 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=171.70.35.137, Device Port=32770, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=9, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055ab8f1ae353\;42SessionID=npf-sjca-pdp01/195491152/2084867\;, Called-Station-ID=ec447680bc70:alpha_phone, Calling-Station-ID=30f70d4d201d, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, cisco-av-pair=audit-session-id=892346ab000055ab8f1ae353, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084867, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=892346ab000055ab8f1ae353, +Aug 6 16:41:04 10.42.7.63 Aug 7 00:00:16 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969852 1 0 2014-08-07 00:00:16.697 -07:00 0098649435 12853 WARN EAP: Empty EAP-GTC message received, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=102, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, 
State=37CPMSessionID=0a22964453e324d700000d64\;42SessionID=npf-sjca-pdp01/195491152/2084868\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e324d700000d64, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084868, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e324d700000d64, +Aug 6 16:41:04 10.42.7.63 Aug 7 00:00:16 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969853 1 0 2014-08-07 00:00:16.697 -07:00 0098649437 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=102, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e324d700000d64\;42SessionID=npf-sjca-pdp01/195491152/2084868\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e324d700000d64, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084868, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e324d700000d64, +Aug 6 16:41:04 10.42.7.63 Aug 7 00:00:16 npf-sjca-pdp01 CISE_Failed_Attempts 0001969854 1 0 2014-08-07 00:00:16.712 -07:00 0098649452 5434 NOTICE RADIUS: Endpoint conducted several failed authentications of the same scenario, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, 
DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=pnirala, Protocol=Radius, NetworkDeviceName=WNBU_NGWC_OTA_KATANA1, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e324d700000d64\;42SessionID=npf-sjca-pdp01/195491152/2084868\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap7, EAP-Key-Name=, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e324d700000d64, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, IsEndpointInRejectMode=false, AcsSessionID=npf-sjca-pdp01/195491152/2084868, AuthenticationIdentityStore=CiscoAD, AuthenticationMethod=PAP_ASCII, SelectedAccessService=Default Network Access, FailureReason=24408 User authentication against Active Directory failed since user has entered the wrong password, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12175, Step=12805, Step=12806, Step=12801, Step=12802, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12804, Step=12816, Step=12132, Step=12209, Step=12218, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12220, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12607, Step=12606, Step=12611, Step=15041, Step=15006, Step=22072, Step=15013, Step=12606, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12610, Step=15041, Step=15004, Step=15006, Step=22072, Step=15013, Step=24430, Step=24325, Step=24313, Step=24319, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, 
Step=24367, Step=24367, Step=24323, Step=24344, Step=24408, Step=22057, Step=22061, Step=12610, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12610, Step=12853, Step=11520, Step=12117, Step=22028, Step=12965, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=11504, Step=11003, Step=5434, SelectedAuthenticationIdentityStores=CiscoAD, SelectedAuthenticationIdentityStores=Internal Endpoints, SelectedAuthenticationIdentityStores=Internal Users, SelectedAuthenticationIdentityStores=Guest Users, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e324d700000d64, EndPointMACAddress=00-23-33-41-60-52, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, IdentitySelectionMatchedRule=Default, TotalFailedAttempts=12987, TotalFailedTime=310509, AD-Domain=cisco.com, AD-User-Candidate-Identities=pnirala@cisco.com, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, StepData=59=EAP_TLS_BYOD, StepData=60=CiscoAD, StepData=69=Default, StepData=71=EAP_TLS_BYOD, StepData=72=CiscoAD, StepData=73=CiscoAD, StepData=74=pnirala, StepData=75=cisco.com, StepData=76=cisco.com, StepData=77=icm.cisco.com\,Domain trust direction is one-way, StepData=78=sea-alpha.cisco.com\,Domain trust direction is one-way, StepData=79=partnet.cisco.com\,Domain trust direction is one-way, StepData=80=IL.NDS.COM\,Domain trust direction is one-way, StepData=81=UK.NDS.COM\,Domain trust direction is one-way, StepData=82=SN.local\,Domain trust direction is one-way, StepData=83=webex.local\,Domain trust direction is one-way, StepData=84=in.nds.com\,Domain trust direction is one-way, StepData=85=US.NDS.COM\,Domain trust 
direction is one-way, StepData=87=STATUS_WRONG_PASSWORD\,ERROR_INVALID_PASSWORD\,pnirala@cisco.com, StepData=88=CiscoAD, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, Response={RadiusPacketType=AccessReject; }, +Aug 6 16:41:05 10.42.7.63 Aug 7 00:00:17 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969855 1 0 2014-08-07 00:00:17.100 -07:00 0098649536 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=171.70.35.137, Device Port=32770, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=15, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055f1fd23e353\;42SessionID=npf-sjca-pdp01/195491152/2084849\;, Called-Station-ID=002333c45b90:alpha_phone, Calling-Station-ID=0018ba78c59d, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, cisco-av-pair=audit-session-id=892346ab000055f1fd23e353, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084849, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=892346ab000055f1fd23e353, +Aug 6 16:41:05 10.42.7.63 Aug 7 00:00:17 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969856 1 0 2014-08-07 00:00:17.263 -07:00 0098649644 12853 WARN EAP: Empty EAP-GTC message received, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=113, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e324d700000d64\;42SessionID=npf-sjca-pdp01/195491152/2084870\;, 
Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e324d700000d64, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084870, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e324d700000d64, +Aug 6 16:41:05 10.42.7.63 Aug 7 00:00:17 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969857 1 0 2014-08-07 00:00:17.263 -07:00 0098649646 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=113, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e324d700000d64\;42SessionID=npf-sjca-pdp01/195491152/2084870\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e324d700000d64, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084870, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e324d700000d64, +Aug 6 16:41:05 10.42.7.63 Aug 7 00:00:17 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969858 1 0 2014-08-07 00:00:17.840 -07:00 0098649841 12853 WARN EAP: Empty EAP-GTC message received, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=125, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, 
Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e324d700000d64\;42SessionID=npf-sjca-pdp01/195491152/2084873\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e324d700000d64, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084873, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e324d700000d64, +Aug 6 16:41:05 10.42.7.63 Aug 7 00:00:17 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969859 1 0 2014-08-07 00:00:17.841 -07:00 0098649843 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.150.68, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=125, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e324d700000d64\;42SessionID=npf-sjca-pdp01/195491152/2084873\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e324d700000d64, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084873, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e324d700000d64, +Aug 6 16:41:05 10.42.7.63 Aug 7 00:00:17 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969860 1 0 2014-08-07 00:00:17.954 -07:00 0098649912 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=171.70.35.137, Device Port=32770, DestinationIPAddress=10.42.7.63, 
DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=26, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000054ed0a09e353\;42SessionID=npf-sjca-pdp01/195491152/2084852\;, Called-Station-ID=0023045b8cb0:alpha_phone, Calling-Station-ID=0026cb006125, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, cisco-av-pair=audit-session-id=892346ab000054ed0a09e353, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084852, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=892346ab000054ed0a09e353, Aug 6 16:41:06 10.42.7.63 Aug 7 00:00:18 npf-sjca-pdp01 CISE_Passed_Authentications 0001969861 1 0 2014-08-07 00:00:18.392 -07:00 0098650111 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=mkrummen, Protocol=Radius, RequestLatency=30, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000054f03809e353\;42SessionID=npf-sjca-pdp01/195491152/2084875\;, Called-Station-ID=0024c48d6e40:alpha_phone, Calling-Station-ID=001f9e8b6c9f, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= Aug 6 16:41:06 10.42.7.63 Aug 7 00:00:18 npf-sjca-pdp01 CISE_RADIUS_Accounting 0001969862 1 0 2014-08-07 00:00:18.465 -07:00 0098650132 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=133, Device IP Address=171.70.35.137, RequestLatency=2, 
NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=mkrummen, NAS-IP-Address=171.70.35.137, NAS-Port=1, Framed-IP-Address=10.33.117.7, Class=CACS:892346ab000054f03809e353:npf-sjca-pdp01/195491152/2084875, Called-Station-ID=00-24-c4-8d-6e-40, Calling-Station-ID=00-1f-9e-8b-6c-9f, NAS-Identifier=Cisco_cf:27:46, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=0, Acct-Output-Octets=0, Acct-Session-Id=53e3093b/00:1f:9e:8b:6c:9f/12103, Acct-Authentic=RADIUS, Acct-Session-Time=6856, Acct-Input-Packets=0, Acct-Output-Packets=0, undefined-52= Aug 6 16:41:06 10.42.7.63 Aug 7 00:00:18 npf-sjca-pdp01 CISE_Passed_Authentications 0001969863 1 0 2014-08-07 00:00:18.485 -07:00 0098650153 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=frsung, Protocol=Radius, RequestLatency=26, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=frsung, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055f20124e353\;42SessionID=npf-sjca-pdp01/195491152/2084874\;, Called-Station-ID=0026cbba9070:alpha, Calling-Station-ID=10683f75350c, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= -Aug 6 16:41:06 10.42.7.63 Aug 7 00:00:18 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969864 1 0 2014-08-07 00:00:18.634 -07:00 0098650217 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.149.5, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=95, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22950553e3214500007ec0\;42SessionID=npf-sjca-pdp01/195491152/2084864\;, 
Called-Station-ID=64-d9-89-42-1e-80:alpha_phone, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22950553e3214500007ec0, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084864, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0a22950553e3214500007ec0, -Aug 6 16:41:06 10.42.7.63 Aug 7 00:00:18 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969865 1 0 2014-08-07 00:00:18.975 -07:00 0098650247 12932 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first EAP-FAST message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084616, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22950553e3222a00007ec2, -Aug 6 16:41:06 10.42.7.63 Aug 7 00:00:18 npf-sjca-pdp01 CISE_Failed_Attempts 0001969866 1 0 2014-08-07 00:00:18.976 -07:00 0098650248 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084616, SelectedAccessService=Default Network Access, FailureReason=12932 Supplicant stopped responding to ISE after sending it the first EAP-FAST message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=12932, Step=5411, 
NetworkDeviceName=EXAMPLE, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap2, CPMSessionID=0a22950553e3222a00007ec2, EndPointMACAddress=00-23-33-41-D7-93, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=20=120000, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, -Aug 6 16:41:07 10.42.7.63 Aug 7 00:00:19 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969867 1 0 2014-08-07 00:00:19.370 -07:00 0098650287 12933 WARN Failed-Attempt: Supplicant stopped responding to ISE during EAP-FAST tunnel establishment, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084624, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-AD-A3, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22964453e324c700000d62, -Aug 6 16:41:07 10.42.7.63 Aug 7 00:00:19 npf-sjca-pdp01 CISE_Failed_Attempts 0001969868 1 0 2014-08-07 00:00:19.371 -07:00 0098650288 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084624, SelectedAccessService=Default Network Access, FailureReason=12933 Supplicant stopped responding to ISE during 
EAP-FAST tunnel establishment, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12175, Step=12805, Step=12806, Step=12801, Step=12802, Step=12105, Step=11006, Step=12933, Step=5411, NetworkDeviceName=EXAMPLE, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-AD-A3, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap7, CPMSessionID=0a22964453e324c700000d62, EndPointMACAddress=00-23-33-41-AD-A3, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=31=120000, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, +Aug 6 16:41:06 10.42.7.63 Aug 7 00:00:18 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969864 1 0 2014-08-07 00:00:18.634 -07:00 0098650217 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.149.5, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=95, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22950553e3214500007ec0\;42SessionID=npf-sjca-pdp01/195491152/2084864\;, Called-Station-ID=64-d9-89-42-1e-80:alpha_phone, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, 
cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22950553e3214500007ec0, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084864, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0a22950553e3214500007ec0, +Aug 6 16:41:06 10.42.7.63 Aug 7 00:00:18 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969865 1 0 2014-08-07 00:00:18.975 -07:00 0098650247 12932 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first EAP-FAST message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084616, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22950553e3222a00007ec2, +Aug 6 16:41:06 10.42.7.63 Aug 7 00:00:18 npf-sjca-pdp01 CISE_Failed_Attempts 0001969866 1 0 2014-08-07 00:00:18.976 -07:00 0098650248 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084616, SelectedAccessService=Default Network Access, FailureReason=12932 Supplicant stopped responding to ISE after sending it the first EAP-FAST message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=12932, Step=5411, NetworkDeviceName=WNBU_NGWC_OTA_22_SW1, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device 
Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap2, CPMSessionID=0a22950553e3222a00007ec2, EndPointMACAddress=00-23-33-41-D7-93, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=20=120000, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, +Aug 6 16:41:07 10.42.7.63 Aug 7 00:00:19 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969867 1 0 2014-08-07 00:00:19.370 -07:00 0098650287 12933 WARN Failed-Attempt: Supplicant stopped responding to ISE during EAP-FAST tunnel establishment, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084624, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-AD-A3, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22964453e324c700000d62, +Aug 6 16:41:07 10.42.7.63 Aug 7 00:00:19 npf-sjca-pdp01 CISE_Failed_Attempts 0001969868 1 0 2014-08-07 00:00:19.371 -07:00 0098650288 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084624, SelectedAccessService=Default Network Access, FailureReason=12933 Supplicant stopped responding to ISE during EAP-FAST tunnel establishment, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, 
Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12175, Step=12805, Step=12806, Step=12801, Step=12802, Step=12105, Step=11006, Step=12933, Step=5411, NetworkDeviceName=WNBU_NGWC_OTA_KATANA1, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-AD-A3, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap7, CPMSessionID=0a22964453e324c700000d62, EndPointMACAddress=00-23-33-41-AD-A3, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=31=120000, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, Aug 6 16:41:07 10.42.7.63 Aug 7 00:00:19 npf-sjca-pdp01 CISE_RADIUS_Accounting 0001969869 1 0 2014-08-07 00:00:19.485 -07:00 0098650295 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=133, Device IP Address=171.70.35.137, RequestLatency=2, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=bbobinde, NAS-IP-Address=171.70.35.137, NAS-Port=1, Framed-IP-Address=10.33.249.75, Class=CACS:892346ab000055eaa422e353:npf-sjca-pdp01/195491152/2084126, Called-Station-ID=ec-44-76-80-bc-70, Calling-Station-ID=94-94-26-07-19-b4, NAS-Identifier=Cisco_cf:27:46, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=24601, Acct-Output-Octets=210110, Acct-Session-Id=53e322a6/94:94:26:07:19:b4/12257, Acct-Authentic=RADIUS, Acct-Session-Time=349, Acct-Input-Packets=281, 
Acct-Output-Packets=353, Acct-Terminate-Cause=Idle Timeout, undefined-52= -Aug 6 16:41:07 10.42.7.63 Aug 7 00:00:19 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969870 1 0 2014-08-07 00:00:19.838 -07:00 0098650301 12933 WARN Failed-Attempt: Supplicant stopped responding to ISE during EAP-FAST tunnel establishment, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084625, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22950553e3214500007ec0, -Aug 6 16:41:07 10.42.7.63 Aug 7 00:00:19 npf-sjca-pdp01 CISE_Failed_Attempts 0001969871 1 0 2014-08-07 00:00:19.838 -07:00 0098650302 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084625, SelectedAccessService=Default Network Access, FailureReason=12933 Supplicant stopped responding to ISE during EAP-FAST tunnel establishment, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12805, Step=12806, Step=12808, Step=12810, Step=12105, Step=11006, Step=12933, Step=5411, NetworkDeviceName=EXAMPLE, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap2, CPMSessionID=0a22950553e3214500007ec0, 
EndPointMACAddress=00-23-33-41-78-96, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=30=120001, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, -Aug 6 16:41:08 10.42.7.63 Aug 7 00:00:20 npf-sjca-pdp01 CISE_RADIUS_Accounting 0001969872 1 0 2014-08-07 00:00:20.554 -07:00 0098650319 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=133, Device IP Address=171.70.35.137, RequestLatency=4, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=frsung, NAS-IP-Address=171.70.35.137, NAS-Port=1, Framed-IP-Address=10.33.250.89, Class=CACS:892346ab000055f20124e353:npf-sjca-pdp01/195491152/2084874, Called-Station-ID=00-26-cb-ba-90-70, Calling-Station-ID=10-68-3f-75-35-0c, NAS-Identifier=Cisco_cf:27:46, Acct-Status-Type=Start, Acct-Session-Id=53e32404/10:68:3f:75:35:0c/12262, Acct-Authentic=RADIUS, Event-Timestamp=1407394820, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, cisco-av-pair=audit-session-id=892346ab000055f20124e353, cisco-av-pair=dhcp-option=host-name=android-97981535d1e7a422, cisco-av-pair=dhcp-option=dhcp-class-identifier=dhcpcd-5.5.6, Airespace-Wlan-Id=1, AcsSessionID=npf-sjca-pdp01/195491152/2084894, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15004, Step=11005, NetworkDeviceGroups=Location#All Locations#OEAP, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=892346ab000055f20124e353, AllowedProtocolMatchedRule=Dot1X, Location=Location#All Locations#OEAP, Device Type=Device Type#All Device Types#Wireless#WLC, -Aug 6 16:41:09 
10.42.7.63 Aug 7 00:00:21 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969873 1 0 2014-08-07 00:00:21.069 -07:00 0098650386 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=171.70.35.137, Device Port=32770, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=49, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055f1fd23e353\;42SessionID=npf-sjca-pdp01/195491152/2084872\;, Called-Station-ID=002333c45b90:alpha_phone, Calling-Station-ID=0018ba78c59d, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, cisco-av-pair=audit-session-id=892346ab000055f1fd23e353, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084872, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=892346ab000055f1fd23e353, -Aug 6 16:41:10 10.34.84.145 Aug 7 00:00:22 stage-pdp01 CISE_System_Statistics 0000024615 1 0 2014-08-07 00:00:22.425 -07:00 0000287003 70011 NOTICE System-Stats: ISE Counters, ConfigVersionId=113, 
OperationCounters=Counter=4_ProbeDnsEndpointLookup:7\,4_EndpointsProfiled:6\,4_EndpointsDeleted:1\,4_ProbeRadiusEndpointsDetected:3\,4_IosSensorDhcpDetected:1\,2_PolicySet-Stage_SJCM_hotspot.Allowed_Protocol-Stage_SJCM1_DRW.Identity-Default:1\,4_EndpointsCached:2\,2_PolicySet-Stage_SJCM_Guest_Selfsponsor.Allowed_Protocol-Stage_SelfSponosr_Auth.Identity-Default:1\,4_ARPRetrieve:58\,4_EndpointsRetrievedFromOwner:2\,4_ProbeDnsEndpointsDetected:1\,9_PolicySet-Stage_SJCM_Guest_Selfsponsor.Global_Exception-Alpha_Guest_Registration:1\,2_PolicySet-Stage_SJCM_hotspot.Allowed_Protocol-Stage_SJCM1_DRW:2\,4_ProbeSnmpQueryEndpointsDetected:40\,4_ProfilerCacheHits:10\,2_PolicySet-Stage_SJCM_Guest_Selfsponsor.Allowed_Protocol-Stage_SelfSponosr_Auth:1\,8_PolicySet-Stage_SJCM_Guest_Selfsponsor:1\,4_EndpointsUpdated:58\,4_EndpointsDetected:44\,4_SnmpQueriesPerformed:2\,4_RemoteUpdate:2\,4_IosSensorHttpDetected:1\,4_ARPUpdate:2\,9_PolicySet-Stage_SJCM_hotspot.Global_Exception-SJCM-stage-drw-redirect:1\,4_ProbeDnsEndpointLookupAvert:11\,4_ARPMiss:30\,4_ARPSave:2\,4_ARPHit:28\,4_RemoteUpdateAverted:2\,8_PolicySet-Stage_SJCM_hotspot:2\,4_RadiusPacketsReceived:33\,4_LocalEndPointReads:52, -Aug 6 16:41:10 10.42.7.63 Aug 7 00:00:22 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969874 1 0 2014-08-07 00:00:22.437 -07:00 0098650459 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.149.5, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=118, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22950553e3214500007ec0\;42SessionID=npf-sjca-pdp01/195491152/2084881\;, Called-Station-ID=64-d9-89-42-23-50:alpha_phone, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22950553e3214500007ec0, 
cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084881, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0a22950553e3214500007ec0, -Aug 6 16:41:10 10.42.7.63 Aug 7 00:00:22 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969875 1 0 2014-08-07 00:00:22.767 -07:00 0098650499 12930 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first PEAP message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084638, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22950553e3222a00007ec2, -Aug 6 16:41:10 10.42.7.63 Aug 7 00:00:22 npf-sjca-pdp01 CISE_Failed_Attempts 0001969876 1 0 2014-08-07 00:00:22.767 -07:00 0098650500 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084638, SelectedAccessService=Default Network Access, FailureReason=12930 Supplicant stopped responding to ISE after sending it the first PEAP message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=12930, Step=5411, NetworkDeviceName=EXAMPLE, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=PEAP, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 
802.11, NAS-Port-Id=Capwap6, CPMSessionID=0a22950553e3222a00007ec2, EndPointMACAddress=00-23-33-41-D7-93, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=14=120000, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, -Aug 6 16:41:11 10.42.7.63 Aug 7 00:00:23 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969877 1 0 2014-08-07 00:00:23.610 -07:00 0098650501 12930 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first PEAP message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084639, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22950553e3214500007ec0, -Aug 6 16:41:11 10.42.7.63 Aug 7 00:00:23 npf-sjca-pdp01 CISE_Failed_Attempts 0001969878 1 0 2014-08-07 00:00:23.611 -07:00 0098650502 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084639, SelectedAccessService=Default Network Access, FailureReason=12930 Supplicant stopped responding to ISE after sending it the first PEAP message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=12930, Step=5411, NetworkDeviceName=EXAMPLE, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All 
Device Types#Wireless#WLC#NGWC, EapTunnel=PEAP, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap6, CPMSessionID=0a22950553e3214500007ec0, EndPointMACAddress=00-23-33-41-78-96, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=14=120000, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, +Aug 6 16:41:07 10.42.7.63 Aug 7 00:00:19 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969870 1 0 2014-08-07 00:00:19.838 -07:00 0098650301 12933 WARN Failed-Attempt: Supplicant stopped responding to ISE during EAP-FAST tunnel establishment, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084625, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22950553e3214500007ec0, +Aug 6 16:41:07 10.42.7.63 Aug 7 00:00:19 npf-sjca-pdp01 CISE_Failed_Attempts 0001969871 1 0 2014-08-07 00:00:19.838 -07:00 0098650302 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084625, SelectedAccessService=Default Network Access, FailureReason=12933 Supplicant stopped responding to ISE during EAP-FAST tunnel establishment, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, 
Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12805, Step=12806, Step=12808, Step=12810, Step=12105, Step=11006, Step=12933, Step=5411, NetworkDeviceName=WNBU_NGWC_OTA_22_SW1, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap2, CPMSessionID=0a22950553e3214500007ec0, EndPointMACAddress=00-23-33-41-78-96, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=30=120001, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, +Aug 6 16:41:08 10.42.7.63 Aug 7 00:00:20 npf-sjca-pdp01 CISE_RADIUS_Accounting 0001969872 1 0 2014-08-07 00:00:20.554 -07:00 0098650319 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=133, Device IP Address=171.70.35.137, RequestLatency=4, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=frsung, NAS-IP-Address=171.70.35.137, NAS-Port=1, Framed-IP-Address=10.33.250.89, Class=CACS:892346ab000055f20124e353:npf-sjca-pdp01/195491152/2084874, Called-Station-ID=00-26-cb-ba-90-70, Calling-Station-ID=10-68-3f-75-35-0c, NAS-Identifier=Cisco_cf:27:46, Acct-Status-Type=Start, Acct-Session-Id=53e32404/10:68:3f:75:35:0c/12262, Acct-Authentic=RADIUS, Event-Timestamp=1407394820, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, 
cisco-av-pair=audit-session-id=892346ab000055f20124e353, cisco-av-pair=dhcp-option=host-name=android-97981535d1e7a422, cisco-av-pair=dhcp-option=dhcp-class-identifier=dhcpcd-5.5.6, Airespace-Wlan-Id=1, AcsSessionID=npf-sjca-pdp01/195491152/2084894, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15004, Step=11005, NetworkDeviceGroups=Location#All Locations#OEAP, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=892346ab000055f20124e353, AllowedProtocolMatchedRule=Dot1X, Location=Location#All Locations#OEAP, Device Type=Device Type#All Device Types#Wireless#WLC, +Aug 6 16:41:09 10.42.7.63 Aug 7 00:00:21 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969873 1 0 2014-08-07 00:00:21.069 -07:00 0098650386 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=171.70.35.137, Device Port=32770, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=49, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055f1fd23e353\;42SessionID=npf-sjca-pdp01/195491152/2084872\;, Called-Station-ID=002333c45b90:alpha_phone, Calling-Station-ID=0018ba78c59d, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, cisco-av-pair=audit-session-id=892346ab000055f1fd23e353, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084872, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=892346ab000055f1fd23e353, +Aug 6 16:41:10 10.34.84.145 Aug 7 00:00:22 stage-pdp01 CISE_System_Statistics 0000024615 1 0 2014-08-07 00:00:22.425 -07:00 0000287003 70011 NOTICE System-Stats: ISE Counters, ConfigVersionId=113, 
OperationCounters=Counter=4_ProbeDnsEndpointLookup:7\,4_EndpointsProfiled:6\,4_EndpointsDeleted:1\,4_ProbeRadiusEndpointsDetected:3\,4_IosSensorDhcpDetected:1\,2_PolicySet-Stage_SJCM_hotspot.Allowed_Protocol-Stage_SJCM1_DRW.Identity-Default:1\,4_EndpointsCached:2\,2_PolicySet-Stage_SJCM_Guest_Selfsponsor.Allowed_Protocol-Stage_SelfSponosr_Auth.Identity-Default:1\,4_ARPRetrieve:58\,4_EndpointsRetrievedFromOwner:2\,4_ProbeDnsEndpointsDetected:1\,9_PolicySet-Stage_SJCM_Guest_Selfsponsor.Global_Exception-Alpha_Guest_Registration:1\,2_PolicySet-Stage_SJCM_hotspot.Allowed_Protocol-Stage_SJCM1_DRW:2\,4_ProbeSnmpQueryEndpointsDetected:40\,4_ProfilerCacheHits:10\,2_PolicySet-Stage_SJCM_Guest_Selfsponsor.Allowed_Protocol-Stage_SelfSponosr_Auth:1\,8_PolicySet-Stage_SJCM_Guest_Selfsponsor:1\,4_EndpointsUpdated:58\,4_EndpointsDetected:44\,4_SnmpQueriesPerformed:2\,4_RemoteUpdate:2\,4_IosSensorHttpDetected:1\,4_ARPUpdate:2\,9_PolicySet-Stage_SJCM_hotspot.Global_Exception-SJCM-stage-drw-redirect:1\,4_ProbeDnsEndpointLookupAvert:11\,4_ARPMiss:30\,4_ARPSave:2\,4_ARPHit:28\,4_RemoteUpdateAverted:2\,8_PolicySet-Stage_SJCM_hotspot:2\,4_RadiusPacketsReceived:33\,4_LocalEndPointReads:52, 
+Aug 6 16:41:10 10.42.7.63 Aug 7 00:00:22 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969874 1 0 2014-08-07 00:00:22.437 -07:00 0098650459 12117 WARN EAP: EAP-FAST inner method finished with failure, ConfigVersionId=133, Device IP Address=10.34.149.5, Device Port=1645, DestinationIPAddress=10.42.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=118, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22950553e3214500007ec0\;42SessionID=npf-sjca-pdp01/195491152/2084881\;, Called-Station-ID=64-d9-89-42-23-50:alpha_phone, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22950553e3214500007ec0, 
cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, AcsSessionID=npf-sjca-pdp01/195491152/2084881, SelectedAccessService=Default Network Access, DetailedInfo=Invalid username or password specified\, Retry is allowed, EapTunnel=EAP-FAST, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0a22950553e3214500007ec0, 
+Aug 6 16:41:10 10.42.7.63 Aug 7 00:00:22 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969875 1 0 2014-08-07 00:00:22.767 -07:00 0098650499 12930 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first PEAP message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084638, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-D7-93, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22950553e3222a00007ec2, 
+Aug 6 16:41:10 10.42.7.63 Aug 7 00:00:22 npf-sjca-pdp01 CISE_Failed_Attempts 0001969876 1 0 2014-08-07 00:00:22.767 -07:00 0098650500 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084638, SelectedAccessService=Default Network Access, FailureReason=12930 Supplicant stopped responding to ISE after sending it the first PEAP message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=12930, Step=5411, NetworkDeviceName=WNBU_NGWC_OTA_22_SW1, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=PEAP, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-D7-93, 
NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap6, CPMSessionID=0a22950553e3222a00007ec2, EndPointMACAddress=00-23-33-41-D7-93, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=14=120000, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, 
+Aug 6 16:41:11 10.42.7.63 Aug 7 00:00:23 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969877 1 0 2014-08-07 00:00:23.610 -07:00 0098650501 12930 WARN Failed-Attempt: Supplicant stopped responding to ISE after sending it the first PEAP message, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084639, SelectedAccessService=Default Network Access, EapTunnel=PEAP, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22950553e3214500007ec0, 
+Aug 6 16:41:11 10.42.7.63 Aug 7 00:00:23 npf-sjca-pdp01 CISE_Failed_Attempts 0001969878 1 0 2014-08-07 00:00:23.611 -07:00 0098650502 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.149.5, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084639, SelectedAccessService=Default Network Access, FailureReason=12930 Supplicant stopped responding to ISE after sending it the first PEAP message, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=12930, Step=5411, NetworkDeviceName=WNBU_NGWC_OTA_22_SW1, NetworkDeviceGroups=Location#All 
Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=PEAP, User-Name=anonymous, NAS-IP-Address=10.34.149.5, NAS-Port=60000, Calling-Station-ID=00-23-33-41-78-96, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap6, CPMSessionID=0a22950553e3214500007ec0, EndPointMACAddress=00-23-33-41-78-96, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=14=120000, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, Aug 6 16:41:12 10.42.7.63 Aug 7 00:00:24 npf-sjca-pdp01 CISE_Passed_Authentications 0001969879 1 0 2014-08-07 00:00:24.156 -07:00 0098650623 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=johblum, Protocol=Radius, RequestLatency=26, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000052ebd5d4e253\;42SessionID=npf-sjca-pdp01/195491152/2084897\;, Called-Station-ID=0019078cd910:alpha_phone, Calling-Station-ID=001bd4582830, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= Aug 6 16:41:12 10.42.7.63 Aug 7 00:00:24 npf-sjca-pdp01 CISE_RADIUS_Accounting 0001969880 1 0 2014-08-07 00:00:24.301 -07:00 0098650630 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=133, Device IP Address=171.70.35.137, RequestLatency=3, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=johblum, NAS-IP-Address=171.70.35.137, 
NAS-Port=1, Framed-IP-Address=10.33.118.252, Class=CACS:892346ab000052ebd5d4e253:npf-sjca-pdp01/195491152/2084897, Called-Station-ID=00-19-07-8c-d9-10, Calling-Station-ID=00-1b-d4-58-28-30, NAS-Identifier=Cisco_cf:27:46, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=0, Acct-Output-Octets=0, Acct-Session-Id=53e2d551/00:1b:d4:58:28:30/11778, Acct-Authentic=RADIUS, Acct-Session-Time=20152, Acct-Input-Packets=0, Acct-Output-Packets=0, undefined-52= 
-Aug 6 16:41:18 10.42.8.44 Aug 7 00:00:30 npf-sjca-mnt02 CISE_System_Statistics 0000008867 1 0 2014-08-07 00:00:30.082 -07:00 0000010361 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=133, SysStatsUtilizationCpu=0.60%, SysStatsUtilizationNetwork=eth0: rcvd = 1011100\; sent = 152992 \;rcvd_dropped = 0\; sent_dropped = 0, SysStatsUtilizationMemory=23.89%, SysStatsUtilizationDiskIO=0.08%, SysStatsUtilizationDiskSpace=26% /, SysStatsUtilizationDiskSpace=10% /boot, SysStatsUtilizationDiskSpace=2% /localdisk, SysStatsUtilizationDiskSpace=7% /storedconfig, SysStatsUtilizationDiskSpace=2% /tmp, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.03, SysStatsCpuCount=8, SysStatsProcessMemoryMB=7577, 
-Aug 6 16:41:18 10.42.8.44 Aug 7 00:00:30 npf-sjca-mnt02 CISE_System_Statistics 0000008868 1 0 2014-08-07 00:00:30.082 -07:00 0000010362 70001 NOTICE System-Stats: ISE Process Health, ConfigVersionId=133, SysStatsAcsProcessHealth= Database Listener=running\, PID: 17778\; Database Server=running\, number of processes: 32\; Application Server=running\, PID: 32590\; Profiler Database=running\, PID: 20960\; AD Connector=running\, PID: 4474\; M&T Session Database=running\, PID: 29722\; M&T Log Collector=running\, PID: 29819\; M&T Log Processor=running\, PID: 29866\; Certificate Authority Service=disabled\; pxGrid Infrastructure Service=disabled\; pxGrid Publisher Subscriber Service=disabled\; pxGrid Connection 
Manager=disabled\; pxGrid Controller=disabled\; Identity Mapping Service=disabled, +Aug 6 16:41:18 10.42.8.44 Aug 7 00:00:30 npf-sjca-mnt02 CISE_System_Statistics 0000008867 1 0 2014-08-07 00:00:30.082 -07:00 0000010361 70000 NOTICE System-Stats: ISE Utilization, ConfigVersionId=133, SysStatsUtilizationCpu=0.60%, SysStatsUtilizationNetwork=eth0: rcvd = 1011100\; sent = 152992 \;rcvd_dropped = 0\; sent_dropped = 0, SysStatsUtilizationMemory=23.89%, SysStatsUtilizationDiskIO=0.08%, SysStatsUtilizationDiskSpace=26% /, SysStatsUtilizationDiskSpace=10% /boot, SysStatsUtilizationDiskSpace=2% /localdisk, SysStatsUtilizationDiskSpace=7% /storedconfig, SysStatsUtilizationDiskSpace=2% /tmp, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, SysStatsUtilizationLoadAvg=0.03, SysStatsCpuCount=8, SysStatsProcessMemoryMB=7577, +Aug 6 16:41:18 10.42.8.44 Aug 7 00:00:30 npf-sjca-mnt02 CISE_System_Statistics 0000008868 1 0 2014-08-07 00:00:30.082 -07:00 0000010362 70001 NOTICE System-Stats: ISE Process Health, ConfigVersionId=133, SysStatsAcsProcessHealth= Database Listener=running\, PID: 17778\; Database Server=running\, number of processes: 32\; Application Server=running\, PID: 32590\; Profiler Database=running\, PID: 20960\; AD Connector=running\, PID: 4474\; M&T Session Database=running\, PID: 29722\; M&T Log Collector=running\, PID: 29819\; M&T Log Processor=running\, PID: 29866\; Certificate Authority Service=disabled\; pxGrid Infrastructure Service=disabled\; pxGrid Publisher Subscriber Service=disabled\; pxGrid Connection Manager=disabled\; pxGrid Controller=disabled\; Identity Mapping Service=disabled, Aug 6 16:41:20 10.42.7.63 Aug 7 00:00:32 npf-sjca-pdp01 CISE_RADIUS_Accounting 0001969881 1 0 2014-08-07 00:00:32.134 -07:00 0098650656 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=133, Device IP Address=171.70.35.137, RequestLatency=4, 
NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=host/LLIM-WS01.cisco.com, NAS-IP-Address=171.70.35.137, NAS-Port=1, Framed-IP-Address=10.33.248.215, Class=CACS:892346ab0000545b1bfae253:npf-sjca-pdp01/195491152/2081660, Called-Station-ID=00-26-cb-ba-9c-60, Calling-Station-ID=24-77-03-e0-98-7c, NAS-Identifier=Cisco_cf:27:46, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=0, Acct-Output-Octets=0, Acct-Session-Id=53e2fa1d/24:77:03:e0:98:7c/12012, Acct-Authentic=RADIUS, Acct-Session-Time=10739, Acct-Input-Packets=0, Acct-Output-Packets=0, Acct-Terminate-Cause=Service Unavailable, undefined-52= Aug 6 16:41:21 10.42.7.63 Aug 7 00:00:33 npf-sjca-pdp01 CISE_Passed_Authentications 0001969882 1 0 2014-08-07 00:00:33.184 -07:00 0098650829 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=johblum, Protocol=Radius, RequestLatency=22, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000052ebd5d4e253\;42SessionID=npf-sjca-pdp01/195491152/2084909\;, Called-Station-ID=0019078cd910:alpha_phone, Calling-Station-ID=001bd4582830, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= Aug 6 16:41:21 10.42.7.63 Aug 7 00:00:33 npf-sjca-pdp01 CISE_RADIUS_Accounting 0001969883 1 0 2014-08-07 00:00:33.334 -07:00 0098650887 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=133, Device IP Address=171.70.35.137, RequestLatency=2, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=johblum, NAS-IP-Address=171.70.35.137, NAS-Port=1, Framed-IP-Address=10.33.118.252, Class=CACS:892346ab000052ebd5d4e253:npf-sjca-pdp01/195491152/2084909, 
Called-Station-ID=00-19-07-8c-d9-10, Calling-Station-ID=00-1b-d4-58-28-30, NAS-Identifier=Cisco_cf:27:46, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=0, Acct-Output-Octets=0, Acct-Session-Id=53e2d551/00:1b:d4:58:28:30/11778, Acct-Authentic=RADIUS, Acct-Session-Time=20161, Acct-Input-Packets=0, Acct-Output-Packets=0, undefined-52= Aug 6 16:41:21 10.42.7.63 Aug 7 00:00:33 npf-sjca-pdp01 CISE_Passed_Authentications 0001969884 1 0 2014-08-07 00:00:33.361 -07:00 0098650913 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=szcheng, Protocol=Radius, RequestLatency=20, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055f31024e353\;42SessionID=npf-sjca-pdp01/195491152/2084910\;, Called-Station-ID=0023045b19a0:alpha, Calling-Station-ID=28cfe9131749, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= -Aug 6 16:41:22 10.42.7.63 Aug 7 00:00:34 npf-sjca-pdp01 CISE_RADIUS_Accounting 0001969885 1 0 2014-08-07 00:00:34.819 -07:00 0098650920 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=133, Device IP Address=171.70.35.137, RequestLatency=4, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=szcheng, NAS-IP-Address=171.70.35.137, NAS-Port=1, Framed-IP-Address=10.33.250.43, Class=CACS:892346ab000055f31024e353:npf-sjca-pdp01/195491152/2084910, Called-Station-ID=00-23-04-5b-19-a0, Calling-Station-ID=28-cf-e9-13-17-49, NAS-Identifier=Cisco_cf:27:46, Acct-Status-Type=Start, Acct-Session-Id=53e32412/28:cf:e9:13:17:49/12263, Acct-Authentic=RADIUS, Event-Timestamp=1407394834, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, 
Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, cisco-av-pair=audit-session-id=892346ab000055f31024e353, cisco-av-pair=dhcp-option=host-name=EXAMPLE, Airespace-Wlan-Id=1, AcsSessionID=npf-sjca-pdp01/195491152/2084912, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15004, Step=11005, NetworkDeviceGroups=Location#All Locations#OEAP, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=892346ab000055f31024e353, AllowedProtocolMatchedRule=Dot1X, Location=Location#All Locations#OEAP, Device Type=Device Type#All Device Types#Wireless#WLC, 
+Aug 6 16:41:22 10.42.7.63 Aug 7 00:00:34 npf-sjca-pdp01 CISE_RADIUS_Accounting 0001969885 1 0 2014-08-07 00:00:34.819 -07:00 0098650920 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=133, Device IP Address=171.70.35.137, RequestLatency=4, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=szcheng, NAS-IP-Address=171.70.35.137, NAS-Port=1, Framed-IP-Address=10.33.250.43, Class=CACS:892346ab000055f31024e353:npf-sjca-pdp01/195491152/2084910, Called-Station-ID=00-23-04-5b-19-a0, Calling-Station-ID=28-cf-e9-13-17-49, NAS-Identifier=Cisco_cf:27:46, Acct-Status-Type=Start, Acct-Session-Id=53e32412/28:cf:e9:13:17:49/12263, Acct-Authentic=RADIUS, Event-Timestamp=1407394834, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, cisco-av-pair=audit-session-id=892346ab000055f31024e353, cisco-av-pair=dhcp-option=host-name=SZCHENG-M-802B, Airespace-Wlan-Id=1, AcsSessionID=npf-sjca-pdp01/195491152/2084912, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15004, Step=11005, NetworkDeviceGroups=Location#All Locations#OEAP, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, CPMSessionID=892346ab000055f31024e353, AllowedProtocolMatchedRule=Dot1X, Location=Location#All Locations#OEAP, 
Device Type=Device Type#All Device Types#Wireless#WLC, Aug 6 16:41:23 10.42.7.63 Aug 7 00:00:35 npf-sjca-pdp01 CISE_Passed_Authentications 0001969886 1 0 2014-08-07 00:00:35.235 -07:00 0098650949 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-D2-15, Protocol=Radius, RequestLatency=50, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6d215, NAS-IP-Address=10.34.75.4, NAS-Port=50243, Service-Type=Call Check, Framed-IP-Address=10.34.75.10, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AA, Calling-Station-ID=BC-30-5B-E6-D2-15, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/43, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AEF7C76C05C4, OriginalUserName=bc305be6d215, AcsSessionID=npf-sjca-pdp01/195491152/2084913, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AEF7C76C05C4, EndPointMACAddress=BC-30-5B-E6-D2-15, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, 
AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:D2:15; User-Name=BC-30-5B-E6-D2-15; State=ReauthSession:0A2250250007AEF7C76C05C4; Class=CACS:0A2250250007AEF7C76C05C4:npf-sjca-pdp01/195491152/2084913; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AEF7C76C05C4&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=938f355367542944a24ffc4fe026550d; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, 
-Aug 6 16:41:23 10.42.7.63 Aug 7 00:00:35 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969887 1 0 2014-08-07 00:00:35.342 -07:00 0098650950 12933 WARN Failed-Attempt: Supplicant stopped responding to ISE during EAP-FAST tunnel establishment, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084656, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22964453e324d700000d64, 
-Aug 6 16:41:23 10.42.7.63 Aug 7 00:00:35 npf-sjca-pdp01 
CISE_Failed_Attempts 0001969888 1 0 2014-08-07 00:00:35.342 -07:00 0098650951 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084656, SelectedAccessService=Default Network Access, FailureReason=12933 Supplicant stopped responding to ISE during EAP-FAST tunnel establishment, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12175, Step=12805, Step=12806, Step=12801, Step=12802, Step=12105, Step=11006, Step=12933, Step=5411, NetworkDeviceName=EXAMPLE, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap7, CPMSessionID=0a22964453e324d700000d64, EndPointMACAddress=00-23-33-41-60-52, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=31=120001, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, 
-Aug 6 16:41:23 10.42.7.63 Aug 7 00:00:35 npf-sjca-pdp01 CISE_Failed_Attempts 0001969889 1 0 2014-08-07 00:00:35.877 -07:00 0098650952 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, 
DestinationIPAddress=10.42.7.63, UserName=pnirala, AcsSessionID=npf-sjca-pdp01/195491152/2084657, AuthenticationIdentityStore=CiscoAD, AuthenticationMethod=PAP_ASCII, SelectedAccessService=Default Network Access, FailureReason=24408 User authentication against Active Directory failed since user has entered the wrong password, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12175, Step=12805, Step=12806, Step=12801, Step=12802, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12804, Step=12816, Step=12132, Step=12209, Step=12218, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12220, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12607, Step=12606, Step=12611, Step=15041, Step=15006, Step=22072, Step=15013, Step=12606, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12610, Step=15041, Step=15004, Step=15006, Step=22072, Step=15013, Step=24430, Step=24325, Step=24313, Step=24319, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24323, Step=24344, Step=24408, Step=22057, Step=22061, Step=12610, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12610, Step=12853, Step=11520, Step=12117, Step=22028, Step=12965, Step=12105, Step=11006, Step=5411, SelectedAuthenticationIdentityStores=CiscoAD, SelectedAuthenticationIdentityStores=Internal Endpoints, SelectedAuthenticationIdentityStores=Internal Users, SelectedAuthenticationIdentityStores=Guest Users, NetworkDeviceName=EXAMPLE, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, 
User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap7, CPMSessionID=0a22964453e324d700000d64, EndPointMACAddress=00-23-33-41-60-52, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, IdentitySelectionMatchedRule=Default, StepLatency=105=120000, AD-Domain=cisco.com, AD-User-Candidate-Identities=pnirala@cisco.com, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, StepData=59=EAP_TLS_BYOD, StepData=60=CiscoAD, StepData=69=Default, StepData=71=EAP_TLS_BYOD, StepData=72=CiscoAD, StepData=73=CiscoAD, StepData=74=pnirala, StepData=75=cisco.com, StepData=76=cisco.com, StepData=77=icm.cisco.com\,Domain trust direction is one-way, StepData=78=sea-alpha.cisco.com\,Domain trust direction is one-way, StepData=79=partnet.cisco.com\,Domain trust direction is one-way, StepData=80=IL.NDS.COM\,Domain trust direction is one-way, StepData=81=UK.NDS.COM\,Domain trust direction is one-way, StepData=82=SN.local\,Domain trust direction is one-way, StepData=83=webex.local\,Domain trust direction is one-way, StepData=84=in.nds.com\,Domain trust direction is one-way, StepData=85=US.NDS.COM\,Domain trust direction is one-way, StepData=87=STATUS_WRONG_PASSWORD\,ERROR_INVALID_PASSWORD\,pnirala@cisco.com, StepData=88=CiscoAD, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, 
-Aug 6 16:41:24 10.34.84.145 Aug 7 00:00:36 stage-pdp01 CISE_Failed_Attempts 0000024616 1 0 2014-08-07 00:00:36.332 -07:00 0000287007 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, 
User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19317, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, 
-Aug 6 16:41:26 10.34.84.145 Aug 7 00:00:38 stage-pdp01 CISE_Failed_Attempts 0000024617 1 0 2014-08-07 00:00:38.336 -07:00 0000287011 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19318, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, 
-Aug 6 16:41:28 10.34.84.145 Aug 7 00:00:40 stage-pdp01 CISE_Failed_Attempts 0000024618 1 0 2014-08-07 00:00:40.336 -07:00 0000287015 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19319, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, 
-Aug 6 16:41:30 10.34.84.145 Aug 7 00:00:42 stage-pdp01 CISE_Failed_Attempts 0000024619 1 0 2014-08-07 00:00:42.340 -07:00 0000287019 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19320, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, 
Step=11017, Step=11007, Step=5405, 
+Aug 6 16:41:23 10.42.7.63 Aug 7 00:00:35 npf-sjca-pdp01 CISE_RADIUS_Diagnostics 0001969887 1 0 2014-08-07 00:00:35.342 -07:00 0098650950 12933 WARN Failed-Attempt: Supplicant stopped responding to ISE during EAP-FAST tunnel establishment, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, AcsSessionID=npf-sjca-pdp01/195491152/2084656, SelectedAccessService=Default Network Access, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, CPMSessionID=0a22964453e324d700000d64, 
+Aug 6 16:41:23 10.42.7.63 Aug 7 00:00:35 npf-sjca-pdp01 CISE_Failed_Attempts 0001969888 1 0 2014-08-07 00:00:35.342 -07:00 0098650951 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, UserName=anonymous, AcsSessionID=npf-sjca-pdp01/195491152/2084656, SelectedAccessService=Default Network Access, FailureReason=12933 Supplicant stopped responding to ISE during EAP-FAST tunnel establishment, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12175, Step=12805, Step=12806, Step=12801, Step=12802, Step=12105, Step=11006, Step=12933, Step=5411, NetworkDeviceName=WNBU_NGWC_OTA_KATANA1, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap7, CPMSessionID=0a22964453e324d700000d64, 
EndPointMACAddress=00-23-33-41-60-52, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, StepLatency=31=120001, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, 
+Aug 6 16:41:23 10.42.7.63 Aug 7 00:00:35 npf-sjca-pdp01 CISE_Failed_Attempts 0001969889 1 0 2014-08-07 00:00:35.877 -07:00 0098650952 5411 NOTICE Failed-Attempt: Supplicant stopped responding to ISE, ConfigVersionId=133, RadiusPacketType=Drop, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, UserName=pnirala, AcsSessionID=npf-sjca-pdp01/195491152/2084657, AuthenticationIdentityStore=CiscoAD, AuthenticationMethod=PAP_ASCII, SelectedAccessService=Default Network Access, FailureReason=24408 User authentication against Active Directory failed since user has entered the wrong password, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12175, Step=12805, Step=12806, Step=12801, Step=12802, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12804, Step=12816, Step=12132, Step=12209, Step=12218, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12220, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12607, Step=12606, Step=12611, Step=15041, Step=15006, Step=22072, Step=15013, Step=12606, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12610, Step=15041, Step=15004, Step=15006, Step=22072, Step=15013, Step=24430, Step=24325, 
Step=24313, Step=24319, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24323, Step=24344, Step=24408, Step=22057, Step=22061, Step=12610, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12610, Step=12853, Step=11520, Step=12117, Step=22028, Step=12965, Step=12105, Step=11006, Step=5411, SelectedAuthenticationIdentityStores=CiscoAD, SelectedAuthenticationIdentityStores=Internal Endpoints, SelectedAuthenticationIdentityStores=Internal Users, SelectedAuthenticationIdentityStores=Guest Users, NetworkDeviceName=WNBU_NGWC_OTA_KATANA1, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, User-Name=anonymous, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap7, CPMSessionID=0a22964453e324d700000d64, EndPointMACAddress=00-23-33-41-60-52, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, IdentitySelectionMatchedRule=Default, StepLatency=105=120000, AD-Domain=cisco.com, AD-User-Candidate-Identities=pnirala@cisco.com, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, StepData=59=EAP_TLS_BYOD, StepData=60=CiscoAD, StepData=69=Default, StepData=71=EAP_TLS_BYOD, StepData=72=CiscoAD, StepData=73=CiscoAD, StepData=74=pnirala, StepData=75=cisco.com, StepData=76=cisco.com, StepData=77=icm.cisco.com\,Domain trust direction is one-way, StepData=78=sea-alpha.cisco.com\,Domain trust direction is one-way, StepData=79=partnet.cisco.com\,Domain trust direction is one-way, StepData=80=IL.NDS.COM\,Domain trust direction is one-way, StepData=81=UK.NDS.COM\,Domain trust direction is 
one-way, StepData=82=SN.local\,Domain trust direction is one-way, StepData=83=webex.local\,Domain trust direction is one-way, StepData=84=in.nds.com\,Domain trust direction is one-way, StepData=85=US.NDS.COM\,Domain trust direction is one-way, StepData=87=STATUS_WRONG_PASSWORD\,ERROR_INVALID_PASSWORD\,pnirala@cisco.com, StepData=88=CiscoAD, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, +Aug 6 16:41:24 10.34.84.145 Aug 7 00:00:36 stage-pdp01 CISE_Failed_Attempts 0000024616 1 0 2014-08-07 00:00:36.332 -07:00 0000287007 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19317, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:41:26 10.34.84.145 Aug 7 00:00:38 stage-pdp01 CISE_Failed_Attempts 0000024617 1 0 2014-08-07 00:00:38.336 -07:00 0000287011 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19318, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:41:28 10.34.84.145 Aug 7 00:00:40 stage-pdp01 CISE_Failed_Attempts 0000024618 1 0 2014-08-07 00:00:40.336 -07:00 0000287015 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, 
NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19319, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:41:30 10.34.84.145 Aug 7 00:00:42 stage-pdp01 CISE_Failed_Attempts 0000024619 1 0 2014-08-07 00:00:42.340 -07:00 0000287019 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19320, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, Aug 6 16:41:30 10.42.7.63 Aug 7 00:00:42 npf-sjca-pdp01 CISE_Passed_Authentications 0001969890 1 0 2014-08-07 00:00:42.926 -07:00 0098651095 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=kelai, Protocol=Radius, RequestLatency=27, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=kelai, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab0000551cab0ce353\;42SessionID=npf-sjca-pdp01/195491152/2084922\;, Called-Station-ID=0015c7aa45c0:alpha, Calling-Station-ID=5c0a5ba8a9c7, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= Aug 6 16:41:31 10.42.7.63 Aug 7 00:00:43 npf-sjca-pdp01 CISE_RADIUS_Accounting 0001969891 1 0 2014-08-07 00:00:43.000 -07:00 0098651102 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=133, Device IP Address=171.70.35.137, RequestLatency=3, 
NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=kelai, NAS-IP-Address=171.70.35.137, NAS-Port=1, Framed-IP-Address=10.33.249.111, Class=CACS:892346ab0000551cab0ce353:npf-sjca-pdp01/195491152/2084922, Called-Station-ID=00-15-c7-aa-45-c0, Calling-Station-ID=5c-0a-5b-a8-a9-c7, NAS-Identifier=Cisco_cf:27:46, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=0, Acct-Output-Octets=0, Acct-Session-Id=53e30cad/5c:0a:5b:a8:a9:c7/12129, Acct-Authentic=RADIUS, Acct-Session-Time=5998, Acct-Input-Packets=0, Acct-Output-Packets=0, undefined-52= -Aug 6 16:41:32 10.34.84.145 Aug 7 00:00:44 stage-pdp01 CISE_Failed_Attempts 0000024620 1 0 2014-08-07 00:00:44.340 -07:00 0000287023 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19321, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:41:34 10.34.84.145 Aug 7 00:00:46 stage-pdp01 CISE_Failed_Attempts 0000024621 1 0 2014-08-07 00:00:46.344 -07:00 0000287027 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19322, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, -Aug 6 16:40:48 10.42.7.64 Aug 7 00:00:00 npf-sjca-pdp02 CISE_Passed_Authentications 0000370852 1 0 2014-08-07 00:00:00.581 -07:00 0011266563 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP 
Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=maswank, Protocol=Radius, RequestLatency=63, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdef53e323ef\;41SessionID=npf-sjca-pdp02/195481465/270930\;, Called-Station-ID=a4-56-30-0f-78-80:alpha_example, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= +Aug 6 16:41:32 10.34.84.145 Aug 7 00:00:44 stage-pdp01 CISE_Failed_Attempts 0000024620 1 0 2014-08-07 00:00:44.340 -07:00 0000287023 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19321, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:41:34 10.34.84.145 Aug 7 00:00:46 stage-pdp01 CISE_Failed_Attempts 0000024621 1 0 2014-08-07 00:00:46.344 -07:00 0000287027 5405 NOTICE Failed-Attempt: RADIUS Request dropped, ConfigVersionId=113, Device IP Address=172.23.91.132, Device Port=32769, DestinationIPAddress=10.34.84.145, DestinationPort=1812, Protocol=Radius, User-Name=test, NAS-IP-Address=192.168.30.11, Service-Type=NAS Prompt, NAS-Identifier=Cisco_1b:e0:84, AcsSessionID=stage-pdp01/196593288/19322, FailureReason=11007 Could not locate Network Device or AAA Client, Step=11001, Step=11017, Step=11007, Step=5405, +Aug 6 16:40:48 10.42.7.64 Aug 7 00:00:00 npf-sjca-pdp02 CISE_Passed_Authentications 0000370852 1 0 2014-08-07 00:00:00.581 -07:00 0011266563 5200 NOTICE Passed-Authentication: 
Authentication succeeded, ConfigVersionId=240, Device IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=maswank, Protocol=Radius, RequestLatency=63, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdef53e323ef\;41SessionID=npf-sjca-pdp02/195481465/270930\;, Called-Station-ID=a4-56-30-0f-78-80:alpha_byod, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= Aug 6 16:40:52 10.42.7.63 Aug 7 00:00:04 npf-sjca-pdp01 CISE_Passed_Authentications 0001969823 1 0 2014-08-07 00:00:04.338 -07:00 0098648223 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-D2-15, Protocol=Radius, RequestLatency=58, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6d215, NAS-IP-Address=10.34.75.4, NAS-Port=50243, Service-Type=Call Check, Framed-IP-Address=10.34.75.10, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AA, Calling-Station-ID=BC-30-5B-E6-D2-15, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/43, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AEF6C76B9093, OriginalUserName=bc305be6d215, AcsSessionID=npf-sjca-pdp01/195491152/2084825, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, 
Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AEF6C76B9093, EndPointMACAddress=BC-30-5B-E6-D2-15, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:D2:15; User-Name=BC-30-5B-E6-D2-15; State=ReauthSession:0A2250250007AEF6C76B9093; Class=CACS:0A2250250007AEF6C76B9093:npf-sjca-pdp01/195491152/2084825; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AEF6C76B9093&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=47ab1ee8a5eeb1d37d3194083abfeaa4; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, -Aug 6 16:40:59 10.42.7.64 Aug 7 00:00:11 npf-sjca-pdp02 CISE_Passed_Authentications 0000370856 1 0 2014-08-07 
00:00:11.093 -07:00 0011266671 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=maswank, Protocol=Radius, RequestLatency=43, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdef53e323ef\;41SessionID=npf-sjca-pdp02/195481465/270933\;, Called-Station-ID=a4-56-30-0f-78-80:alpha_example, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= +Aug 6 16:40:59 10.42.7.64 Aug 7 00:00:11 npf-sjca-pdp02 CISE_Passed_Authentications 0000370856 1 0 2014-08-07 00:00:11.093 -07:00 0011266671 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=maswank, Protocol=Radius, RequestLatency=43, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdef53e323ef\;41SessionID=npf-sjca-pdp02/195481465/270933\;, Called-Station-ID=a4-56-30-0f-78-80:alpha_byod, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= Aug 6 16:41:06 10.42.7.63 Aug 7 00:00:18 npf-sjca-pdp01 CISE_Passed_Authentications 0001969861 1 0 2014-08-07 00:00:18.392 -07:00 0098650111 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=mkrummen, Protocol=Radius, RequestLatency=30, 
NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000054f03809e353\;42SessionID=npf-sjca-pdp01/195491152/2084875\;, Called-Station-ID=0024c48d6e40:alpha_phone, Calling-Station-ID=001f9e8b6c9f, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= Aug 6 16:41:06 10.42.7.63 Aug 7 00:00:18 npf-sjca-pdp01 CISE_Passed_Authentications 0001969863 1 0 2014-08-07 00:00:18.485 -07:00 0098650153 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=frsung, Protocol=Radius, RequestLatency=26, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=frsung, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055f20124e353\;42SessionID=npf-sjca-pdp01/195491152/2084874\;, Called-Station-ID=0026cbba9070:alpha, Calling-Station-ID=10683f75350c, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= Aug 6 16:41:12 10.42.7.63 Aug 7 00:00:24 npf-sjca-pdp01 CISE_Passed_Authentications 0001969879 1 0 2014-08-07 00:00:24.156 -07:00 0098650623 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=johblum, Protocol=Radius, RequestLatency=26, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000052ebd5d4e253\;42SessionID=npf-sjca-pdp01/195491152/2084897\;, 
Called-Station-ID=0019078cd910:alpha_phone, Calling-Station-ID=001bd4582830, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= 
@@ -217,7 +217,7 @@ Aug 6 16:41:21 10.42.7.63 Aug 7 00:00:33 npf-sjca-pdp01 CISE_Passed_Authentica Aug 6 16:41:23 10.42.7.63 Aug 7 00:00:35 npf-sjca-pdp01 CISE_Passed_Authentications 0001969886 1 0 2014-08-07 00:00:35.235 -07:00 0098650949 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-D2-15, Protocol=Radius, RequestLatency=50, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6d215, NAS-IP-Address=10.34.75.4, NAS-Port=50243, Service-Type=Call Check, Framed-IP-Address=10.34.75.10, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AA, Calling-Station-ID=BC-30-5B-E6-D2-15, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/43, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AEF7C76C05C4, OriginalUserName=bc305be6d215, AcsSessionID=npf-sjca-pdp01/195491152/2084913, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AEF7C76C05C4, EndPointMACAddress=BC-30-5B-E6-D2-15, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, 
ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:D2:15; User-Name=BC-30-5B-E6-D2-15; State=ReauthSession:0A2250250007AEF7C76C05C4; Class=CACS:0A2250250007AEF7C76C05C4:npf-sjca-pdp01/195491152/2084913; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AEF7C76C05C4&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=938f355367542944a24ffc4fe026550d; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, Aug 6 16:41:30 10.42.7.63 Aug 7 00:00:42 npf-sjca-pdp01 CISE_Passed_Authentications 0001969890 1 0 2014-08-07 00:00:42.926 -07:00 0098651095 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=kelai, Protocol=Radius, RequestLatency=27, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=kelai, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab0000551cab0ce353\;42SessionID=npf-sjca-pdp01/195491152/2084922\;, Called-Station-ID=0015c7aa45c0:alpha, 
Calling-Station-ID=5c0a5ba8a9c7, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= Aug 6 16:41:36 10.42.7.63 Aug 7 00:00:48 npf-sjca-pdp01 CISE_Passed_Authentications 0001969892 1 0 2014-08-07 00:00:48.027 -07:00 0098651227 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=belkhati, Protocol=Radius, RequestLatency=23, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055977018e353\;42SessionID=npf-sjca-pdp01/195491152/2084925\;, Called-Station-ID=00270d5fe0f0:alpha_phone, Calling-Station-ID=00233341f6f6, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= -Aug 6 16:41:43 10.42.7.64 Aug 7 00:00:55 npf-sjca-pdp02 CISE_Passed_Authentications 0000370859 1 0 2014-08-07 00:00:55.611 -07:00 0011266780 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=hslai, Protocol=Radius, RequestLatency=72, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=hslai, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdf053e32427\;41SessionID=npf-sjca-pdp02/195481465/270936\;, Called-Station-ID=a4-56-30-0e-44-70:alpha_example, Calling-Station-ID=24-a2-e1-3b-4b-cb, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= +Aug 6 16:41:43 10.42.7.64 Aug 7 00:00:55 npf-sjca-pdp02 
CISE_Passed_Authentications 0000370859 1 0 2014-08-07 00:00:55.611 -07:00 0011266780 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=hslai, Protocol=Radius, RequestLatency=72, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=hslai, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdf053e32427\;41SessionID=npf-sjca-pdp02/195481465/270936\;, Called-Station-ID=a4-56-30-0e-44-70:alpha_byod, Calling-Station-ID=24-a2-e1-3b-4b-cb, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= Aug 6 16:41:45 10.42.7.63 Aug 7 00:00:57 npf-sjca-pdp01 CISE_Passed_Authentications 0001969899 1 0 2014-08-07 00:00:57.211 -07:00 0098651525 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=johblum, Protocol=Radius, RequestLatency=82, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000052ebd5d4e253\;42SessionID=npf-sjca-pdp01/195491152/2084939\;, Called-Station-ID=0019078cd910:alpha_phone, Calling-Station-ID=001bd4582830, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= Aug 6 16:41:45 10.42.7.63 Aug 7 00:00:57 npf-sjca-pdp01 CISE_Passed_Authentications 0001969903 1 0 2014-08-07 00:00:57.771 -07:00 0098651691 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-BE-F6, 
Protocol=Radius, RequestLatency=56, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6bef6, NAS-IP-Address=10.34.75.4, NAS-Port=50244, Service-Type=Call Check, Framed-IP-Address=10.34.75.9, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AB, Calling-Station-ID=BC-30-5B-E6-BE-F6, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/44, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AEF9C76C61C8, OriginalUserName=bc305be6bef6, AcsSessionID=npf-sjca-pdp01/195491152/2084943, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AEF9C76C61C8, EndPointMACAddress=BC-30-5B-E6-BE-F6, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= 
EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:BE:F6; User-Name=BC-30-5B-E6-BE-F6; State=ReauthSession:0A2250250007AEF9C76C61C8; Class=CACS:0A2250250007AEF9C76C61C8:npf-sjca-pdp01/195491152/2084943; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AEF9C76C61C8&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=6b21ab7d3cb8bacfb4f0ef9b3b23b06d; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, Aug 6 16:41:50 10.42.7.63 Aug 7 00:01:02 npf-sjca-pdp01 CISE_Passed_Authentications 0001969914 1 0 2014-08-07 00:01:02.919 -07:00 0098652398 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=shpoon, Protocol=Radius, RequestLatency=35, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab0000556efe14e353\;42SessionID=npf-sjca-pdp01/195491152/2084951\;, Called-Station-ID=0023045b1920:alpha_phone, Calling-Station-ID=0024975b4a91, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= 
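Review bot: The added record in this hunk changes `Called-Station-ID=a4-56-30-0e-44-70:alpha_example` to `...:alpha_byod`, which reads like a sanitised placeholder being swapped for a live SSID name in a committed sample log. The context records around it also carry what appear to be real account names, endpoint MAC addresses, internal hostnames and a `url-redirect=...&token=...` portal link, so the fixture looks like captured ISE/RADIUS output rather than constructed data. Unless a parser test depends on the exact value, I would keep the neutral form `Called-Station-ID=a4-56-30-0e-44-70:alpha_example` and replace identities and tokens with constructed values (for example `UserName=user01`, `token=<redacted>`) before this is published. The preceding hunk, which starts outside this view, makes the same `alpha_example` to `alpha_byod` substitution and adds failed-attempt records that include an `AD-User-Candidate-Identities=` value, so the same scrub applies there.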
@@ -227,23 +227,23 @@ Aug 6 16:42:16 10.42.7.63 Aug 7 00:01:28 npf-sjca-pdp01 CISE_Passed_Authentica Aug 6 16:42:20 10.42.7.63 Aug 7 00:01:32 npf-sjca-pdp01 CISE_Passed_Authentications 0001969938 1 0 2014-08-07 00:01:32.022 -07:00 0098653606 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=belkhati, Protocol=Radius, RequestLatency=23, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055f54b24e353\;42SessionID=npf-sjca-pdp01/195491152/2085015\;, Called-Station-ID=00270d5fe0f0:alpha_phone, Calling-Station-ID=00233341f6f6, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= Aug 6 16:42:37 10.42.7.63 Aug 7 00:01:49 npf-sjca-pdp01 CISE_Passed_Authentications 0001969966 1 0 2014-08-07 00:01:49.796 -07:00 0098654490 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=selinay, Protocol=Radius, RequestLatency=33, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000054366df7e253\;42SessionID=npf-sjca-pdp01/195491152/2085048\;, Called-Station-ID=002304cd1f10:alpha_phone, Calling-Station-ID=0026cb006812, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= Aug 6 16:42:38 10.42.7.63 Aug 7 00:01:50 npf-sjca-pdp01 CISE_Passed_Authentications 0001969969 1 0 2014-08-07 00:01:50.018 -07:00 0098654556 5200 NOTICE 
Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-D2-15, Protocol=Radius, RequestLatency=56, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6d215, NAS-IP-Address=10.34.75.4, NAS-Port=50243, Service-Type=Call Check, Framed-IP-Address=10.34.75.10, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AA, Calling-Station-ID=BC-30-5B-E6-D2-15, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/43, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AEFDC76D2D28, OriginalUserName=bc305be6d215, AcsSessionID=npf-sjca-pdp01/195491152/2085051, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AEFDC76D2D28, EndPointMACAddress=BC-30-5B-E6-D2-15, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= 
Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:D2:15; User-Name=BC-30-5B-E6-D2-15; State=ReauthSession:0A2250250007AEFDC76D2D28; Class=CACS:0A2250250007AEFDC76D2D28:npf-sjca-pdp01/195491152/2085051; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AEFDC76D2D28&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=7f451caa7913180328cb8377d51953ee; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, -Aug 6 16:42:39 10.42.7.64 Aug 7 00:01:51 npf-sjca-pdp02 CISE_Passed_Authentications 0000370868 1 0 2014-08-07 00:01:51.871 -07:00 0011266965 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.129.4, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=yshchory, Protocol=Radius, RequestLatency=83, NetworkDeviceName=NTN-WLC1, User-Name=yshchory, NAS-IP-Address=10.56.129.4, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a388104000045cd53e2be75\;41SessionID=npf-sjca-pdp02/195481465/270943\;, Called-Station-ID=b8-62-1f-44-92-80:alpha_example, Calling-Station-ID=90-18-7c-7b-59-01, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 604, undefined-89= +Aug 6 16:42:39 10.42.7.64 Aug 7 00:01:51 npf-sjca-pdp02 CISE_Passed_Authentications 
0000370868 1 0 2014-08-07 00:01:51.871 -07:00 0011266965 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.129.4, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=yshchory, Protocol=Radius, RequestLatency=83, NetworkDeviceName=NTN-WLC1, User-Name=yshchory, NAS-IP-Address=10.56.129.4, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a388104000045cd53e2be75\;41SessionID=npf-sjca-pdp02/195481465/270943\;, Called-Station-ID=b8-62-1f-44-92-80:alpha_byod, Calling-Station-ID=90-18-7c-7b-59-01, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 604, undefined-89= Aug 6 16:42:40 10.42.7.63 Aug 7 00:01:52 npf-sjca-pdp01 CISE_Passed_Authentications 0001969973 1 0 2014-08-07 00:01:52.426 -07:00 0098654711 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=jmandana, Protocol=Radius, RequestLatency=28, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=jmandana, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055f44124e353\;42SessionID=npf-sjca-pdp01/195491152/2084992\;, Called-Station-ID=3cce731a29b0:alpha, Calling-Station-ID=48d705c75f05, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= Aug 6 16:42:48 10.42.7.63 Aug 7 00:02:00 npf-sjca-pdp01 CISE_Passed_Authentications 0001969978 1 0 2014-08-07 00:02:00.477 -07:00 0098655023 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=rriverol, Protocol=Radius, RequestLatency=32, 
NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=rriverol, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055f66724e353\;42SessionID=npf-sjca-pdp01/195491152/2085072\;, Called-Station-ID=00270d607400:alpha, Calling-Station-ID=7cd1c3926792, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= Aug 6 16:42:49 10.42.7.63 Aug 7 00:02:01 npf-sjca-pdp01 CISE_Passed_Authentications 0001969983 1 0 2014-08-07 00:02:01.931 -07:00 0098655289 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=belkhati, Protocol=Radius, RequestLatency=23, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055f54b24e353\;42SessionID=npf-sjca-pdp01/195491152/2085079\;, Called-Station-ID=00270d5fe0f0:alpha_phone, Calling-Station-ID=00233341f6f6, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= -Aug 6 16:42:54 10.42.7.64 Aug 7 00:02:06 npf-sjca-pdp02 CISE_Passed_Authentications 0000370872 1 0 2014-08-07 00:02:06.118 -07:00 0011267109 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.129.4, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=yshchory, Protocol=Radius, RequestLatency=62, NetworkDeviceName=NTN-WLC1, User-Name=yshchory, NAS-IP-Address=10.56.129.4, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a388104000045cd53e2be75\;41SessionID=npf-sjca-pdp02/195481465/270947\;, Called-Station-ID=70-10-5c-f3-2f-80:alpha_example, 
Calling-Station-ID=90-18-7c-7b-59-01, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 604, undefined-89= +Aug 6 16:42:54 10.42.7.64 Aug 7 00:02:06 npf-sjca-pdp02 CISE_Passed_Authentications 0000370872 1 0 2014-08-07 00:02:06.118 -07:00 0011267109 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.129.4, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=yshchory, Protocol=Radius, RequestLatency=62, NetworkDeviceName=NTN-WLC1, User-Name=yshchory, NAS-IP-Address=10.56.129.4, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a388104000045cd53e2be75\;41SessionID=npf-sjca-pdp02/195481465/270947\;, Called-Station-ID=70-10-5c-f3-2f-80:alpha_byod, Calling-Station-ID=90-18-7c-7b-59-01, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 604, undefined-89= Aug 6 16:43:03 10.42.7.63 Aug 7 00:02:15 npf-sjca-pdp01 CISE_Passed_Authentications 0001970011 1 0 2014-08-07 00:02:15.266 -07:00 0098656460 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=nikmathu, Protocol=Radius, RequestLatency=29, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=nikmathu, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055f87624e353\;42SessionID=npf-sjca-pdp01/195491152/2085110\;, Called-Station-ID=001d70596ee0:alpha, Calling-Station-ID=34c059eaa2e6, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= Aug 6 16:43:04 10.42.7.63 Aug 7 00:02:16 npf-sjca-pdp01 
CISE_Passed_Authentications 0001970014 1 0 2014-08-07 00:02:16.745 -07:00 0098656593 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=nikmathu, Protocol=Radius, RequestLatency=27, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=nikmathu, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055f87624e353\;42SessionID=npf-sjca-pdp01/195491152/2085115\;, Called-Station-ID=001d70596ee0:alpha, Calling-Station-ID=34c059eaa2e6, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= -Aug 6 16:43:12 10.42.7.64 Aug 7 00:02:24 npf-sjca-pdp02 CISE_Passed_Authentications 0000370876 1 0 2014-08-07 00:02:24.646 -07:00 0011267243 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.72.127, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=host/salfi-pc.cisco.com, Protocol=Radius, RequestLatency=88, NetworkDeviceName=ntn01-11a-sw4, User-Name=host/salfi-pc.cisco.com, NAS-IP-Address=10.56.72.127, NAS-Port=50212, Service-Type=Framed, Framed-IP-Address=169.254.53.87, Framed-MTU=1500, State=37CPMSessionID=0A38487F00000397BDA7BCAC\;41SessionID=npf-sjca-pdp02/195481465/270950\;, Called-Station-ID=00-26-99-28-5E-BB, Calling-Station-ID=3C-97-0E-C3-F8-F1, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/12, EAP-Key-Name=, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0A38487F00000397BDA7BCAC, AcsSessionID=npf-sjca-pdp02/195481465/270950, AuthenticationIdentityStore=CiscoAD, AuthenticationMethod=MSCHAPV2, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=Wired_prePosture, IdentityGroup=Endpoint Identity 
Groups:Profiled:Workstation, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12806, Step=12807, Step=12810, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12318, Step=12812, Step=12804, Step=12801, Step=12802, Step=12816, Step=12310, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12313, Step=11521, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11522, Step=11806, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11808, Step=15041, Step=15006, Step=22072, Step=15013, Step=24431, Step=24325, Step=24313, Step=24319, Step=24323, Step=24343, Step=24470, Step=22037, Step=11824, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11810, Step=11814, Step=11519, Step=12314, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=15036, Step=15048, Step=15048, Step=24433, Step=24355, Step=24435, Step=24355, Step=24458, Step=24100, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=12306, Step=11503, Step=11002, SelectedAuthenticationIdentityStores=CiscoAD, SelectedAuthenticationIdentityStores=Internal Endpoints, SelectedAuthenticationIdentityStores=Internal Users, SelectedAuthenticationIdentityStores=Guest Users, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=NTN-Wired-Pre_Posture, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0A38487F00000397BDA7BCAC, EndPointMACAddress=3C-97-0E-C3-F8-F1, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Windows8-Workstation, 
ISEPolicySetName=Location_NTN_Wired, AllowedProtocolMatchedRule=NTN_Wired_Dot1x, IdentitySelectionMatchedRule=Default, StepLatency=41=15252, AD-Domain=cisco.com, AD-Host-Resolved-Identities=SALFI-PC$@cisco.com, AD-Host-Candidate-Identities=SALFI-PC$@cisco.com, AD-Host-Join-Point=CISCO.COM, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9= DEVICE.Device Type, StepData=10=NTN_Wired_Dot1x, StepData=73=EAP_TLS_BYOD, StepData=74=CiscoAD, StepData=75=CiscoAD, StepData=76=host/salfi-pc.cisco.com, StepData=77=cisco.com, StepData=78=cisco.com, StepData=80=SALFI-PC$@cisco.com, StepData=81=CiscoAD, StepData=99= Radius.Service-Type, StepData=100= Radius.NAS-Port-Type, StepData=101=CiscoAD, StepData=102=cisco.com, StepData=103=CiscoAD, StepData=104=cisco.com, StepData=105=CiscoAD, StepData=106=CiscoAD, StepData=107= CiscoAD.ExternalGroups, StepData=108= Session.PostureStatus, StepData=109= DEVICE.Device Type, StepData=110=NTN-Wired-Pre_Posture, AD-Host-Resolved-DNs=CN=SALFI-PC\,OU=Workstations\,OU=Cisco Computers\,DC=cisco\,DC=com, AD-Host-DNS-Domain=cisco.com, AD-Groups-Names=cisco.com/Users/Domain Computers, AD-Host-NetBios-Name=CISCO, HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, IdentityAccessRestricted=false, ExternalGroups=s-1-5-21-1708537768-1303643608-725345543-515, Response={State=ReauthSession:0A38487F00000397BDA7BCAC; Class=CACS:0A38487F00000397BDA7BCAC:npf-sjca-pdp02/195481465/270950; EAP-Key-Name=19:53:e3:24:6f:39:8e:cd:83:2b:c4:fc:c4:3f:08:e6:0c:6a:02:d7:e2:67:76:ea:4d:63:35:61:ac:4b:2a:ec:01:53:e3:24:6f:ad:5f:72:5d:da:55:6f:f5:e6:68:a9:ef:bb:9f:dc:21:0d:7c:c6:29:5a:d3:53:3b:3c:96:4b:ab; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; 
cisco-av-pair=url-redirect=https://npf.example.com:8443/portal/gateway?sessionId=0A38487F00000397BDA7BCAC&portal=0303a6c2-121d-11e4-91bc-005056811954&action=cpp&token=f593ac62cd614a475bbe3580d05b16c9; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; MS-MPPE-Send-Key=****; MS-MPPE-Recv-Key=****; LicenseTypes=1; }, +Aug 6 16:43:12 10.42.7.64 Aug 7 00:02:24 npf-sjca-pdp02 CISE_Passed_Authentications 0000370876 1 0 2014-08-07 00:02:24.646 -07:00 0011267243 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.72.127, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=host/salfi-pc.cisco.com, Protocol=Radius, RequestLatency=88, NetworkDeviceName=ntn01-11a-sw4, User-Name=host/salfi-pc.cisco.com, NAS-IP-Address=10.56.72.127, NAS-Port=50212, Service-Type=Framed, Framed-IP-Address=169.254.53.87, Framed-MTU=1500, State=37CPMSessionID=0A38487F00000397BDA7BCAC\;41SessionID=npf-sjca-pdp02/195481465/270950\;, Called-Station-ID=00-26-99-28-5E-BB, Calling-Station-ID=3C-97-0E-C3-F8-F1, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/12, EAP-Key-Name=, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0A38487F00000397BDA7BCAC, AcsSessionID=npf-sjca-pdp02/195481465/270950, AuthenticationIdentityStore=CiscoAD, AuthenticationMethod=MSCHAPV2, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=Wired_prePosture, IdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12806, Step=12807, Step=12810, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, 
Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12318, Step=12812, Step=12804, Step=12801, Step=12802, Step=12816, Step=12310, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12313, Step=11521, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11522, Step=11806, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11808, Step=15041, Step=15006, Step=22072, Step=15013, Step=24431, Step=24325, Step=24313, Step=24319, Step=24323, Step=24343, Step=24470, Step=22037, Step=11824, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11810, Step=11814, Step=11519, Step=12314, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=15036, Step=15048, Step=15048, Step=24433, Step=24355, Step=24435, Step=24355, Step=24458, Step=24100, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=12306, Step=11503, Step=11002, SelectedAuthenticationIdentityStores=CiscoAD, SelectedAuthenticationIdentityStores=Internal Endpoints, SelectedAuthenticationIdentityStores=Internal Users, SelectedAuthenticationIdentityStores=Guest Users, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=NTN-Wired-Pre_Posture, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0A38487F00000397BDA7BCAC, EndPointMACAddress=3C-97-0E-C3-F8-F1, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Windows8-Workstation, ISEPolicySetName=Location_NTN_Wired, AllowedProtocolMatchedRule=NTN_Wired_Dot1x, IdentitySelectionMatchedRule=Default, StepLatency=41=15252, AD-Domain=cisco.com, AD-Host-Resolved-Identities=SALFI-PC$@cisco.com, AD-Host-Candidate-Identities=SALFI-PC$@cisco.com, AD-Host-Join-Point=CISCO.COM, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9= 
DEVICE.Device Type, StepData=10=NTN_Wired_Dot1x, StepData=73=EAP_TLS_BYOD, StepData=74=CiscoAD, StepData=75=CiscoAD, StepData=76=host/salfi-pc.cisco.com, StepData=77=cisco.com, StepData=78=cisco.com, StepData=80=SALFI-PC$@cisco.com, StepData=81=CiscoAD, StepData=99= Radius.Service-Type, StepData=100= Radius.NAS-Port-Type, StepData=101=CiscoAD, StepData=102=cisco.com, StepData=103=CiscoAD, StepData=104=cisco.com, StepData=105=CiscoAD, StepData=106=CiscoAD, StepData=107= CiscoAD.ExternalGroups, StepData=108= Session.PostureStatus, StepData=109= DEVICE.Device Type, StepData=110=NTN-Wired-Pre_Posture, AD-Host-Resolved-DNs=CN=SALFI-PC\,OU=Workstations\,OU=Cisco Computers\,DC=cisco\,DC=com, AD-Host-DNS-Domain=cisco.com, AD-Groups-Names=cisco.com/Users/Domain Computers, AD-Host-NetBios-Name=CISCO, HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, IdentityAccessRestricted=false, ExternalGroups=s-1-5-21-1708537768-1303643608-725345543-515, Response={State=ReauthSession:0A38487F00000397BDA7BCAC; Class=CACS:0A38487F00000397BDA7BCAC:npf-sjca-pdp02/195481465/270950; EAP-Key-Name=19:53:e3:24:6f:39:8e:cd:83:2b:c4:fc:c4:3f:08:e6:0c:6a:02:d7:e2:67:76:ea:4d:63:35:61:ac:4b:2a:ec:01:53:e3:24:6f:ad:5f:72:5d:da:55:6f:f5:e6:68:a9:ef:bb:9f:dc:21:0d:7c:c6:29:5a:d3:53:3b:3c:96:4b:ab; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp02.cisco.com:8443/portal/gateway?sessionId=0A38487F00000397BDA7BCAC&portal=0303a6c2-121d-11e4-91bc-005056811954&action=cpp&token=f593ac62cd614a475bbe3580d05b16c9; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; MS-MPPE-Send-Key=****; MS-MPPE-Recv-Key=****; LicenseTypes=1; }, Aug 6 16:43:14 10.42.7.63 Aug 7 00:02:26 npf-sjca-pdp01 CISE_Passed_Authentications 0001970027 1 0 2014-08-07 00:02:26.967 -07:00 0098656894 5200 NOTICE 
Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=kelai, Protocol=Radius, RequestLatency=37, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=kelai, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab0000551cab0ce353\;42SessionID=npf-sjca-pdp01/195491152/2085130\;, Called-Station-ID=0015c7aa45c0:alpha, Calling-Station-ID=5c0a5ba8a9c7, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= Aug 6 16:43:15 10.42.7.63 Aug 7 00:02:27 npf-sjca-pdp01 CISE_Passed_Authentications 0001970030 1 0 2014-08-07 00:02:27.940 -07:00 0098657003 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-BE-F6, Protocol=Radius, RequestLatency=51, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6bef6, NAS-IP-Address=10.34.75.4, NAS-Port=50244, Service-Type=Call Check, Framed-IP-Address=10.34.75.9, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AB, Calling-Station-ID=BC-30-5B-E6-BE-F6, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/44, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AEFFC76DC158, OriginalUserName=bc305be6bef6, AcsSessionID=npf-sjca-pdp01/195491152/2085132, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, 
Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AEFFC76DC158, EndPointMACAddress=BC-30-5B-E6-BE-F6, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:BE:F6; User-Name=BC-30-5B-E6-BE-F6; State=ReauthSession:0A2250250007AEFFC76DC158; Class=CACS:0A2250250007AEFFC76DC158:npf-sjca-pdp01/195491152/2085132; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AEFFC76DC158&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=cd2f533457b8b725372f98d8629d40b8; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, Aug 6 16:43:16 10.42.7.63 Aug 7 00:02:28 npf-sjca-pdp01 CISE_Passed_Authentications 0001970031 
1 0 2014-08-07 00:02:28.966 -07:00 0098657037 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-D2-15, Protocol=Radius, RequestLatency=56, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6d215, NAS-IP-Address=10.34.75.4, NAS-Port=50243, Service-Type=Call Check, Framed-IP-Address=10.34.75.10, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AA, Calling-Station-ID=BC-30-5B-E6-D2-15, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/43, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AF00C76DC584, OriginalUserName=bc305be6d215, AcsSessionID=npf-sjca-pdp01/195491152/2085135, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AF00C76DC584, EndPointMACAddress=BC-30-5B-E6-D2-15, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, 
StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:D2:15; User-Name=BC-30-5B-E6-D2-15; State=ReauthSession:0A2250250007AF00C76DC584; Class=CACS:0A2250250007AF00C76DC584:npf-sjca-pdp01/195491152/2085135; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AF00C76DC584&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=daaf405eaaea7ef6a463479b19aa7e50; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, -Aug 6 16:43:19 10.42.7.64 Aug 7 00:02:31 npf-sjca-pdp02 CISE_Passed_Authentications 0000370881 1 0 2014-08-07 00:02:31.547 -07:00 0011267347 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=maswank, Protocol=Radius, RequestLatency=49, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdf153e32487\;41SessionID=npf-sjca-pdp02/195481465/270954\;, Called-Station-ID=a4-56-30-0f-78-80:alpha_example, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= +Aug 6 16:43:19 10.42.7.64 
Aug 7 00:02:31 npf-sjca-pdp02 CISE_Passed_Authentications 0000370881 1 0 2014-08-07 00:02:31.547 -07:00 0011267347 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=maswank, Protocol=Radius, RequestLatency=49, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdf153e32487\;41SessionID=npf-sjca-pdp02/195481465/270954\;, Called-Station-ID=a4-56-30-0f-78-80:alpha_byod, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= Aug 6 16:43:33 10.42.7.63 Aug 7 00:02:45 npf-sjca-pdp01 CISE_Passed_Authentications 0001970046 1 0 2014-08-07 00:02:45.106 -07:00 0098657849 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=jheitz, Protocol=Radius, RequestLatency=25, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=jheitz, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055fa9424e353\;42SessionID=npf-sjca-pdp01/195491152/2085171\;, Called-Station-ID=8cb64fa742d0:alpha, Calling-Station-ID=8cfababa11c7, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= Aug 6 16:43:34 10.42.7.63 Aug 7 00:02:46 npf-sjca-pdp01 CISE_Passed_Authentications 0001970047 1 0 2014-08-07 00:02:46.630 -07:00 0098657976 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, 
UserName=jheitz, Protocol=Radius, RequestLatency=47, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=jheitz, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055fa9424e353\;42SessionID=npf-sjca-pdp01/195491152/2085172\;, Called-Station-ID=8cb64fa742d0:alpha, Calling-Station-ID=8cfababa11c7, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= Aug 6 16:43:46 10.42.7.63 Aug 7 00:02:58 npf-sjca-pdp01 CISE_Passed_Authentications 0001970058 1 0 2014-08-07 00:02:58.685 -07:00 0098658149 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-BE-F6, Protocol=Radius, RequestLatency=59, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6bef6, NAS-IP-Address=10.34.75.4, NAS-Port=50244, Service-Type=Call Check, Framed-IP-Address=10.34.75.9, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AB, Calling-Station-ID=BC-30-5B-E6-BE-F6, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/44, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AF02C76E3688, OriginalUserName=bc305be6bef6, AcsSessionID=npf-sjca-pdp01/195491152/2085186, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, 
SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AF02C76E3688, EndPointMACAddress=BC-30-5B-E6-BE-F6, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:BE:F6; User-Name=BC-30-5B-E6-BE-F6; State=ReauthSession:0A2250250007AF02C76E3688; Class=CACS:0A2250250007AF02C76E3688:npf-sjca-pdp01/195491152/2085186; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AF02C76E3688&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=9fb12f81caa3c2fa529b2c45510f84c6; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, Aug 6 16:43:49 10.42.7.63 Aug 7 00:03:01 npf-sjca-pdp01 CISE_Passed_Authentications 0001970062 1 0 2014-08-07 00:03:01.008 -07:00 0098658323 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP 
Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=belkhati, Protocol=Radius, RequestLatency=26, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055f54b24e353\;42SessionID=npf-sjca-pdp01/195491152/2085196\;, Called-Station-ID=00270d5fe0f0:alpha_phone, Calling-Station-ID=00233341f6f6, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= -Aug 6 16:43:53 10.42.7.64 Aug 7 00:03:05 npf-sjca-pdp02 CISE_Passed_Authentications 0000370889 1 0 2014-08-07 00:03:05.827 -07:00 0011267552 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.129.4, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=yshchory, Protocol=Radius, RequestLatency=64, NetworkDeviceName=NTN-WLC1, User-Name=yshchory, NAS-IP-Address=10.56.129.4, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a388104000045cd53e2be75\;41SessionID=npf-sjca-pdp02/195481465/270958\;, Called-Station-ID=70-10-5c-f3-36-60:alpha_example, Calling-Station-ID=90-18-7c-7b-59-01, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 604, undefined-89= +Aug 6 16:43:53 10.42.7.64 Aug 7 00:03:05 npf-sjca-pdp02 CISE_Passed_Authentications 0000370889 1 0 2014-08-07 00:03:05.827 -07:00 0011267552 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.129.4, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=yshchory, Protocol=Radius, RequestLatency=64, NetworkDeviceName=NTN-WLC1, User-Name=yshchory, NAS-IP-Address=10.56.129.4, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, 
State=37CPMSessionID=0a388104000045cd53e2be75\;41SessionID=npf-sjca-pdp02/195481465/270958\;, Called-Station-ID=70-10-5c-f3-36-60:alpha_byod, Calling-Station-ID=90-18-7c-7b-59-01, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 604, undefined-89= Aug 6 16:43:54 10.42.7.63 Aug 7 00:03:06 npf-sjca-pdp01 CISE_Passed_Authentications 0001970065 1 0 2014-08-07 00:03:06.883 -07:00 0098658432 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-D2-15, Protocol=Radius, RequestLatency=52, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6d215, NAS-IP-Address=10.34.75.4, NAS-Port=50243, Service-Type=Call Check, Framed-IP-Address=10.34.75.10, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AA, Calling-Station-ID=BC-30-5B-E6-D2-15, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/43, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AF03C76E59F0, OriginalUserName=bc305be6d215, AcsSessionID=npf-sjca-pdp01/195491152/2085198, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, 
AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AF03C76E59F0, EndPointMACAddress=BC-30-5B-E6-D2-15, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:D2:15; User-Name=BC-30-5B-E6-D2-15; State=ReauthSession:0A2250250007AF03C76E59F0; Class=CACS:0A2250250007AF03C76E59F0:npf-sjca-pdp01/195491152/2085198; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AF03C76E59F0&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=376c890d413803de9db7d905a350513e; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, Aug 6 16:43:55 10.42.7.64 Aug 7 00:03:07 npf-sjca-pdp02 CISE_Passed_Authentications 0000370893 1 0 2014-08-07 00:03:07.696 -07:00 0011267645 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.72.127, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=host/salfi-pc.cisco.com, Protocol=Radius, RequestLatency=77, 
NetworkDeviceName=ntn01-11a-sw4, User-Name=host/salfi-pc.cisco.com, NAS-IP-Address=10.56.72.127, NAS-Port=50212, Service-Type=Framed, Framed-IP-Address=10.56.111.14, Framed-MTU=1500, State=37CPMSessionID=0A38487F00000397BDA7BCAC\;41SessionID=npf-sjca-pdp02/195481465/270957\;, Called-Station-ID=00-26-99-28-5E-BB, Calling-Station-ID=3C-97-0E-C3-F8-F1, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/12, EAP-Key-Name=, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0A38487F00000397BDA7BCAC, AcsSessionID=npf-sjca-pdp02/195481465/270957, AuthenticationIdentityStore=CiscoAD, AuthenticationMethod=MSCHAPV2, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=Wired-PermitALL, SelectedAuthorizationProfiles=NTN01_Wired_WorkStations, IdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12806, Step=12807, Step=12810, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12318, Step=12812, Step=12804, Step=12801, Step=12802, Step=12816, Step=12310, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12313, Step=11521, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11522, Step=11806, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11808, Step=15041, Step=15006, Step=22072, Step=15013, Step=24431, Step=24325, Step=24313, Step=24319, Step=24323, Step=24343, Step=24470, Step=22037, Step=11824, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11810, Step=11814, Step=11519, Step=12314, 
Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=15036, Step=15048, Step=15048, Step=24433, Step=24355, Step=24435, Step=24355, Step=24458, Step=24100, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=15016, Step=12306, Step=11503, Step=11002, SelectedAuthenticationIdentityStores=CiscoAD, SelectedAuthenticationIdentityStores=Internal Endpoints, SelectedAuthenticationIdentityStores=Internal Users, SelectedAuthenticationIdentityStores=Guest Users, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=NTN-Wired_Full_Access, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0A38487F00000397BDA7BCAC, EndPointMACAddress=3C-97-0E-C3-F8-F1, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Windows8-Workstation, ISEPolicySetName=Location_NTN_Wired, AllowedProtocolMatchedRule=NTN_Wired_Dot1x, IdentitySelectionMatchedRule=Default, StepLatency=41=15244, AD-Domain=cisco.com, AD-Host-Resolved-Identities=SALFI-PC$@cisco.com, AD-Host-Candidate-Identities=SALFI-PC$@cisco.com, AD-Host-Join-Point=CISCO.COM, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9= DEVICE.Device Type, StepData=10=NTN_Wired_Dot1x, StepData=73=EAP_TLS_BYOD, StepData=74=CiscoAD, StepData=75=CiscoAD, StepData=76=host/salfi-pc.cisco.com, StepData=77=cisco.com, StepData=78=cisco.com, StepData=80=SALFI-PC$@cisco.com, StepData=81=CiscoAD, StepData=99= Radius.Service-Type, StepData=100= Radius.NAS-Port-Type, StepData=101=CiscoAD, StepData=102=cisco.com, StepData=103=CiscoAD, StepData=104=cisco.com, StepData=105=CiscoAD, StepData=106=CiscoAD, StepData=107= CiscoAD.ExternalGroups, StepData=108= DEVICE.Device Type, StepData=109=NTN-Wired_Full_Access, AD-Host-Resolved-DNs=CN=SALFI-PC\,OU=Workstations\,OU=Cisco Computers\,DC=cisco\,DC=com, 
AD-Host-DNS-Domain=cisco.com, AD-Groups-Names=cisco.com/Users/Domain Computers, AD-Host-NetBios-Name=CISCO, HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, PostureStatus=Compliant, IdentityAccessRestricted=false, ExternalGroups=s-1-5-21-1708537768-1303643608-725345543-515, Response={State=ReauthSession:0A38487F00000397BDA7BCAC; Class=CACS:0A38487F00000397BDA7BCAC:npf-sjca-pdp02/195481465/270957; EAP-Key-Name=19:53:e3:24:9a:d1:2c:21:d5:51:bf:68:7d:23:2b:69:2c:1c:36:28:5a:33:4b:45:ad:73:f6:fa:b7:03:7e:ae:e6:53:e3:24:9a:4e:21:e6:1a:07:93:95:f4:93:a3:7e:6a:d7:e1:cc:b9:0a:9d:5b:a0:ca:5e:d8:ae:b7:cb:4d:2e; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-4f57e406; cisco-av-pair=cts:security-group-tag=7981-0; MS-MPPE-Send-Key=****; MS-MPPE-Recv-Key=****; LicenseTypes=5; }, Aug 6 16:43:59 10.42.7.63 Aug 7 00:03:11 npf-sjca-pdp01 CISE_Passed_Authentications 0001970066 1 0 2014-08-07 00:03:11.722 -07:00 0098658583 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=mkrummen, Protocol=Radius, RequestLatency=34, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000054f03809e353\;42SessionID=npf-sjca-pdp01/195491152/2085214\;, Called-Station-ID=0024c48d6e40:alpha_phone, Calling-Station-ID=001f9e8b6c9f, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= 
@@ -257,22 +257,22 @@ Aug 6 16:44:34 10.42.7.63 Aug 7 00:03:46 npf-sjca-pdp01 CISE_Passed_Authentica Aug 6 16:44:35 10.42.7.63 Aug 7 00:03:47 npf-sjca-pdp01 CISE_Passed_Authentications 0001970116 1 0 2014-08-07 00:03:47.549 -07:00 0098661078 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=shpoon, Protocol=Radius, RequestLatency=24, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab0000556efe14e353\;42SessionID=npf-sjca-pdp01/195491152/2085292\;, Called-Station-ID=0023045b1920:alpha_phone, Calling-Station-ID=0024975b4a91, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= Aug 6 16:44:44 10.42.7.63 Aug 7 00:03:56 npf-sjca-pdp01 CISE_Passed_Authentications 0001970133 1 0 2014-08-07 00:03:56.220 -07:00 0098661993 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=belkhati, Protocol=Radius, RequestLatency=20, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055f54b24e353\;42SessionID=npf-sjca-pdp01/195491152/2085313\;, Called-Station-ID=00270d5fe0f0:alpha_phone, Calling-Station-ID=00233341f6f6, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= Aug 6 16:44:45 10.42.7.63 Aug 7 00:03:57 npf-sjca-pdp01 CISE_Passed_Authentications 0001970138 1 0 2014-08-07 00:03:57.971 -07:00 0098662289 5200 NOTICE 
Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-BE-F6, Protocol=Radius, RequestLatency=63, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6bef6, NAS-IP-Address=10.34.75.4, NAS-Port=50244, Service-Type=Call Check, Framed-IP-Address=10.34.75.9, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AB, Calling-Station-ID=BC-30-5B-E6-BE-F6, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/44, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AF06C76F20E9, OriginalUserName=bc305be6bef6, AcsSessionID=npf-sjca-pdp01/195491152/2085322, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AF06C76F20E9, EndPointMACAddress=BC-30-5B-E6-BE-F6, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= 
Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:BE:F6; User-Name=BC-30-5B-E6-BE-F6; State=ReauthSession:0A2250250007AF06C76F20E9; Class=CACS:0A2250250007AF06C76F20E9:npf-sjca-pdp01/195491152/2085322; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AF06C76F20E9&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=257b844b0e6b3e9383182e99639cbfe1; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, -Aug 6 16:44:49 10.42.7.64 Aug 7 00:04:01 npf-sjca-pdp02 CISE_Passed_Authentications 0000370906 1 0 2014-08-07 00:04:01.942 -07:00 0011267755 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=64.102.223.98, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=erwitkop, Protocol=Radius, RequestLatency=54, NetworkDeviceName=WNBU-rtp7-noca-oeapwlc1, User-Name=erwitkop, NAS-IP-Address=64.102.223.98, NAS-Port=13, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=4066df620000031d53e32152\;41SessionID=npf-sjca-pdp02/195481465/270966\;, Called-Station-ID=00-1b-8f-8a-5c-30:alpha_example, Calling-Station-ID=a8-86-dd-e9-65-96, NAS-Identifier=Cisco_7a:f7:03, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 100, undefined-89= -Aug 6 16:45:00 10.42.7.64 Aug 7 00:04:12 npf-sjca-pdp02 
CISE_Passed_Authentications 0000370911 1 0 2014-08-07 00:04:12.543 -07:00 0011267864 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=maswank, Protocol=Radius, RequestLatency=48, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdf153e32487\;41SessionID=npf-sjca-pdp02/195481465/270971\;, Called-Station-ID=a4-56-30-0f-78-80:alpha_example, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= +Aug 6 16:44:49 10.42.7.64 Aug 7 00:04:01 npf-sjca-pdp02 CISE_Passed_Authentications 0000370906 1 0 2014-08-07 00:04:01.942 -07:00 0011267755 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=64.102.223.98, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=erwitkop, Protocol=Radius, RequestLatency=54, NetworkDeviceName=WNBU-rtp7-noca-oeapwlc1, User-Name=erwitkop, NAS-IP-Address=64.102.223.98, NAS-Port=13, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=4066df620000031d53e32152\;41SessionID=npf-sjca-pdp02/195481465/270966\;, Called-Station-ID=00-1b-8f-8a-5c-30:alpha_byod, Calling-Station-ID=a8-86-dd-e9-65-96, NAS-Identifier=Cisco_7a:f7:03, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 100, undefined-89= +Aug 6 16:45:00 10.42.7.64 Aug 7 00:04:12 npf-sjca-pdp02 CISE_Passed_Authentications 0000370911 1 0 2014-08-07 00:04:12.543 -07:00 0011267864 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, 
UserName=maswank, Protocol=Radius, RequestLatency=48, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdf153e32487\;41SessionID=npf-sjca-pdp02/195481465/270971\;, Called-Station-ID=a4-56-30-0f-78-80:alpha_byod, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= Aug 6 16:45:09 10.42.7.63 Aug 7 00:04:21 npf-sjca-pdp01 CISE_Passed_Authentications 0001970172 1 0 2014-08-07 00:04:21.322 -07:00 0098663773 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.32.37.6, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=frhinema, Protocol=Radius, RequestLatency=2, NetworkDeviceName=sjc14-22a-talwar, User-Name=anonymous, NAS-IP-Address=10.32.37.6, NAS-Port=13, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a2025060000006e53e31add\;42SessionID=npf-sjca-pdp01/195491152/2085375\;, Called-Station-ID=3c-08-f6-55-7f-70:ERG-Live-Alpha, Calling-Station-ID=f4-b7-e2-74-52-4e, NAS-Identifier=Cisco_fe:56:00, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 70, undefined-89= Aug 6 16:45:09 10.42.7.63 Aug 7 00:04:21 npf-sjca-pdp01 CISE_Passed_Authentications 0001970174 1 0 2014-08-07 00:04:21.521 -07:00 0098663809 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-D2-15, Protocol=Radius, RequestLatency=50, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6d215, NAS-IP-Address=10.34.75.4, NAS-Port=50243, Service-Type=Call Check, Framed-IP-Address=10.34.75.10, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AA, 
Calling-Station-ID=BC-30-5B-E6-D2-15, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/43, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AF07C76F7B15, OriginalUserName=bc305be6d215, AcsSessionID=npf-sjca-pdp01/195491152/2085377, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AF07C76F7B15, EndPointMACAddress=BC-30-5B-E6-D2-15, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device 
Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:D2:15; User-Name=BC-30-5B-E6-D2-15; State=ReauthSession:0A2250250007AF07C76F7B15; Class=CACS:0A2250250007AF07C76F7B15:npf-sjca-pdp01/195491152/2085377; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AF07C76F7B15&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=4aee9112021be6923726b74179360669; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, -Aug 6 16:45:14 10.42.7.64 Aug 7 00:04:26 npf-sjca-pdp02 CISE_Passed_Authentications 0000370914 1 0 2014-08-07 00:04:26.299 -07:00 0011267964 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.129.4, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=host/istern.example.com, Protocol=Radius, RequestLatency=84, NetworkDeviceName=NTN-WLC1, User-Name=host/istern.example.com, NAS-IP-Address=10.56.129.4, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a388104000045d653e2c47d\;41SessionID=npf-sjca-pdp02/195481465/270974\;, Called-Station-ID=70-10-5c-f3-2f-80:alpha_example, Calling-Station-ID=24-77-03-f9-4e-cc, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 604, undefined-89= +Aug 6 16:45:14 10.42.7.64 Aug 7 00:04:26 npf-sjca-pdp02 CISE_Passed_Authentications 0000370914 1 0 2014-08-07 00:04:26.299 -07:00 0011267964 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.129.4, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=host/ISTERN-WS02.cisco.com, Protocol=Radius, RequestLatency=84, NetworkDeviceName=NTN-WLC1, User-Name=host/ISTERN-WS02.cisco.com, NAS-IP-Address=10.56.129.4, NAS-Port=1, 
Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a388104000045d653e2c47d\;41SessionID=npf-sjca-pdp02/195481465/270974\;, Called-Station-ID=70-10-5c-f3-2f-80:alpha_byod, Calling-Station-ID=24-77-03-f9-4e-cc, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 604, undefined-89= Aug 6 16:45:16 10.42.7.63 Aug 7 00:04:28 npf-sjca-pdp01 CISE_Passed_Authentications 0001970183 1 0 2014-08-07 00:04:28.716 -07:00 0098664402 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-BE-F6, Protocol=Radius, RequestLatency=72, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6bef6, NAS-IP-Address=10.34.75.4, NAS-Port=50244, Service-Type=Call Check, Framed-IP-Address=10.34.75.9, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AB, Calling-Station-ID=BC-30-5B-E6-BE-F6, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/44, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AF08C76F9621, OriginalUserName=bc305be6bef6, AcsSessionID=npf-sjca-pdp01/195491152/2085388, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, 
AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AF08C76F9621, EndPointMACAddress=BC-30-5B-E6-BE-F6, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:BE:F6; User-Name=BC-30-5B-E6-BE-F6; State=ReauthSession:0A2250250007AF08C76F9621; Class=CACS:0A2250250007AF08C76F9621:npf-sjca-pdp01/195491152/2085388; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AF08C76F9621&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=e6e80e20faff468fcba6255890d67bb3; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, Aug 6 16:45:35 10.42.7.63 Aug 7 00:04:47 npf-sjca-pdp01 CISE_Passed_Authentications 0001970198 1 0 2014-08-07 00:04:47.552 -07:00 0098664782 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=mkrao, Protocol=Radius, RequestLatency=26, 
NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=mkrao, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055fbb324e353\;42SessionID=npf-sjca-pdp01/195491152/2085411\;, Called-Station-ID=08cc68b42050:alpha, Calling-Station-ID=d8d1cba0186d, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= Aug 6 16:45:39 10.42.7.63 Aug 7 00:04:51 npf-sjca-pdp01 CISE_Passed_Authentications 0001970204 1 0 2014-08-07 00:04:51.381 -07:00 0098665179 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=mkrao, Protocol=Radius, RequestLatency=26, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=mkrao, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055fbb324e353\;42SessionID=npf-sjca-pdp01/195491152/2085423\;, Called-Station-ID=08cc68b42050:alpha, Calling-Station-ID=d8d1cba0186d, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= Aug 6 16:45:45 10.42.7.63 Aug 7 00:04:57 npf-sjca-pdp01 CISE_Passed_Authentications 0001970206 1 0 2014-08-07 00:04:57.375 -07:00 0098665255 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-D2-15, Protocol=Radius, RequestLatency=51, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6d215, NAS-IP-Address=10.34.75.4, NAS-Port=50243, Service-Type=Call Check, Framed-IP-Address=10.34.75.10, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AA, Calling-Station-ID=BC-30-5B-E6-D2-15, NAS-Port-Type=Ethernet, 
NAS-Port-Id=GigabitEthernet2/43, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AF0AC77007B5, OriginalUserName=bc305be6d215, AcsSessionID=npf-sjca-pdp01/195491152/2085435, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AF0AC77007B5, EndPointMACAddress=BC-30-5B-E6-D2-15, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, 
Response={UserName=BC:30:5B:E6:D2:15; User-Name=BC-30-5B-E6-D2-15; State=ReauthSession:0A2250250007AF0AC77007B5; Class=CACS:0A2250250007AF0AC77007B5:npf-sjca-pdp01/195491152/2085435; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AF0AC77007B5&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=cd8173d87cdc48d5c223a6d1f0ac8cd1; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, Aug 6 16:45:55 10.42.7.63 Aug 7 00:05:07 npf-sjca-pdp01 CISE_Passed_Authentications 0001970208 1 0 2014-08-07 00:05:07.248 -07:00 0098665479 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=shahuja, Protocol=Radius, RequestLatency=27, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=shahuja, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055fe2225e353\;42SessionID=npf-sjca-pdp01/195491152/2085447\;, Called-Station-ID=3cce731a2410:alpha, Calling-Station-ID=68a86d1743da, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= -Aug 6 16:46:00 10.42.7.64 Aug 7 00:05:12 npf-sjca-pdp02 CISE_Passed_Authentications 0000370921 1 0 2014-08-07 00:05:12.246 -07:00 0011268015 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.129.4, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=54-26-96-78-2C-E8, Protocol=Radius, RequestLatency=134, NetworkDeviceName=NTN-WLC1, User-Name=542696782ce8, NAS-IP-Address=10.56.129.4, NAS-Port=1, Service-Type=Call Check, Framed-MTU=1300, Called-Station-ID=b8-62-1f-44-92-80:alpha-guest, 
Calling-Station-ID=54-26-96-78-2c-e8, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 603, cisco-av-pair=audit-session-id=0a388104000045d753e2c4ad, Airespace-Wlan-Id=2, OriginalUserName=542696782ce8, AcsSessionID=npf-sjca-pdp02/195481465/270978, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=WLC_NTN_CWA, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled:Apple-iPhone, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, AuthorizationPolicyMatchedRule=Wireless-Dual_SSID, UserType=Host, CPMSessionID=0a388104000045d753e2c4ad, EndPointMACAddress=54-26-96-78-2C-E8, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Apple-iPhone, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Location_NTN_Wireless, AllowedProtocolMatchedRule=Byod-MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= Radius.NAS-IP-Address, StepData=9= DEVICE.Device Type, StepData=10= Radius.NAS-Port-Type, StepData=11=Byod-MAB, StepData=14=Internal Endpoints, StepData=20= Network Access.Device IP Address, StepData=21= Radius.Service-Type, StepData=22= Radius.NAS-Port-Type, StepData=23= Airespace.Airespace-Wlan-Id, StepData=24=Wireless-Dual_SSID, HostIdentityGroup=Endpoint Identity Groups:Profiled:Apple-iPhone, Model 
Name=5508, Software Version=7.0.114.x, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wireless#WLC, Response={UserName=54:26:96:78:2C:E8; User-Name=54-26-96-78-2C-E8; State=ReauthSession:0a388104000045d753e2c4ad; Class=CACS:0a388104000045d753e2c4ad:npf-sjca-pdp02/195481465/270978; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT-NSP; cisco-av-pair=url-redirect=https://npf.example.com:8443/portal/gateway?sessionId=0a388104000045d753e2c4ad&portal=2aff6652-121d-11e4-91bc-005056811954&action=cwa&token=88f42913ab8d6d6c724e5707d7f73755; cisco-av-pair=profile-name=Apple-iPhone; Airespace-ACL-Name=ACL-WEBAUTH-REDIRECT-NSP; LicenseTypes=1; }, -Aug 6 16:46:00 10.42.7.64 Aug 7 00:05:12 npf-sjca-pdp02 CISE_Passed_Authentications 0000370922 1 0 2014-08-07 00:05:12.907 -07:00 0011268043 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.129.4, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=54-26-96-78-2C-E8, Protocol=Radius, RequestLatency=112, NetworkDeviceName=NTN-WLC1, User-Name=542696782ce8, NAS-IP-Address=10.56.129.4, NAS-Port=1, Service-Type=Call Check, Framed-MTU=1300, Called-Station-ID=b8-62-1f-44-92-80:alpha-guest, Calling-Station-ID=54-26-96-78-2c-e8, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 603, cisco-av-pair=audit-session-id=0a388104000045d753e2c4ad, Airespace-Wlan-Id=2, OriginalUserName=542696782ce8, AcsSessionID=npf-sjca-pdp02/195481465/270979, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=WLC_NTN_CWA, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled:Apple-iPhone, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, 
Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, AuthorizationPolicyMatchedRule=Wireless-Dual_SSID, UserType=Host, CPMSessionID=0a388104000045d753e2c4ad, EndPointMACAddress=54-26-96-78-2C-E8, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Apple-iPhone, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Location_NTN_Wireless, AllowedProtocolMatchedRule=Byod-MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= Radius.NAS-IP-Address, StepData=9= DEVICE.Device Type, StepData=10= Radius.NAS-Port-Type, StepData=11=Byod-MAB, StepData=14=Internal Endpoints, StepData=20= Network Access.Device IP Address, StepData=21= Radius.Service-Type, StepData=22= Radius.NAS-Port-Type, StepData=23= Airespace.Airespace-Wlan-Id, StepData=24=Wireless-Dual_SSID, HostIdentityGroup=Endpoint Identity Groups:Profiled:Apple-iPhone, Model Name=5508, Software Version=7.0.114.x, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wireless#WLC, Response={UserName=54:26:96:78:2C:E8; User-Name=54-26-96-78-2C-E8; State=ReauthSession:0a388104000045d753e2c4ad; Class=CACS:0a388104000045d753e2c4ad:npf-sjca-pdp02/195481465/270979; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT-NSP; cisco-av-pair=url-redirect=https://npf.example.com:8443/portal/gateway?sessionId=0a388104000045d753e2c4ad&portal=2aff6652-121d-11e4-91bc-005056811954&action=cwa&token=81b7ea00e70c0fcb9f67bfcfc945972e; cisco-av-pair=profile-name=Apple-iPhone; Airespace-ACL-Name=ACL-WEBAUTH-REDIRECT-NSP; LicenseTypes=1; }, -Aug 6 16:46:04 10.42.7.63 Aug 7 00:05:16 npf-sjca-pdp01 CISE_Passed_Authentications 0001970221 
1 0 2014-08-07 00:05:16.194 -07:00 0098665794 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=jdoe, Protocol=Radius, RequestLatency=57, NetworkDeviceName=EXAMPLE, User-Name=jdoe, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-IP-Address=10.34.137.144, Framed-MTU=1449, State=37CPMSessionID=0a22964453e2ae150000038a\;42SessionID=npf-sjca-pdp01/195491152/2085471\;, Called-Station-ID=18-33-9d-71-aa-40:alpha, Calling-Station-ID=48-F8-B3-7B-E6-7C, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap9, EAP-Key-Name=, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e2ae150000038a, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha, Airespace-Wlan-Id=1, AcsSessionID=npf-sjca-pdp01/195491152/2085471, AuthenticationIdentityStore=CiscoAD, AuthenticationMethod=MSCHAPV2, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=PermitAccess, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12806, Step=12807, Step=12810, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12318, Step=12812, Step=12804, Step=12801, Step=12802, Step=12816, Step=12310, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12313, Step=11521, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11522, Step=11806, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11808, Step=15041, Step=15006, Step=22072, Step=15013, Step=24430, Step=24325, Step=24313, Step=24319, 
Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24323, Step=24343, Step=24402, Step=22037, Step=11824, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11810, Step=11814, Step=11519, Step=12314, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=24423, Step=15036, Step=24432, Step=24355, Step=24416, Step=24355, Step=24420, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=12306, Step=11503, Step=11002, SelectedAuthenticationIdentityStores=CiscoAD, SelectedAuthenticationIdentityStores=Internal Endpoints, SelectedAuthenticationIdentityStores=Internal Users, SelectedAuthenticationIdentityStores=Guest Users, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, AuthorizationPolicyMatchedRule=Default, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0a22964453e2ae150000038a, EndPointMACAddress=48-F8-B3-7B-E6-7C, PostureAssessmentStatus=NotApplicable, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, IdentitySelectionMatchedRule=Default, AD-Domain=cisco.com, AD-User-Resolved-Identities=jdoe@cisco.com, AD-User-Candidate-Identities=jdoe@cisco.com, AD-User-Join-Point=CISCO.COM, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, StepData=72=EAP_TLS_BYOD, StepData=73=CiscoAD, StepData=74=CiscoAD, StepData=75=jdoe, StepData=76=cisco.com, StepData=77=cisco.com, StepData=78=icm.cisco.com\,Domain trust direction is one-way, StepData=79=sea-alpha.cisco.com\,Domain trust direction is one-way, StepData=80=partnet.cisco.com\,Domain trust direction is one-way, StepData=81=IL.NDS.COM\,Domain trust direction is one-way, StepData=82=UK.NDS.COM\,Domain trust direction is one-way, 
StepData=83=SN.local\,Domain trust direction is one-way, StepData=84=webex.local\,Domain trust direction is one-way, StepData=85=in.nds.com\,Domain trust direction is one-way, StepData=86=US.NDS.COM\,Domain trust direction is one-way, StepData=88=jdoe@cisco.com, StepData=89=CiscoAD, StepData=108=CiscoAD, StepData=109=cisco.com, StepData=110=CiscoAD, StepData=111=cisco.com, StepData=112=CiscoAD, StepData=113= CiscoAD.ExternalGroups, StepData=114= Radius.Service-Type, StepData=115= Radius.NAS-Port-Type, StepData=116= Session.Device-OS, StepData=117= Radius.Called-Station-ID, StepData=118=Default, AD-User-Resolved-DNs=CN=jdoe\,OU=Employees\,OU=Cisco Users\,DC=cisco\,DC=com, AD-User-DNS-Domain=cisco.com, AD-Groups-Names=cisco.com/Users/Domain Users, AD-User-NetBios-Name=CISCO, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, IdentityAccessRestricted=false, Response={State=ReauthSession:0a22964453e2ae150000038a; Class=CACS:0a22964453e2ae150000038a:npf-sjca-pdp01/195491152/2085471; EAP-Key-Name=19:53:e3:25:2d:cb:fa:24:96:fb:fa:9a:43:df:39:70:ee:69:33:07:07:61:35:61:c2:c9:7f:81:48:89:11:0d:a3:53:e3:25:2c:61:63:3e:bd:03:4f:64:37:af:11:d5:1d:50:8a:6f:ab:32:b7:35:10:23:3b:30:c7:ed:35:3a:16; MS-MPPE-Send-Key=****; MS-MPPE-Recv-Key=****; LicenseTypes=1; }, +Aug 6 16:46:00 10.42.7.64 Aug 7 00:05:12 npf-sjca-pdp02 CISE_Passed_Authentications 0000370921 1 0 2014-08-07 00:05:12.246 -07:00 0011268015 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.129.4, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=54-26-96-78-2C-E8, Protocol=Radius, RequestLatency=134, NetworkDeviceName=NTN-WLC1, User-Name=542696782ce8, NAS-IP-Address=10.56.129.4, NAS-Port=1, Service-Type=Call Check, Framed-MTU=1300, Called-Station-ID=b8-62-1f-44-92-80:alpha-guest, Calling-Station-ID=54-26-96-78-2c-e8, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, 
Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 603, cisco-av-pair=audit-session-id=0a388104000045d753e2c4ad, Airespace-Wlan-Id=2, OriginalUserName=542696782ce8, AcsSessionID=npf-sjca-pdp02/195481465/270978, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=WLC_NTN_CWA, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled:Apple-iPhone, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, AuthorizationPolicyMatchedRule=Wireless-Dual_SSID, UserType=Host, CPMSessionID=0a388104000045d753e2c4ad, EndPointMACAddress=54-26-96-78-2C-E8, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Apple-iPhone, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Location_NTN_Wireless, AllowedProtocolMatchedRule=Byod-MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= Radius.NAS-IP-Address, StepData=9= DEVICE.Device Type, StepData=10= Radius.NAS-Port-Type, StepData=11=Byod-MAB, StepData=14=Internal Endpoints, StepData=20= Network Access.Device IP Address, StepData=21= Radius.Service-Type, StepData=22= Radius.NAS-Port-Type, StepData=23= Airespace.Airespace-Wlan-Id, StepData=24=Wireless-Dual_SSID, HostIdentityGroup=Endpoint Identity Groups:Profiled:Apple-iPhone, Model Name=5508, Software Version=7.0.114.x, Location=Location#All Locations#NTN, Device Type=Device Type#All Device 
Types#Wireless#WLC, Response={UserName=54:26:96:78:2C:E8; User-Name=54-26-96-78-2C-E8; State=ReauthSession:0a388104000045d753e2c4ad; Class=CACS:0a388104000045d753e2c4ad:npf-sjca-pdp02/195481465/270978; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT-NSP; cisco-av-pair=url-redirect=https://npf-sjca-pdp02.cisco.com:8443/portal/gateway?sessionId=0a388104000045d753e2c4ad&portal=2aff6652-121d-11e4-91bc-005056811954&action=cwa&token=88f42913ab8d6d6c724e5707d7f73755; cisco-av-pair=profile-name=Apple-iPhone; Airespace-ACL-Name=ACL-WEBAUTH-REDIRECT-NSP; LicenseTypes=1; }, +Aug 6 16:46:00 10.42.7.64 Aug 7 00:05:12 npf-sjca-pdp02 CISE_Passed_Authentications 0000370922 1 0 2014-08-07 00:05:12.907 -07:00 0011268043 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.129.4, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=54-26-96-78-2C-E8, Protocol=Radius, RequestLatency=112, NetworkDeviceName=NTN-WLC1, User-Name=542696782ce8, NAS-IP-Address=10.56.129.4, NAS-Port=1, Service-Type=Call Check, Framed-MTU=1300, Called-Station-ID=b8-62-1f-44-92-80:alpha-guest, Calling-Station-ID=54-26-96-78-2c-e8, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 603, cisco-av-pair=audit-session-id=0a388104000045d753e2c4ad, Airespace-Wlan-Id=2, OriginalUserName=542696782ce8, AcsSessionID=npf-sjca-pdp02/195481465/270979, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=WLC_NTN_CWA, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled:Apple-iPhone, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, 
Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, AuthorizationPolicyMatchedRule=Wireless-Dual_SSID, UserType=Host, CPMSessionID=0a388104000045d753e2c4ad, EndPointMACAddress=54-26-96-78-2C-E8, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Apple-iPhone, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Location_NTN_Wireless, AllowedProtocolMatchedRule=Byod-MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= Radius.NAS-IP-Address, StepData=9= DEVICE.Device Type, StepData=10= Radius.NAS-Port-Type, StepData=11=Byod-MAB, StepData=14=Internal Endpoints, StepData=20= Network Access.Device IP Address, StepData=21= Radius.Service-Type, StepData=22= Radius.NAS-Port-Type, StepData=23= Airespace.Airespace-Wlan-Id, StepData=24=Wireless-Dual_SSID, HostIdentityGroup=Endpoint Identity Groups:Profiled:Apple-iPhone, Model Name=5508, Software Version=7.0.114.x, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wireless#WLC, Response={UserName=54:26:96:78:2C:E8; User-Name=54-26-96-78-2C-E8; State=ReauthSession:0a388104000045d753e2c4ad; Class=CACS:0a388104000045d753e2c4ad:npf-sjca-pdp02/195481465/270979; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT-NSP; cisco-av-pair=url-redirect=https://npf-sjca-pdp02.cisco.com:8443/portal/gateway?sessionId=0a388104000045d753e2c4ad&portal=2aff6652-121d-11e4-91bc-005056811954&action=cwa&token=81b7ea00e70c0fcb9f67bfcfc945972e; cisco-av-pair=profile-name=Apple-iPhone; Airespace-ACL-Name=ACL-WEBAUTH-REDIRECT-NSP; LicenseTypes=1; }, +Aug 6 16:46:04 10.42.7.63 Aug 7 00:05:16 npf-sjca-pdp01 CISE_Passed_Authentications 0001970221 1 0 2014-08-07 00:05:16.194 -07:00 0098665794 5200 NOTICE Passed-Authentication: 
Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=karganes, Protocol=Radius, RequestLatency=57, NetworkDeviceName=WNBU_NGWC_OTA_KATANA1, User-Name=karganes, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-IP-Address=10.34.137.144, Framed-MTU=1449, State=37CPMSessionID=0a22964453e2ae150000038a\;42SessionID=npf-sjca-pdp01/195491152/2085471\;, Called-Station-ID=18-33-9d-71-aa-40:alpha, Calling-Station-ID=48-F8-B3-7B-E6-7C, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap9, EAP-Key-Name=, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e2ae150000038a, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha, Airespace-Wlan-Id=1, AcsSessionID=npf-sjca-pdp01/195491152/2085471, AuthenticationIdentityStore=CiscoAD, AuthenticationMethod=MSCHAPV2, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=PermitAccess, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12806, Step=12807, Step=12810, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12318, Step=12812, Step=12804, Step=12801, Step=12802, Step=12816, Step=12310, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12313, Step=11521, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11522, Step=11806, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11808, Step=15041, Step=15006, Step=22072, Step=15013, Step=24430, Step=24325, Step=24313, Step=24319, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, 
Step=24367, Step=24367, Step=24367, Step=24367, Step=24323, Step=24343, Step=24402, Step=22037, Step=11824, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11810, Step=11814, Step=11519, Step=12314, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=24423, Step=15036, Step=24432, Step=24355, Step=24416, Step=24355, Step=24420, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=12306, Step=11503, Step=11002, SelectedAuthenticationIdentityStores=CiscoAD, SelectedAuthenticationIdentityStores=Internal Endpoints, SelectedAuthenticationIdentityStores=Internal Users, SelectedAuthenticationIdentityStores=Guest Users, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, AuthorizationPolicyMatchedRule=Default, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0a22964453e2ae150000038a, EndPointMACAddress=48-F8-B3-7B-E6-7C, PostureAssessmentStatus=NotApplicable, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, IdentitySelectionMatchedRule=Default, AD-Domain=cisco.com, AD-User-Resolved-Identities=karganes@cisco.com, AD-User-Candidate-Identities=karganes@cisco.com, AD-User-Join-Point=CISCO.COM, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, StepData=72=EAP_TLS_BYOD, StepData=73=CiscoAD, StepData=74=CiscoAD, StepData=75=karganes, StepData=76=cisco.com, StepData=77=cisco.com, StepData=78=icm.cisco.com\,Domain trust direction is one-way, StepData=79=sea-alpha.cisco.com\,Domain trust direction is one-way, StepData=80=partnet.cisco.com\,Domain trust direction is one-way, StepData=81=IL.NDS.COM\,Domain trust direction is one-way, StepData=82=UK.NDS.COM\,Domain trust direction is one-way, StepData=83=SN.local\,Domain trust direction is 
one-way, StepData=84=webex.local\,Domain trust direction is one-way, StepData=85=in.nds.com\,Domain trust direction is one-way, StepData=86=US.NDS.COM\,Domain trust direction is one-way, StepData=88=karganes@cisco.com, StepData=89=CiscoAD, StepData=108=CiscoAD, StepData=109=cisco.com, StepData=110=CiscoAD, StepData=111=cisco.com, StepData=112=CiscoAD, StepData=113= CiscoAD.ExternalGroups, StepData=114= Radius.Service-Type, StepData=115= Radius.NAS-Port-Type, StepData=116= Session.Device-OS, StepData=117= Radius.Called-Station-ID, StepData=118=Default, AD-User-Resolved-DNs=CN=karganes\,OU=Employees\,OU=Cisco Users\,DC=cisco\,DC=com, AD-User-DNS-Domain=cisco.com, AD-Groups-Names=cisco.com/Users/Domain Users, AD-User-NetBios-Name=CISCO, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, IdentityAccessRestricted=false, Response={State=ReauthSession:0a22964453e2ae150000038a; Class=CACS:0a22964453e2ae150000038a:npf-sjca-pdp01/195491152/2085471; EAP-Key-Name=19:53:e3:25:2d:cb:fa:24:96:fb:fa:9a:43:df:39:70:ee:69:33:07:07:61:35:61:c2:c9:7f:81:48:89:11:0d:a3:53:e3:25:2c:61:63:3e:bd:03:4f:64:37:af:11:d5:1d:50:8a:6f:ab:32:b7:35:10:23:3b:30:c7:ed:35:3a:16; MS-MPPE-Send-Key=****; MS-MPPE-Recv-Key=****; LicenseTypes=1; }, Aug 6 16:46:16 10.42.7.63 Aug 7 00:05:28 npf-sjca-pdp01 CISE_Passed_Authentications 0001970225 1 0 2014-08-07 00:05:28.140 -07:00 0098665945 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-BE-F6, Protocol=Radius, RequestLatency=53, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6bef6, NAS-IP-Address=10.34.75.4, NAS-Port=50244, Service-Type=Call Check, Framed-IP-Address=10.34.75.9, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AB, Calling-Station-ID=BC-30-5B-E6-BE-F6, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/44, EAP-Key-Name=, 
cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AF0CC7708085, OriginalUserName=bc305be6bef6, AcsSessionID=npf-sjca-pdp01/195491152/2085483, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AF0CC7708085, EndPointMACAddress=BC-30-5B-E6-BE-F6, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:BE:F6; User-Name=BC-30-5B-E6-BE-F6; 
State=ReauthSession:0A2250250007AF0CC7708085; Class=CACS:0A2250250007AF0CC7708085:npf-sjca-pdp01/195491152/2085483; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AF0CC7708085&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=bfe8e250ab1891dfcefed773f48cd73d; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, Aug 6 16:46:16 10.42.7.64 Aug 7 00:05:28 npf-sjca-pdp02 CISE_Passed_Authentications 0000370926 1 0 2014-08-07 00:05:28.240 -07:00 0011268174 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=host/mickaye-WS.cisco.com, Protocol=Radius, RequestLatency=46, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=host/mickaye-WS.cisco.com, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002c09f53d6bb6e\;41SessionID=npf-sjca-pdp02/195481465/270982\;, Called-Station-ID=a4-56-30-0f-7e-30:Blizzard-ISE, Calling-Station-ID=24-77-03-50-16-e0, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 606, undefined-89= -Aug 6 16:46:16 10.42.7.63 Aug 7 00:05:28 npf-sjca-pdp01 CISE_Passed_Authentications 0001970226 1 0 2014-08-07 00:05:28.384 -07:00 0098666099 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=jdoe, Protocol=Radius, RequestLatency=51, NetworkDeviceName=EXAMPLE, User-Name=jdoe, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-IP-Address=10.34.137.144, Framed-MTU=1449, 
State=37CPMSessionID=0a22964453e2ae150000038a\;42SessionID=npf-sjca-pdp01/195491152/2085484\;, Called-Station-ID=18-33-9d-71-aa-40:alpha, Calling-Station-ID=48-F8-B3-7B-E6-7C, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap9, EAP-Key-Name=, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e2ae150000038a, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha, Airespace-Wlan-Id=1, AcsSessionID=npf-sjca-pdp01/195491152/2085484, AuthenticationIdentityStore=CiscoAD, AuthenticationMethod=MSCHAPV2, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=PermitAccess, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12806, Step=12807, Step=12810, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12318, Step=12812, Step=12804, Step=12801, Step=12802, Step=12816, Step=12310, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12313, Step=11521, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11522, Step=11806, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11808, Step=15041, Step=15006, Step=22072, Step=15013, Step=24430, Step=24325, Step=24313, Step=24319, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24323, Step=24343, Step=24402, Step=22037, Step=11824, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11810, Step=11814, Step=11519, Step=12314, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=24423, Step=15036, Step=24432, Step=24355, Step=24416, Step=24355, Step=24420, 
Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=12306, Step=11503, Step=11002, SelectedAuthenticationIdentityStores=CiscoAD, SelectedAuthenticationIdentityStores=Internal Endpoints, SelectedAuthenticationIdentityStores=Internal Users, SelectedAuthenticationIdentityStores=Guest Users, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, AuthorizationPolicyMatchedRule=Default, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0a22964453e2ae150000038a, EndPointMACAddress=48-F8-B3-7B-E6-7C, PostureAssessmentStatus=NotApplicable, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, IdentitySelectionMatchedRule=Default, AD-Domain=cisco.com, AD-User-Resolved-Identities=jdoe@cisco.com, AD-User-Candidate-Identities=jdoe@cisco.com, AD-User-Join-Point=CISCO.COM, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, StepData=72=EAP_TLS_BYOD, StepData=73=CiscoAD, StepData=74=CiscoAD, StepData=75=jdoe, StepData=76=cisco.com, StepData=77=cisco.com, StepData=78=icm.cisco.com\,Domain trust direction is one-way, StepData=79=sea-alpha.cisco.com\,Domain trust direction is one-way, StepData=80=partnet.cisco.com\,Domain trust direction is one-way, StepData=81=IL.NDS.COM\,Domain trust direction is one-way, StepData=82=UK.NDS.COM\,Domain trust direction is one-way, StepData=83=SN.local\,Domain trust direction is one-way, StepData=84=webex.local\,Domain trust direction is one-way, StepData=85=in.nds.com\,Domain trust direction is one-way, StepData=86=US.NDS.COM\,Domain trust direction is one-way, StepData=88=jdoe@cisco.com, StepData=89=CiscoAD, StepData=108=CiscoAD, StepData=109=cisco.com, StepData=110=CiscoAD, StepData=111=cisco.com, StepData=112=CiscoAD, StepData=113= 
CiscoAD.ExternalGroups, StepData=114= Radius.Service-Type, StepData=115= Radius.NAS-Port-Type, StepData=116= Session.Device-OS, StepData=117= Radius.Called-Station-ID, StepData=118=Default, AD-User-Resolved-DNs=CN=jdoe\,OU=Employees\,OU=Cisco Users\,DC=cisco\,DC=com, AD-User-DNS-Domain=cisco.com, AD-Groups-Names=cisco.com/Users/Domain Users, AD-User-NetBios-Name=CISCO, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, IdentityAccessRestricted=false, Response={State=ReauthSession:0a22964453e2ae150000038a; Class=CACS:0a22964453e2ae150000038a:npf-sjca-pdp01/195491152/2085484; EAP-Key-Name=19:53:e3:25:39:51:ff:85:80:09:d9:ce:e7:3f:89:92:55:30:9d:84:40:eb:6e:34:ab:3d:81:06:b2:c2:cc:1f:dc:53:e3:25:38:f6:b9:5b:d3:6a:a5:9a:de:ed:4b:ad:c3:19:90:68:12:f5:e8:9b:1a:04:2f:76:24:3d:ce:4e:e5; MS-MPPE-Send-Key=****; MS-MPPE-Recv-Key=****; LicenseTypes=1; }, +Aug 6 16:46:16 10.42.7.63 Aug 7 00:05:28 npf-sjca-pdp01 CISE_Passed_Authentications 0001970226 1 0 2014-08-07 00:05:28.384 -07:00 0098666099 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.150.68, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=karganes, Protocol=Radius, RequestLatency=51, NetworkDeviceName=WNBU_NGWC_OTA_KATANA1, User-Name=karganes, NAS-IP-Address=10.34.150.68, NAS-Port=60000, Service-Type=Framed, Framed-IP-Address=10.34.137.144, Framed-MTU=1449, State=37CPMSessionID=0a22964453e2ae150000038a\;42SessionID=npf-sjca-pdp01/195491152/2085484\;, Called-Station-ID=18-33-9d-71-aa-40:alpha, Calling-Station-ID=48-F8-B3-7B-E6-7C, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap9, EAP-Key-Name=, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e2ae150000038a, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha, Airespace-Wlan-Id=1, AcsSessionID=npf-sjca-pdp01/195491152/2085484, AuthenticationIdentityStore=CiscoAD, AuthenticationMethod=MSCHAPV2, 
SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=PermitAccess, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12806, Step=12807, Step=12810, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12318, Step=12812, Step=12804, Step=12801, Step=12802, Step=12816, Step=12310, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12313, Step=11521, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11522, Step=11806, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11808, Step=15041, Step=15006, Step=22072, Step=15013, Step=24430, Step=24325, Step=24313, Step=24319, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24323, Step=24343, Step=24402, Step=22037, Step=11824, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11810, Step=11814, Step=11519, Step=12314, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=24423, Step=15036, Step=24432, Step=24355, Step=24416, Step=24355, Step=24420, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=12306, Step=11503, Step=11002, SelectedAuthenticationIdentityStores=CiscoAD, SelectedAuthenticationIdentityStores=Internal Endpoints, SelectedAuthenticationIdentityStores=Internal Users, SelectedAuthenticationIdentityStores=Guest Users, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, AuthorizationPolicyMatchedRule=Default, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, 
CPMSessionID=0a22964453e2ae150000038a, EndPointMACAddress=48-F8-B3-7B-E6-7C, PostureAssessmentStatus=NotApplicable, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, IdentitySelectionMatchedRule=Default, AD-Domain=cisco.com, AD-User-Resolved-Identities=karganes@cisco.com, AD-User-Candidate-Identities=karganes@cisco.com, AD-User-Join-Point=CISCO.COM, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, StepData=72=EAP_TLS_BYOD, StepData=73=CiscoAD, StepData=74=CiscoAD, StepData=75=karganes, StepData=76=cisco.com, StepData=77=cisco.com, StepData=78=icm.cisco.com\,Domain trust direction is one-way, StepData=79=sea-alpha.cisco.com\,Domain trust direction is one-way, StepData=80=partnet.cisco.com\,Domain trust direction is one-way, StepData=81=IL.NDS.COM\,Domain trust direction is one-way, StepData=82=UK.NDS.COM\,Domain trust direction is one-way, StepData=83=SN.local\,Domain trust direction is one-way, StepData=84=webex.local\,Domain trust direction is one-way, StepData=85=in.nds.com\,Domain trust direction is one-way, StepData=86=US.NDS.COM\,Domain trust direction is one-way, StepData=88=karganes@cisco.com, StepData=89=CiscoAD, StepData=108=CiscoAD, StepData=109=cisco.com, StepData=110=CiscoAD, StepData=111=cisco.com, StepData=112=CiscoAD, StepData=113= CiscoAD.ExternalGroups, StepData=114= Radius.Service-Type, StepData=115= Radius.NAS-Port-Type, StepData=116= Session.Device-OS, StepData=117= Radius.Called-Station-ID, StepData=118=Default, AD-User-Resolved-DNs=CN=karganes\,OU=Employees\,OU=Cisco Users\,DC=cisco\,DC=com, AD-User-DNS-Domain=cisco.com, AD-Groups-Names=cisco.com/Users/Domain Users, AD-User-NetBios-Name=CISCO, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, IdentityAccessRestricted=false, 
Response={State=ReauthSession:0a22964453e2ae150000038a; Class=CACS:0a22964453e2ae150000038a:npf-sjca-pdp01/195491152/2085484; EAP-Key-Name=19:53:e3:25:39:51:ff:85:80:09:d9:ce:e7:3f:89:92:55:30:9d:84:40:eb:6e:34:ab:3d:81:06:b2:c2:cc:1f:dc:53:e3:25:38:f6:b9:5b:d3:6a:a5:9a:de:ed:4b:ad:c3:19:90:68:12:f5:e8:9b:1a:04:2f:76:24:3d:ce:4e:e5; MS-MPPE-Send-Key=****; MS-MPPE-Recv-Key=****; LicenseTypes=1; }, Aug 6 16:46:20 10.34.84.145 Aug 7 00:05:32 stage-pdp01 CISE_Passed_Authentications 0000024639 1 0 2014-08-07 00:05:32.974 -07:00 0000287131 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=113, Device IP Address=10.34.76.212, DestinationIPAddress=10.34.84.145, DestinationPort=1812, UserName=60-03-08-E2-F3-90, Protocol=Radius, RequestLatency=25, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=600308e2f390, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Call Check, Framed-MTU=1300, Called-Station-ID=04-da-d2-91-68-00:Astage-selfsponsor, Calling-Station-ID=60-03-08-e2-f3-90, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, cisco-av-pair=audit-session-id=0a224cd40002fad653e29f73, Airespace-Wlan-Id=5, OriginalUserName=600308e2f390, AcsSessionID=stage-pdp01/196593288/19335, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=Guest_Redirect_Selfservice, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled:Apple-iPad, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All 
Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, AuthorizationPolicyMatchedRule=Alpha_Guest_Registration, UserType=Host, CPMSessionID=0a224cd40002fad653e29f73, EndPointMACAddress=60-03-08-E2-F3-90, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Apple-iPad, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Stage_SJCM_Guest_Selfsponsor, AllowedProtocolMatchedRule=Stage_SelfSponosr_Auth, IdentitySelectionMatchedRule=Default, StepData=5= Radius.Service-Type, StepData=6= DEVICE.Location, StepData=7= DEVICE.Device Type, StepData=8= Radius.Called-Station-ID, StepData=9= Radius.NAS-Port-Type, StepData=10=Stage_SelfSponosr_Auth, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Radius.Called-Station-ID, StepData=22=Alpha_Guest_Registration, HostIdentityGroup=Endpoint Identity Groups:Profiled:Apple-iPad, Model Name=5508, Software Version=7.3.113.109, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wireless#WLC, Response={UserName=60:03:08:E2:F3:90; User-Name=60-03-08-E2-F3-90; State=ReauthSession:0a224cd40002fad653e29f73; Class=CACS:0a224cd40002fad653e29f73:stage-pdp01/196593288/19335; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://stage-pdp01.cisco.com:8443/portal/gateway?sessionId=0a224cd40002fad653e29f73&portal=b15a9aa0-1cde-11e4-8ade-000c29afdc76&action=cwa&token=d5325677244c6698e542e6443bfe0aee; cisco-av-pair=profile-name=Apple-iPad; LicenseTypes=1; }, Aug 6 16:46:21 10.42.7.63 Aug 7 00:05:33 npf-sjca-pdp01 CISE_Passed_Authentications 0001970238 1 0 2014-08-07 00:05:33.261 -07:00 0098666872 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-D2-15, Protocol=Radius, RequestLatency=54, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6d215, 
NAS-IP-Address=10.34.75.4, NAS-Port=50243, Service-Type=Call Check, Framed-IP-Address=10.34.75.10, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AA, Calling-Station-ID=BC-30-5B-E6-D2-15, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/43, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AF0DC7709451, OriginalUserName=bc305be6d215, AcsSessionID=npf-sjca-pdp01/195491152/2085502, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AF0DC7709451, EndPointMACAddress=BC-30-5B-E6-D2-15, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint 
Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:D2:15; User-Name=BC-30-5B-E6-D2-15; State=ReauthSession:0A2250250007AF0DC7709451; Class=CACS:0A2250250007AF0DC7709451:npf-sjca-pdp01/195491152/2085502; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AF0DC7709451&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=7d97cf8182ab2a8e3240660f9fc23041; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, Aug 6 16:46:30 10.42.7.63 Aug 7 00:05:42 npf-sjca-pdp01 CISE_Passed_Authentications 0001970248 1 0 2014-08-07 00:05:42.933 -07:00 0098667378 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=joreeder, Protocol=Radius, RequestLatency=26, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=joreeder, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055cde71ee353\;42SessionID=npf-sjca-pdp01/195491152/2085516\;, Called-Station-ID=001f9e28ffa0:alpha, Calling-Station-ID=28cfe91318d9, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= 
@@ -280,18 +280,18 @@ Aug 6 16:46:39 10.42.7.63 Aug 7 00:05:51 npf-sjca-pdp01 CISE_Passed_Authentica Aug 6 16:46:54 10.42.7.63 Aug 7 00:06:06 npf-sjca-pdp01 CISE_Passed_Authentications 0001970303 1 0 2014-08-07 00:06:06.341 -07:00 0098669360 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=jeffport@cisco.com, Protocol=Radius, RequestLatency=37, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=jeffport@cisco.com, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000055ff5d25e353\;42SessionID=npf-sjca-pdp01/195491152/2085570\;, Called-Station-ID=508789bb8c90:alpha, Calling-Station-ID=28cfe91a5a49, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= Aug 6 16:46:57 10.42.7.63 Aug 7 00:06:09 npf-sjca-pdp01 CISE_Passed_Authentications 0001970314 1 0 2014-08-07 00:06:09.490 -07:00 0098669883 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-D2-15, Protocol=Radius, RequestLatency=54, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6d215, NAS-IP-Address=10.34.75.4, NAS-Port=50243, Service-Type=Call Check, Framed-IP-Address=10.34.75.10, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AA, Calling-Station-ID=BC-30-5B-E6-D2-15, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/43, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AF0EC7711F4D, OriginalUserName=bc305be6d215, AcsSessionID=npf-sjca-pdp01/195491152/2085581, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, 
SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AF0EC7711F4D, EndPointMACAddress=BC-30-5B-E6-D2-15, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:D2:15; User-Name=BC-30-5B-E6-D2-15; State=ReauthSession:0A2250250007AF0EC7711F4D; Class=CACS:0A2250250007AF0EC7711F4D:npf-sjca-pdp01/195491152/2085581; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; 
cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AF0EC7711F4D&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=a75451657930cdd77b363807c733e3c2; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, Aug 6 16:47:15 10.42.7.63 Aug 7 00:06:27 npf-sjca-pdp01 CISE_Passed_Authentications 0001970332 1 0 2014-08-07 00:06:27.955 -07:00 0098670019 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-BE-F6, Protocol=Radius, RequestLatency=61, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6bef6, NAS-IP-Address=10.34.75.4, NAS-Port=50244, Service-Type=Call Check, Framed-IP-Address=10.34.75.9, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AB, Calling-Station-ID=BC-30-5B-E6-BE-F6, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/44, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AF10C7716AE5, OriginalUserName=bc305be6bef6, AcsSessionID=npf-sjca-pdp01/195491152/2085616, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest 
_Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AF10C7716AE5, EndPointMACAddress=BC-30-5B-E6-BE-F6, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:BE:F6; User-Name=BC-30-5B-E6-BE-F6; State=ReauthSession:0A2250250007AF10C7716AE5; Class=CACS:0A2250250007AF10C7716AE5:npf-sjca-pdp01/195491152/2085616; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AF10C7716AE5&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=883f0e1dd91147aa7a0265157dca51d3; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, -Aug 6 16:47:20 10.42.7.64 Aug 7 00:06:32 npf-sjca-pdp02 CISE_Passed_Authentications 0000370936 1 0 2014-08-07 00:06:32.938 -07:00 0011268305 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=maswank, Protocol=Radius, RequestLatency=55, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, 
NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdf253e32578\;41SessionID=npf-sjca-pdp02/195481465/270989\;, Called-Station-ID=04-da-d2-91-68-00:alpha_example, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= -Aug 6 16:47:29 10.42.7.64 Aug 7 00:06:41 npf-sjca-pdp02 CISE_Passed_Authentications 0000370938 1 0 2014-08-07 00:06:41.919 -07:00 0011268424 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.129.4, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=host/ANOY-WS01.cisco.com, Protocol=Radius, RequestLatency=66, NetworkDeviceName=NTN-WLC1, User-Name=host/ANOY-WS01.cisco.com, NAS-IP-Address=10.56.129.4, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a388104000045d853e2c504\;41SessionID=npf-sjca-pdp02/195481465/270991\;, Called-Station-ID=70-10-5c-f3-2f-80:alpha_example, Calling-Station-ID=e8-2a-ea-23-5e-3d, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 604, undefined-89= +Aug 6 16:47:20 10.42.7.64 Aug 7 00:06:32 npf-sjca-pdp02 CISE_Passed_Authentications 0000370936 1 0 2014-08-07 00:06:32.938 -07:00 0011268305 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=maswank, Protocol=Radius, RequestLatency=55, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdf253e32578\;41SessionID=npf-sjca-pdp02/195481465/270989\;, Called-Station-ID=04-da-d2-91-68-00:alpha_byod, 
Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= +Aug 6 16:47:29 10.42.7.64 Aug 7 00:06:41 npf-sjca-pdp02 CISE_Passed_Authentications 0000370938 1 0 2014-08-07 00:06:41.919 -07:00 0011268424 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.129.4, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=host/ANOY-WS01.cisco.com, Protocol=Radius, RequestLatency=66, NetworkDeviceName=NTN-WLC1, User-Name=host/ANOY-WS01.cisco.com, NAS-IP-Address=10.56.129.4, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a388104000045d853e2c504\;41SessionID=npf-sjca-pdp02/195481465/270991\;, Called-Station-ID=70-10-5c-f3-2f-80:alpha_byod, Calling-Station-ID=e8-2a-ea-23-5e-3d, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 604, undefined-89= Aug 6 16:47:31 10.42.7.63 Aug 7 00:06:43 npf-sjca-pdp01 CISE_Passed_Authentications 0001970347 1 0 2014-08-07 00:06:43.315 -07:00 0098670832 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-D2-15, Protocol=Radius, RequestLatency=56, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6d215, NAS-IP-Address=10.34.75.4, NAS-Port=50243, Service-Type=Call Check, Framed-IP-Address=10.34.75.10, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AA, Calling-Station-ID=BC-30-5B-E6-D2-15, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/43, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AF11C771A5C9, OriginalUserName=bc305be6d215, AcsSessionID=npf-sjca-pdp01/195491152/2085649, 
AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AF11C771A5C9, EndPointMACAddress=BC-30-5B-E6-D2-15, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:D2:15; User-Name=BC-30-5B-E6-D2-15; State=ReauthSession:0A2250250007AF11C771A5C9; Class=CACS:0A2250250007AF11C771A5C9:npf-sjca-pdp01/195491152/2085649; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; 
cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AF11C771A5C9&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=5810c2c09f8831a49e23411dbb694159; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, Aug 6 16:47:46 10.42.7.63 Aug 7 00:06:58 npf-sjca-pdp01 CISE_Passed_Authentications 0001970359 1 0 2014-08-07 00:06:58.682 -07:00 0098671317 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-BE-F6, Protocol=Radius, RequestLatency=61, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6bef6, NAS-IP-Address=10.34.75.4, NAS-Port=50244, Service-Type=Call Check, Framed-IP-Address=10.34.75.9, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AB, Calling-Station-ID=BC-30-5B-E6-BE-F6, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/44, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AF13C771E015, OriginalUserName=bc305be6bef6, AcsSessionID=npf-sjca-pdp01/195491152/2085669, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest 
_Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AF13C771E015, EndPointMACAddress=BC-30-5B-E6-BE-F6, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:BE:F6; User-Name=BC-30-5B-E6-BE-F6; State=ReauthSession:0A2250250007AF13C771E015; Class=CACS:0A2250250007AF13C771E015:npf-sjca-pdp01/195491152/2085669; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AF13C771E015&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=b643fd4a0fa044f879be57ca7603c879; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, Aug 6 16:47:58 10.42.7.63 Aug 7 00:07:10 npf-sjca-pdp01 CISE_Passed_Authentications 0001970365 1 0 2014-08-07 00:07:10.166 -07:00 0098671620 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=bbobinde, Protocol=Radius, RequestLatency=51, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=bbobinde, 
NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000056019d25e353\;42SessionID=npf-sjca-pdp01/195491152/2085682\;, Called-Station-ID=ec447680bc70:alpha, Calling-Station-ID=9494260719b4, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= Aug 6 16:48:00 10.42.7.63 Aug 7 00:07:12 npf-sjca-pdp01 CISE_Passed_Authentications 0001970369 1 0 2014-08-07 00:07:12.156 -07:00 0098671767 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=seadams, Protocol=Radius, RequestLatency=35, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab00000029610fd853\;42SessionID=npf-sjca-pdp01/195491152/2085694\;, Called-Station-ID=0023045cced0:alpha_phone, Calling-Station-ID=0026cb002f20, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= Aug 6 16:48:04 10.42.7.63 Aug 7 00:07:16 npf-sjca-pdp01 CISE_Passed_Authentications 0001970377 1 0 2014-08-07 00:07:16.938 -07:00 0098671914 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=selinay, Protocol=Radius, RequestLatency=49, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000054366df7e253\;42SessionID=npf-sjca-pdp01/195491152/2085703\;, Called-Station-ID=002304cd1f10:alpha_phone, Calling-Station-ID=0026cb006812, 
NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= Aug 6 16:48:06 10.42.7.63 Aug 7 00:07:18 npf-sjca-pdp01 CISE_Passed_Authentications 0001970381 1 0 2014-08-07 00:07:18.174 -07:00 0098671958 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-D2-15, Protocol=Radius, RequestLatency=58, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6d215, NAS-IP-Address=10.34.75.4, NAS-Port=50243, Service-Type=Call Check, Framed-IP-Address=10.34.75.10, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AA, Calling-Station-ID=BC-30-5B-E6-D2-15, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/43, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AF14C7722F16, OriginalUserName=bc305be6d215, AcsSessionID=npf-sjca-pdp01/195491152/2085708, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AF14C7722F16, EndPointMACAddress=BC-30-5B-E6-D2-15, PostureAssessmentStatus=NotApplicable, 
EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:D2:15; User-Name=BC-30-5B-E6-D2-15; State=ReauthSession:0A2250250007AF14C7722F16; Class=CACS:0A2250250007AF14C7722F16:npf-sjca-pdp01/195491152/2085708; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AF14C7722F16&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=3d757b08549abb7525c4da546906f53c; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, -Aug 6 16:48:25 10.42.7.64 Aug 7 00:07:37 npf-sjca-pdp02 CISE_Passed_Authentications 0000370956 1 0 2014-08-07 00:07:37.865 -07:00 0011268585 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=maswank, Protocol=Radius, RequestLatency=51, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdf253e32578\;41SessionID=npf-sjca-pdp02/195481465/271003\;, 
Called-Station-ID=a4-56-30-0f-78-80:alpha_example, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= -Aug 6 16:48:28 10.42.7.64 Aug 7 00:07:40 npf-sjca-pdp02 CISE_Passed_Authentications 0000370960 1 0 2014-08-07 00:07:40.066 -07:00 0011268687 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.72.127, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=host/salfi-pc.cisco.com, Protocol=Radius, RequestLatency=94, NetworkDeviceName=ntn01-11a-sw4, User-Name=host/salfi-pc.cisco.com, NAS-IP-Address=10.56.72.127, NAS-Port=50212, Service-Type=Framed, Framed-IP-Address=10.56.111.14, Framed-MTU=1500, State=37CPMSessionID=0A38487F0000039ABDACC6F4\;41SessionID=npf-sjca-pdp02/195481465/271002\;, Called-Station-ID=00-26-99-28-5E-BB, Calling-Station-ID=3C-97-0E-C3-F8-F1, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/12, EAP-Key-Name=, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0A38487F0000039ABDACC6F4, MisconfiguredClientFixReason=Passed, AcsSessionID=npf-sjca-pdp02/195481465/271002, AuthenticationIdentityStore=CiscoAD, AuthenticationMethod=MSCHAPV2, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=Wired_prePosture, IdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12806, Step=12807, Step=12810, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, 
Step=11001, Step=11018, Step=12304, Step=12318, Step=12812, Step=12804, Step=12801, Step=12802, Step=12816, Step=12310, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12313, Step=11521, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11522, Step=11806, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11808, Step=15041, Step=15006, Step=22072, Step=15013, Step=24431, Step=24325, Step=24313, Step=24319, Step=24323, Step=24343, Step=24470, Step=22037, Step=11824, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11810, Step=11814, Step=11519, Step=12314, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=15036, Step=15048, Step=15048, Step=24433, Step=24355, Step=24435, Step=24355, Step=24458, Step=24100, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=12306, Step=11503, Step=11002, Step=5239, SelectedAuthenticationIdentityStores=CiscoAD, SelectedAuthenticationIdentityStores=Internal Endpoints, SelectedAuthenticationIdentityStores=Internal Users, SelectedAuthenticationIdentityStores=Guest Users, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=NTN-Wired-Pre_Posture, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0A38487F0000039ABDACC6F4, EndPointMACAddress=3C-97-0E-C3-F8-F1, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Windows8-Workstation, ISEPolicySetName=Location_NTN_Wired, AllowedProtocolMatchedRule=NTN_Wired_Dot1x, IdentitySelectionMatchedRule=Default, AD-Domain=cisco.com, AD-Host-Resolved-Identities=SALFI-PC$@cisco.com, AD-Host-Candidate-Identities=SALFI-PC$@cisco.com, AD-Host-Join-Point=CISCO.COM, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9= DEVICE.Device Type, StepData=10=NTN_Wired_Dot1x, 
StepData=73=EAP_TLS_BYOD, StepData=74=CiscoAD, StepData=75=CiscoAD, StepData=76=host/salfi-pc.cisco.com, StepData=77=cisco.com, StepData=78=cisco.com, StepData=80=SALFI-PC$@cisco.com, StepData=81=CiscoAD, StepData=99= Radius.Service-Type, StepData=100= Radius.NAS-Port-Type, StepData=101=CiscoAD, StepData=102=cisco.com, StepData=103=CiscoAD, StepData=104=cisco.com, StepData=105=CiscoAD, StepData=106=CiscoAD, StepData=107= CiscoAD.ExternalGroups, StepData=108= Session.PostureStatus, StepData=109= DEVICE.Device Type, StepData=110=NTN-Wired-Pre_Posture, AD-Host-Resolved-DNs=CN=SALFI-PC\,OU=Workstations\,OU=Cisco Computers\,DC=cisco\,DC=com, AD-Host-DNS-Domain=cisco.com, AD-Groups-Names=cisco.com/Users/Domain Computers, AD-Host-NetBios-Name=CISCO, HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, IdentityAccessRestricted=false, ExternalGroups=s-1-5-21-1708537768-1303643608-725345543-515, Response={State=ReauthSession:0A38487F0000039ABDACC6F4; Class=CACS:0A38487F0000039ABDACC6F4:npf-sjca-pdp02/195481465/271002; EAP-Key-Name=19:53:e3:25:b8:21:ae:2a:ee:8c:ab:29:4f:b5:25:31:3f:f3:ce:8f:67:01:d8:83:3d:c4:b7:f7:08:6b:ad:d1:d5:53:e3:25:b9:06:d3:e9:6c:95:49:9f:bd:aa:5a:aa:fe:4a:cd:fe:e7:ef:a1:8a:f8:8f:5f:3e:7b:25:48:0f:e3; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf.example.com:8443/portal/gateway?sessionId=0A38487F0000039ABDACC6F4&portal=0303a6c2-121d-11e4-91bc-005056811954&action=cpp&token=ccd494958b2a3ae24acfa395444fd54e; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; MS-MPPE-Send-Key=****; MS-MPPE-Recv-Key=****; LicenseTypes=1; }, +Aug 6 16:48:25 10.42.7.64 Aug 7 00:07:37 npf-sjca-pdp02 CISE_Passed_Authentications 0000370956 1 0 2014-08-07 00:07:37.865 -07:00 0011268585 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device 
IP Address=10.34.76.212, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=maswank, Protocol=Radius, RequestLatency=51, NetworkDeviceName=sjcm-00a-npf-wlc1, User-Name=maswank, NAS-IP-Address=10.34.76.212, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=0a224cd40002fdf253e32578\;41SessionID=npf-sjca-pdp02/195481465/271003\;, Called-Station-ID=a4-56-30-0f-78-80:alpha_byod, Calling-Station-ID=00-21-6a-ab-3a-fe, NAS-Identifier=sjcm-00a-npf-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 601, undefined-89= +Aug 6 16:48:28 10.42.7.64 Aug 7 00:07:40 npf-sjca-pdp02 CISE_Passed_Authentications 0000370960 1 0 2014-08-07 00:07:40.066 -07:00 0011268687 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.72.127, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=host/salfi-pc.cisco.com, Protocol=Radius, RequestLatency=94, NetworkDeviceName=ntn01-11a-sw4, User-Name=host/salfi-pc.cisco.com, NAS-IP-Address=10.56.72.127, NAS-Port=50212, Service-Type=Framed, Framed-IP-Address=10.56.111.14, Framed-MTU=1500, State=37CPMSessionID=0A38487F0000039ABDACC6F4\;41SessionID=npf-sjca-pdp02/195481465/271002\;, Called-Station-ID=00-26-99-28-5E-BB, Calling-Station-ID=3C-97-0E-C3-F8-F1, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/12, EAP-Key-Name=, cisco-av-pair=cts-pac-opaque=****, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0A38487F0000039ABDACC6F4, MisconfiguredClientFixReason=Passed, AcsSessionID=npf-sjca-pdp02/195481465/271002, AuthenticationIdentityStore=CiscoAD, AuthenticationMethod=MSCHAPV2, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=Wired_prePosture, IdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, 
Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12302, Step=12318, Step=12800, Step=12805, Step=12806, Step=12807, Step=12810, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12318, Step=12812, Step=12804, Step=12801, Step=12802, Step=12816, Step=12310, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=12313, Step=11521, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11522, Step=11806, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11808, Step=15041, Step=15006, Step=22072, Step=15013, Step=24431, Step=24325, Step=24313, Step=24319, Step=24323, Step=24343, Step=24470, Step=22037, Step=11824, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=11810, Step=11814, Step=11519, Step=12314, Step=12305, Step=11006, Step=11001, Step=11018, Step=12304, Step=15036, Step=15048, Step=15048, Step=24433, Step=24355, Step=24435, Step=24355, Step=24458, Step=24100, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=12306, Step=11503, Step=11002, Step=5239, SelectedAuthenticationIdentityStores=CiscoAD, SelectedAuthenticationIdentityStores=Internal Endpoints, SelectedAuthenticationIdentityStores=Internal Users, SelectedAuthenticationIdentityStores=Guest Users, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=NTN-Wired-Pre_Posture, EapTunnel=PEAP, EapAuthentication=EAP-MSCHAPv2, CPMSessionID=0A38487F0000039ABDACC6F4, EndPointMACAddress=3C-97-0E-C3-F8-F1, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Windows8-Workstation, ISEPolicySetName=Location_NTN_Wired, AllowedProtocolMatchedRule=NTN_Wired_Dot1x, IdentitySelectionMatchedRule=Default, AD-Domain=cisco.com, 
AD-Host-Resolved-Identities=SALFI-PC$@cisco.com, AD-Host-Candidate-Identities=SALFI-PC$@cisco.com, AD-Host-Join-Point=CISCO.COM, StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9= DEVICE.Device Type, StepData=10=NTN_Wired_Dot1x, StepData=73=EAP_TLS_BYOD, StepData=74=CiscoAD, StepData=75=CiscoAD, StepData=76=host/salfi-pc.cisco.com, StepData=77=cisco.com, StepData=78=cisco.com, StepData=80=SALFI-PC$@cisco.com, StepData=81=CiscoAD, StepData=99= Radius.Service-Type, StepData=100= Radius.NAS-Port-Type, StepData=101=CiscoAD, StepData=102=cisco.com, StepData=103=CiscoAD, StepData=104=cisco.com, StepData=105=CiscoAD, StepData=106=CiscoAD, StepData=107= CiscoAD.ExternalGroups, StepData=108= Session.PostureStatus, StepData=109= DEVICE.Device Type, StepData=110=NTN-Wired-Pre_Posture, AD-Host-Resolved-DNs=CN=SALFI-PC\,OU=Workstations\,OU=Cisco Computers\,DC=cisco\,DC=com, AD-Host-DNS-Domain=cisco.com, AD-Groups-Names=cisco.com/Users/Domain Computers, AD-Host-NetBios-Name=CISCO, HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation, Model Name=4503, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, IdentityAccessRestricted=false, ExternalGroups=s-1-5-21-1708537768-1303643608-725345543-515, Response={State=ReauthSession:0A38487F0000039ABDACC6F4; Class=CACS:0A38487F0000039ABDACC6F4:npf-sjca-pdp02/195481465/271002; EAP-Key-Name=19:53:e3:25:b8:21:ae:2a:ee:8c:ab:29:4f:b5:25:31:3f:f3:ce:8f:67:01:d8:83:3d:c4:b7:f7:08:6b:ad:d1:d5:53:e3:25:b9:06:d3:e9:6c:95:49:9f:bd:aa:5a:aa:fe:4a:cd:fe:e7:ef:a1:8a:f8:8f:5f:3e:7b:25:48:0f:e3; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp02.cisco.com:8443/portal/gateway?sessionId=0A38487F0000039ABDACC6F4&portal=0303a6c2-121d-11e4-91bc-005056811954&action=cpp&token=ccd494958b2a3ae24acfa395444fd54e; 
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; MS-MPPE-Send-Key=****; MS-MPPE-Recv-Key=****; LicenseTypes=1; }, Aug 6 16:48:30 10.42.7.63 Aug 7 00:07:42 npf-sjca-pdp01 CISE_Passed_Authentications 0001970421 1 0 2014-08-07 00:07:42.411 -07:00 0098673586 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=wisantos@cisco.com, Protocol=Radius, RequestLatency=25, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=wisantos@cisco.com, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab00005602bd25e353\;42SessionID=npf-sjca-pdp01/195491152/2085761\;, Called-Station-ID=a8b1d49cc490:alpha, Calling-Station-ID=28cfe91ca8e3, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 310, undefined-89= -Aug 6 16:48:31 10.42.7.64 Aug 7 00:07:43 npf-sjca-pdp02 CISE_Passed_Authentications 0000370964 1 0 2014-08-07 00:07:43.823 -07:00 0011268723 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.129.4, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=54-26-96-78-2C-E8, Protocol=Radius, RequestLatency=93, NetworkDeviceName=NTN-WLC1, User-Name=542696782ce8, NAS-IP-Address=10.56.129.4, NAS-Port=1, Service-Type=Call Check, Framed-MTU=1300, Called-Station-ID=b8-62-1f-44-92-80:alpha-guest, Calling-Station-ID=54-26-96-78-2c-e8, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 603, cisco-av-pair=audit-session-id=0a388104000045d953e2c545, Airespace-Wlan-Id=2, OriginalUserName=542696782ce8, AcsSessionID=npf-sjca-pdp02/195481465/271007, AuthenticationIdentityStore=Internal Endpoints, 
AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=WLC_NTN_CWA, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled:Apple-iPhone, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, AuthorizationPolicyMatchedRule=Wireless-Dual_SSID, UserType=Host, CPMSessionID=0a388104000045d953e2c545, EndPointMACAddress=54-26-96-78-2C-E8, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Apple-iPhone, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Location_NTN_Wireless, AllowedProtocolMatchedRule=Byod-MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= Radius.NAS-IP-Address, StepData=9= DEVICE.Device Type, StepData=10= Radius.NAS-Port-Type, StepData=11=Byod-MAB, StepData=14=Internal Endpoints, StepData=20= Network Access.Device IP Address, StepData=21= Radius.Service-Type, StepData=22= Radius.NAS-Port-Type, StepData=23= Airespace.Airespace-Wlan-Id, StepData=24=Wireless-Dual_SSID, HostIdentityGroup=Endpoint Identity Groups:Profiled:Apple-iPhone, Model Name=5508, Software Version=7.0.114.x, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wireless#WLC, Response={UserName=54:26:96:78:2C:E8; User-Name=54-26-96-78-2C-E8; State=ReauthSession:0a388104000045d953e2c545; Class=CACS:0a388104000045d953e2c545:npf-sjca-pdp02/195481465/271007; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT-NSP; 
cisco-av-pair=url-redirect=https://npf.example.com:8443/portal/gateway?sessionId=0a388104000045d953e2c545&portal=2aff6652-121d-11e4-91bc-005056811954&action=cwa&token=4cf8e99f6378a31c6fccf59f0968d671; cisco-av-pair=profile-name=Apple-iPhone; Airespace-ACL-Name=ACL-WEBAUTH-REDIRECT-NSP; LicenseTypes=1; }, +Aug 6 16:48:31 10.42.7.64 Aug 7 00:07:43 npf-sjca-pdp02 CISE_Passed_Authentications 0000370964 1 0 2014-08-07 00:07:43.823 -07:00 0011268723 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=240, Device IP Address=10.56.129.4, DestinationIPAddress=10.42.7.64, DestinationPort=1812, UserName=54-26-96-78-2C-E8, Protocol=Radius, RequestLatency=93, NetworkDeviceName=NTN-WLC1, User-Name=542696782ce8, NAS-IP-Address=10.56.129.4, NAS-Port=1, Service-Type=Call Check, Framed-MTU=1300, Called-Station-ID=b8-62-1f-44-92-80:alpha-guest, Calling-Station-ID=54-26-96-78-2c-e8, NAS-Identifier=ntn01-11a-wlc1, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 603, cisco-av-pair=audit-session-id=0a388104000045d953e2c545, Airespace-Wlan-Id=2, OriginalUserName=542696782ce8, AcsSessionID=npf-sjca-pdp02/195481465/271007, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=WLC_NTN_CWA, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled:Apple-iPhone, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#NTN, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC, 
AuthorizationPolicyMatchedRule=Wireless-Dual_SSID, UserType=Host, CPMSessionID=0a388104000045d953e2c545, EndPointMACAddress=54-26-96-78-2C-E8, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Apple-iPhone, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Location_NTN_Wireless, AllowedProtocolMatchedRule=Byod-MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= Radius.NAS-IP-Address, StepData=9= DEVICE.Device Type, StepData=10= Radius.NAS-Port-Type, StepData=11=Byod-MAB, StepData=14=Internal Endpoints, StepData=20= Network Access.Device IP Address, StepData=21= Radius.Service-Type, StepData=22= Radius.NAS-Port-Type, StepData=23= Airespace.Airespace-Wlan-Id, StepData=24=Wireless-Dual_SSID, HostIdentityGroup=Endpoint Identity Groups:Profiled:Apple-iPhone, Model Name=5508, Software Version=7.0.114.x, Location=Location#All Locations#NTN, Device Type=Device Type#All Device Types#Wireless#WLC, Response={UserName=54:26:96:78:2C:E8; User-Name=54-26-96-78-2C-E8; State=ReauthSession:0a388104000045d953e2c545; Class=CACS:0a388104000045d953e2c545:npf-sjca-pdp02/195481465/271007; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT-NSP; cisco-av-pair=url-redirect=https://npf-sjca-pdp02.cisco.com:8443/portal/gateway?sessionId=0a388104000045d953e2c545&portal=2aff6652-121d-11e4-91bc-005056811954&action=cwa&token=4cf8e99f6378a31c6fccf59f0968d671; cisco-av-pair=profile-name=Apple-iPhone; Airespace-ACL-Name=ACL-WEBAUTH-REDIRECT-NSP; LicenseTypes=1; }, Aug 6 16:48:40 10.42.7.63 Aug 7 00:07:52 npf-sjca-pdp01 CISE_Passed_Authentications 0001970436 1 0 2014-08-07 00:07:52.996 -07:00 0098674299 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-D2-15, Protocol=Radius, RequestLatency=49, NetworkDeviceName=sjcm-12a-npf-sw1, 
User-Name=bc305be6d215, NAS-IP-Address=10.34.75.4, NAS-Port=50243, Service-Type=Call Check, Framed-IP-Address=10.34.75.10, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AA, Calling-Station-ID=BC-30-5B-E6-D2-15, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/43, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AF16C772B746, OriginalUserName=bc305be6d215, AcsSessionID=npf-sjca-pdp01/195491152/2085786, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AF16C772B746, EndPointMACAddress=BC-30-5B-E6-D2-15, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, 
HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:D2:15; User-Name=BC-30-5B-E6-D2-15; State=ReauthSession:0A2250250007AF16C772B746; Class=CACS:0A2250250007AF16C772B746:npf-sjca-pdp01/195491152/2085786; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AF16C772B746&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=c90ec32565114d064ed25118421c0fc2; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; }, Aug 6 16:48:45 10.42.7.63 Aug 7 00:07:57 npf-sjca-pdp01 CISE_Passed_Authentications 0001970453 1 0 2014-08-07 00:07:57.281 -07:00 0098675207 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=171.70.35.137, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=selinay, Protocol=Radius, RequestLatency=26, NetworkDeviceName=WNBU-sjc14-00a-homeap4_mgmt, User-Name=anonymous, NAS-IP-Address=171.70.35.137, NAS-Port=1, Service-Type=Framed, Framed-MTU=1300, State=37CPMSessionID=892346ab000054366df7e253\;42SessionID=npf-sjca-pdp01/195491152/2085802\;, Called-Station-ID=002304cd1f10:alpha_phone, Calling-Station-ID=0026cb006812, NAS-Identifier=Cisco_cf:27:46, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 311, undefined-89= Aug 6 16:48:46 10.42.7.63 Aug 7 00:07:58 npf-sjca-pdp01 CISE_Passed_Authentications 0001970457 1 0 2014-08-07 00:07:58.139 -07:00 0098675480 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=133, Device IP Address=10.34.75.4, DestinationIPAddress=10.42.7.63, DestinationPort=1812, UserName=BC-30-5B-E6-BE-F6, 
Protocol=Radius, RequestLatency=52, NetworkDeviceName=sjcm-12a-npf-sw1, User-Name=bc305be6bef6, NAS-IP-Address=10.34.75.4, NAS-Port=50244, Service-Type=Call Check, Framed-IP-Address=10.34.75.9, Framed-MTU=1500, Called-Station-ID=00-21-A0-C2-BF-AB, Calling-Station-ID=BC-30-5B-E6-BE-F6, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet2/44, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A2250250007AF17C772CA76, OriginalUserName=bc305be6bef6, AcsSessionID=npf-sjca-pdp01/195491152/2085805, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=CWA-Redirect_Wired, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15041, Step=15006, Step=15013, Step=24209, Step=24211, Step=22037, Step=24423, Step=15036, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, NetworkDeviceGroups=Location#All Locations#SJC#SJCM1, NetworkDeviceGroups=Device Type#All Device Types#Wired, AuthorizationPolicyMatchedRule=SJCM_Guest _Wired_unknown, UserType=Host, CPMSessionID=0A2250250007AF17C772CA76, EndPointMACAddress=BC-30-5B-E6-BE-F6, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Dell-Device, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Building_SJCM1_Wired, AllowedProtocolMatchedRule=SJCM1_Wired_MAB, IdentitySelectionMatchedRule=Default, StepData=5= DEVICE.Location, StepData=6= Radius.Called-Station-ID, StepData=7= Radius.Service-Type, StepData=8= DEVICE.Device Type, StepData=9= Radius.NAS-Port-Type, StepData=10=SJCM1_Wired_MAB, StepData=13=Internal Endpoints, StepData=19= Radius.Service-Type, StepData=20= Radius.NAS-Port-Type, StepData=21= Session.PostureStatus, StepData=22= 
EndPoints.LogicalProfile, StepData=23=SJCM_Guest _Wired_unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled, Model Name=Unknown, Software Version=Unknown, Location=Location#All Locations#SJC#SJCM1, Device Type=Device Type#All Device Types#Wired, PostureStatus=Unknown, Response={UserName=BC:30:5B:E6:BE:F6; User-Name=BC-30-5B-E6-BE-F6; State=ReauthSession:0A2250250007AF17C772CA76; Class=CACS:0A2250250007AF17C772CA76:npf-sjca-pdp01/195491152/2085805; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://npf-sjca-pdp01.cisco.com:8443/portal/gateway?sessionId=0A2250250007AF17C772CA76&portal=1e06a122-121d-11e4-91bc-005056811954&action=cwa&token=4ee88766e3e644a5eddb82045adae0b5; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PRE-POSTURE-AD-4ffe0a92; cisco-av-pair=profile-name=Dell-Device; LicenseTypes=1; },
diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/SampleInput/PaloaltoOutput b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/SampleInput/PaloaltoOutput
new file mode 100644
index 0000000000..16793a2a8e
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/SampleInput/PaloaltoOutput
@@ -0,0 +1,100 @@ +<11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1,2015/01/05 05:38:58,0006C110285,THREAT,vulnerability,1,2015/01/05 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=300x250&id=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,, +<11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1,2015/01/05 05:38:59,0006C110285,THREAT,vulnerability,1,2015/01/05 05:38:59,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 05:38:59,9399,1,54185,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=300x250&id=8;tile=1;ord=F7315B6954238BE7FAE19D6EE0ECD",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368106,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109661,, +<11>Jan 5 05:39:00 PAN1.exampleCustomer.com 1,2015/01/05 05:38:59,0006C110285,THREAT,vulnerability,1,2015/01/05 05:38:59,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 05:38:59,50636,1,54181,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=300x250&id=12;tile=1;ord=ECA531364D3B6522F9B89EE09381",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368111,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109663,, +<11>Jan 5 05:39:00 PAN1.exampleCustomer.com 1,2015/01/05 05:38:59,0006C110285,THREAT,vulnerability,1,2015/01/05 05:38:59,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 
05:38:59,19582,1,54177,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=160x600&id=14;tile=1;ord=9DB9E71EB91389C954E499B68203",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368112,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109664,, +<11>Jan 5 05:39:00 PAN1.exampleCustomer.com 1,2015/01/05 05:38:59,0006C110285,THREAT,vulnerability,1,2015/01/05 05:38:59,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 05:38:59,38426,1,54202,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=336x288&id=4;tile=1;ord=B1B8DA9446290140922C4F6E092D8",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368119,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109668,, +<11>Jan 5 07:11:37 PAN1.exampleCustomer.com 1,2015/01/05 07:11:36,0006C110285,THREAT,vulnerability,1,2015/01/05 07:11:36,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 07:11:36,28124,1,56475,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=300x250&id=6;tile=1;ord=E526836F078EB22491799C6373ED3",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347431967,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109692,, +<11>Jan 5 07:11:37 PAN1.exampleCustomer.com 1,2015/01/05 07:11:37,0006C110285,THREAT,vulnerability,1,2015/01/05 07:11:37,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 07:11:37,36574,1,56485,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=300x250&id=6;tile=1;ord=E526836F078EB22491799C6373ED3",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347431978,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109694,, +<11>Jan 5 07:11:37 PAN1.exampleCustomer.com 1,2015/01/05 07:11:37,0006C110285,THREAT,vulnerability,1,2015/01/05 
07:11:37,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 07:11:37,3892,1,56486,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=300x250&id=12;tile=1;ord=E052042F211E553D6E1E44921E49",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347431979,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109695,, +<11>Jan 5 07:15:23 PAN1.exampleCustomer.com 1,2015/01/05 07:15:23,0006C110285,THREAT,vulnerability,1,2015/01/05 07:15:23,10.0.0.115,216.0.10.230,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 07:15:23,15102,1,56706,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=300x250&id=12;tile=1;ord=EB863BEB8809A5598F62C4CEDED7",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347434790,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109701,, +<11>Jan 5 07:15:23 PAN1.exampleCustomer.com 1,2015/01/05 07:15:23,0006C110285,THREAT,vulnerability,1,2015/01/05 07:15:23,10.0.0.115,216.0.10.230,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 07:15:23,54920,1,56704,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=300x250&id=12;tile=1;ord=4FB22ED5B7A0C344DB28AB34C1B3",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347434799,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109706,, +<11>Jan 5 06:57:50 PAN1.exampleCustomer.com 1,2015/01/05 06:57:50,0006C110285,THREAT,vulnerability,1,2015/01/05 06:57:50,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 06:57:50,59603,1,56051,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=300x250&id=12;tile=1;ord=6845CCF1045EE15B60F30B807684",HTTP: IIS Denial Of Service 
Attempt(40019),any,high,client-to-server,347421830,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109684,, +<11>Jan 5 06:57:50 PAN1.exampleCustomer.com 1,2015/01/05 06:57:50,0006C110285,THREAT,vulnerability,1,2015/01/05 06:57:50,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 06:57:50,24223,1,56042,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=300x250&id=12;tile=1;ord=256A9BBB8867977D118E2E511742",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347421831,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109685,, +<11>Jan 5 06:57:50 PAN1.exampleCustomer.com 1,2015/01/05 06:57:50,0006C110285,THREAT,vulnerability,1,2015/01/05 06:57:50,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 06:57:50,61627,1,56043,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=300x250&id=12;tile=1;ord=6845CCF1045EE15B60F30B807684",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347421828,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109682,, +<11>Jan 5 07:11:36 PAN1.exampleCustomer.com 1,2015/01/05 07:11:36,0006C110285,THREAT,vulnerability,1,2015/01/05 07:11:36,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 07:11:36,37087,1,56307,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=300x250&id=12;tile=1;ord=E052042F211E553D6E1E44921E49",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347431965,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109691,, +<11>Jan 5 05:48:38 PAN1.exampleCustomer.com 1,2015/01/05 05:48:38,0006C110285,THREAT,vulnerability,1,2015/01/05 05:48:38,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 
05:48:38,48136,1,54557,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=300x250&id=12;tile=1;ord=EDD821C39BC0A49777874E02F7FA",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347373997,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109676,, +<11>Jan 5 05:39:01 PAN1.exampleCustomer.com 1,2015/01/05 05:39:00,0006C110285,THREAT,vulnerability,1,2015/01/05 05:39:00,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 05:39:00,60649,1,54209,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=728x90&id=1;tile=1;ord=6510BF66C3B427ED44AC521752E695",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368140,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109674,, +<12>Jan 5 06:41:35 PAN1.exampleCustomer.com 1,2015/01/05 06:41:34,0006C113118,THREAT,virus,1,2015/01/05 06:41:34,94.0.0.3,10.0.0.208,94.0.0.3,211.0.10.226,EX-Allow,,example\user.name,web-browsing,vsys1,untrust,trust,ethernet1/1,ethernet1/2,LOG-Default,2015/01/05 06:41:34,16864,2,80,60194,80,56595,0x404000,tcp,deny,"FreemakeVideoConverterSetup.exe",Virus/Win32.WGeneric.dyxeh(2367869),any,medium,server-to-client,40462931,0x0,GB,10.0.0.0-10.255.255.255,0,,0,, +<10>Jan 5 05:58:47 PAN1 1,2015/01/05 05:58:46,009401011564,THREAT,vulnerability,1,2015/01/05 05:58:46,10.0.0.38,10.3.0.31,0.0.0.0,0.0.0.0,INT_out,,,ms-ds-smb,vsys1,v_internal,v_external,ethernet1/4,ethernet1/3,LOG-Default,2015/01/05 05:58:46,44183,1,60510,445,0,0,0x80004000,tcp,reset-both,"",Microsoft Windows SMBv2 Remote Code Execution Vulnerability(32541),any,critical,client-to-server,724178,0x0,Unknown,Unknown,0,,1200515273392656547,, +<11>Jan 5 07:41:48 PAN1.exampleCustomer.com 1,2015/01/05 07:41:47,0006C110285,THREAT,vulnerability,1,2015/01/05 07:41:47,10.0.0.115,216.0.10.230,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 
07:41:47,20240,1,65530,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=300x250&id=12;tile=1;ord=9944D12C8FB4EB798036CAD371C6",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347454781,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109719,, +<11>Jan 5 07:41:48 PAN1.exampleCustomer.com 1,2015/01/05 07:41:47,0006C110285,THREAT,vulnerability,1,2015/01/05 07:41:47,10.0.0.115,216.0.10.230,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 07:41:47,2518,1,65531,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=300x250&id=8;tile=1;ord=E0827A4B1C6179DF64205E13AECDF",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347454775,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109715,, +<12>Jan 5 09:08:53 PAN1.exampleCustomer.com 1,2015/01/05 09:08:52,0011C103117,THREAT,virus,1,2015/01/05 09:08:52,61.0.0.202,10.0.0.81,0.0.0.0,0.0.0.0,EX-Allow,,example\user.name,web-browsing,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 09:08:52,72686,1,80,60538,0,0,0x4000,tcp,deny,"haozip_v5.0_up6.exe",Virus/Win32.WGeneric.dpqqf(2516743),any,medium,server-to-client,3422073984,0x0,CN,10.0.0.0-10.255.255.255,0,,0,, +<12>Jan 5 09:10:14 PAN1.exampleCustomer.com 1,2015/01/05 09:10:13,001606003946,THREAT,virus,1,2015/01/05 09:10:13,8.30.222.22,10.0.0.109,8.30.222.22,172.13.0.21,EX-Allow,,example\user.name,web-browsing,vsys1,untrust,trust,ethernet1/1,ethernet1/2,LOG-Default,2015/01/05 09:10:13,17060,1,80,64672,80,21754,0x404000,tcp,deny,"youdaogouwu-3.13-dictupdate.exe",Virus/Win32.WGeneric.dyugt(2272380),any,medium,server-to-client,38698043,0x0,US,10.0.0.0-10.255.255.255,0,,0,, +<11>Jan 5 09:10:37 PAN1 1,2015/01/05 09:10:36,0003C105690,THREAT,vulnerability,1,2015/01/05 09:10:36,10.0.0.222,95.0.0.154,192.168.100.11,95.0.0.154,Guest_to_Internet,,,web-browsing,vsys1,GuestAccess,untrust,vlan.84,vlan.200,LOG-Default,2015/01/05 
09:10:36,97395,1,59784,80,46548,80,0x80400000,tcp,reset-both,"8-134.0-87.0.zip",HTTP Unauthorized Brute-force Attack(40031),any,high,client-to-server,247195018,0x0,10.0.0.0-10.255.255.255,IT,0,,1200340530903386781,, +<11>Jan 5 09:02:24 PAN1 1,2015/01/05 09:02:24,0003C105690,THREAT,vulnerability,1,2015/01/05 09:02:24,10.0.0.222,95.0.0.154,192.168.100.11,95.0.0.154,Guest_to_Internet,,,web-browsing,vsys1,GuestAccess,untrust,vlan.84,vlan.200,LOG-Default,2015/01/05 09:02:24,137904,1,59762,80,7021,80,0x80400000,tcp,reset-both,"8-136.0-83.0.zip",HTTP Unauthorized Brute-force Attack(40031),any,high,client-to-server,247188168,0x0,10.0.0.0-10.255.255.255,IT,0,,1200340530903386777,, +<11>Jan 5 09:23:52 PAN1 1,2015/01/05 09:23:51,009401011564,THREAT,vulnerability,1,2015/01/05 09:23:51,10.0.0.135,10.1.0.42,0.0.0.0,0.0.0.0,INT_out,,,sccp,vsys1,v_internal,v_external,ethernet1/4,ethernet1/3,LOG-Default,2015/01/05 09:23:51,15299,1,49643,2000,0,0,0x80004000,tcp,reset-both,"",Digium Asterisk Skinny Channel NULL-Pointer Dereference Vulnerability(35378),any,high,client-to-server,732393,0x0,Unknown,Unknown,0,,1200515273392656561,, +<10>Jan 5 10:03:58 PAN1 1,2015/01/05 10:03:58,009401011564,THREAT,vulnerability,1,2015/01/05 10:03:58,10.0.0.38,10.3.0.37,0.0.0.0,0.0.0.0,INT_out,,,ms-ds-smb,vsys1,v_internal,v_external,ethernet1/4,ethernet1/3,LOG-Default,2015/01/05 10:03:58,57935,1,11648,445,0,0,0x80004000,tcp,reset-both,"",Microsoft Windows SMBv2 Remote Code Execution Vulnerability(32541),any,critical,client-to-server,733522,0x0,Unknown,Unknown,0,,1200515273392656570,, +<11>Jan 5 07:19:09 PAN1 1,2015/01/05 07:19:08,009401011564,THREAT,vulnerability,1,2015/01/05 07:19:08,10.0.0.135,10.1.0.42,0.0.0.0,0.0.0.0,INT_out,,,sccp,vsys1,v_internal,v_external,ethernet1/4,ethernet1/3,LOG-Default,2015/01/05 07:19:08,22557,1,49638,2000,0,0,0x80004000,tcp,reset-both,"",Digium Asterisk Skinny Channel NULL-Pointer Dereference 
Vulnerability(35378),any,high,client-to-server,727520,0x0,Unknown,Unknown,0,,1200515273392656555,, +<10>Jan 5 10:04:00 PAN1 1,2015/01/05 10:04:00,009401011564,THREAT,vulnerability,1,2015/01/05 10:04:00,10.0.0.38,10.2.0.40,0.0.0.0,0.0.0.0,INT_out,,,ms-ds-smb,vsys1,v_internal,v_external,ethernet1/4,ethernet1/3,LOG-Default,2015/01/05 10:04:00,37972,1,43861,445,0,0,0x80004000,tcp,reset-both,"",Microsoft Windows SMBv2 Remote Code Execution Vulnerability(32541),any,critical,client-to-server,733536,0x0,Unknown,Unknown,0,,1200515273392656584,, +<10>Jan 5 10:04:01 PAN1 1,2015/01/05 10:04:01,009401011564,THREAT,vulnerability,1,2015/01/05 10:04:01,10.0.0.38,172.13.0.68,0.0.0.0,0.0.0.0,INT_out,,,ms-ds-smb,vsys1,v_internal,v_external,ethernet1/4,ethernet1/3,LOG-Default,2015/01/05 10:04:01,49163,1,43869,445,0,0,0x80004000,tcp,reset-both,"",Microsoft Windows SMBv2 Remote Code Execution Vulnerability(32541),any,critical,client-to-server,733543,0x0,Unknown,US,0,,1200515273392656591,, +<10>Jan 5 02:16:00 PAN1.exampleCustomer.com 1,2015/01/05 02:16:00,009401009421,THREAT,spyware,1,2015/01/05 02:16:00,10.0.0.67,54.0.0.140,68.1.100.154,54.0.0.140,EX-Allow,,,web-browsing,vsys1,internal,external,ethernet1/1,ethernet1/2,LOG-Default,2015/01/05 02:16:00,2898,1,50429,80,13954,80,0x400000,tcp,reset-both,"install.ashx",WGeneric.Gen Command and Control Traffic(13600),any,critical,client-to-server,3841944,0x0,10.0.0.0-10.255.255.255,US,0,,0,, +<10>Jan 5 02:16:17 PAN1.exampleCustomer.com 1,2015/01/05 02:16:17,009401009421,THREAT,spyware,1,2015/01/05 02:16:17,10.0.0.67,54.0.0.140,68.1.100.154,54.0.0.140,EX-Allow,,,web-browsing,vsys1,internal,external,ethernet1/1,ethernet1/2,LOG-Default,2015/01/05 02:16:17,21959,1,50459,80,45933,80,0x400000,tcp,reset-both,"install.ashx",WGeneric.Gen Command and Control Traffic(13600),any,critical,client-to-server,3842040,0x0,10.0.0.0-10.255.255.255,US,0,,0,, +<10>Jan 5 10:55:21 PAN1.exampleCustomer.com 1,2015/01/05 
10:55:21,0011C103117,THREAT,vulnerability,1,2015/01/05 10:55:21,172.13.0.44,10.0.0.48,0.0.0.0,0.0.0.0,EX-Allow,,,ssl,vsys1,v_dmz-external,v_dmz-internal,ethernet1/3,ethernet1/4,LOG-Default,2015/01/05 10:55:21,116502,1,55910,443,0,0,0x80004000,tcp,reset-both,"bar.exampleCustomer.com/",OpenSSL SSL/TLS MITM vulnerability(36485),any,critical,client-to-server,3422361316,0x0,NO,10.0.0.0-10.255.255.255,0,,1200269920802300348,, +<12>Jan 5 11:31:36 PAN1.exampleCustomer.com 1,2015/01/05 11:31:36,0011C103117,THREAT,vulnerability,1,2015/01/05 11:31:36,31.0.0.198,10.0.0.210,0.0.0.0,0.0.0.0,EX-Allow,,,twitter-base,vsys1,v_dmz-external,v_dmz-internal,ethernet1/3,ethernet1/4,LOG-Default,2015/01/05 11:31:36,181928,1,55325,443,0,0,0x80004000,tcp,alert,"foo.exampleCustomer.com/",OpenSSL TLS Malformed Heartbeat Request Found - Heartbleed(36397),any,medium,client-to-server,3422463820,0x0,CH,10.0.0.0-10.255.255.255,0,,1200269920802300355,, +<12>Jan 5 11:31:17 PAN1.exampleCustomer.com 1,2015/01/05 11:31:17,0011C103117,THREAT,vulnerability,1,2015/01/05 11:31:17,31.0.0.198,10.0.0.56,0.0.0.0,0.0.0.0,EX-Allow,,,twitter-base,vsys1,v_dmz-external,v_dmz-internal,ethernet1/3,ethernet1/4,LOG-Default,2015/01/05 11:31:17,33936654,1,55325,443,0,0,0x80004000,tcp,alert,"*.exampleCustomer.com/",OpenSSL TLS Malformed Heartbeat Request Found - Heartbleed(36397),any,medium,client-to-server,3422463061,0x0,CH,10.0.0.0-10.255.255.255,0,,1344385108878191554,, +<12>Jan 5 11:07:20 PAN1.exampleCustomer.com 1,2015/01/05 11:07:20,0011C103117,THREAT,vulnerability,1,2015/01/05 11:07:20,31.0.0.198,10.0.0.70,0.0.0.0,0.0.0.0,EX-EasyAV,,,twitter-base,vsys1,v_dmz-external,v_dmz-internal,ethernet1/3,ethernet1/4,LOG-Default,2015/01/05 11:07:20,142520,1,55325,443,0,0,0x4000,tcp,alert,"fizzbuzz.exampleCustomer.com/",OpenSSL TLS Malformed Heartbeat Request Found - Heartbleed(36397),any,medium,client-to-server,3422395620,0x0,CH,10.0.0.0-10.255.255.255,0,,0,, +<10>Jan 5 10:04:06 PAN1 1,2015/01/05 
10:04:05,009401011564,THREAT,vulnerability,1,2015/01/05 10:04:05,10.0.0.38,10.2.0.20,0.0.0.0,0.0.0.0,INT_out,,,ms-ds-smb,vsys1,v_internal,v_external,ethernet1/4,ethernet1/3,LOG-Default,2015/01/05 10:04:05,58977,1,43882,445,0,0,0x80004000,tcp,reset-both,"",Microsoft Windows SMBv2 Remote Code Execution Vulnerability(32541),any,critical,client-to-server,733556,0x0,Unknown,Unknown,0,,1200515273392656603,, +<11>Jan 5 11:20:02 PAN1 1,2015/01/05 11:20:02,009401011564,THREAT,vulnerability,1,2015/01/05 11:20:02,10.0.0.131,10.1.0.42,0.0.0.0,0.0.0.0,INT_out,,,sccp,vsys1,v_internal,v_external,ethernet1/4,ethernet1/3,LOG-Default,2015/01/05 11:20:02,25219,1,49569,2000,0,0,0x80004000,tcp,reset-both,"",Digium Asterisk Skinny Channel NULL-Pointer Dereference Vulnerability(35378),any,high,client-to-server,735575,0x0,Unknown,Unknown,0,,1200515273392656605,, +<11>Jan 5 12:31:01 PAN1.exampleCustomer.com 1,2015/01/05 12:31:01,0006C110285,THREAT,vulnerability,1,2015/01/05 12:31:01,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:31:01,12971,1,56879,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=160x600&id=14;tile=1;ord=339DEA400FDFBF9127DA196347F1",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347631498,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109742,, +<11>Jan 5 12:31:01 PAN1.exampleCustomer.com 1,2015/01/05 12:31:01,0006C110285,THREAT,vulnerability,1,2015/01/05 12:31:01,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:31:01,52846,1,56881,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=160x600&id=14;tile=1;ord=A501E1CAA93F3B256222F902C051",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347631499,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109743,, +<11>Jan 5 12:31:01 PAN1.exampleCustomer.com 1,2015/01/05 
12:31:01,0006C110285,THREAT,vulnerability,1,2015/01/05 12:31:01,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:31:01,132,1,56880,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=300x250&id=12;tile=1;ord=A01019D3E75E253C81B9DBE60AF0",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347631500,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109744,, +<11>Jan 5 11:39:28 PAN1.exampleCustomer.com 1,2015/01/05 11:39:28,0006C110285,THREAT,vulnerability,1,2015/01/05 11:39:28,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 11:39:28,55273,1,55241,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=160x600&id=13;tile=1;ord=F20325FB397BD62AFCE60C004651",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347599433,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109725,, +<11>Jan 5 12:09:04 PAN1.exampleCustomer.com 1,2015/01/05 12:09:03,0006C110285,THREAT,vulnerability,1,2015/01/05 12:09:03,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:09:03,40131,1,61994,80,0,0,0x80004000,tcp,reset-both,"ad.aspx?f=300x250&id=12;tile=1;ord=9C998477823511B311AA24EC53D6",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347617382,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109736,, +<12>Jan 5 13:45:24 PAN1.exampleCustomer.com 1,2015/01/05 13:45:23,0011C103117,THREAT,vulnerability,1,2015/01/05 13:45:23,31.0.0.198,10.0.0.60,0.0.0.0,0.0.0.0,EX-Allow,,,twitter-base,vsys1,v_dmz-external,v_dmz-internal,ethernet1/3,ethernet1/4,LOG-Default,2015/01/05 13:45:23,179279,1,55325,443,0,0,0x80004000,tcp,alert,"*.exampleCustomer.com/",Unknown(36397),any,medium,client-to-server,3423036992,0x0,CH,10.0.0.0-10.255.255.255,0,,1200269920802300367,, +<12>Jan 5 
13:45:24 PAN1.exampleCustomer.com 1,2015/01/05 13:45:23,0011C103117,THREAT,vulnerability,1,2015/01/05 13:45:23,10.0.0.10,10.1.0.81,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,twitter-base,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 13:45:23,32298,1,55325,443,0,0,0x80004000,tcp,alert,"*.exampleCustomer.com/",OpenSSL TLS Malformed Heartbeat Request Found - Heartbleed(36397),any,medium,client-to-server,3423036994,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,,1200269920802300369,, +<10>Jan 5 04:24:30 PAN1.exampleCustomer.com 1,2015/01/05 04:24:29,009401009421,THREAT,spyware,1,2015/01/05 04:24:29,10.0.0.67,54.0.0.133,68.1.100.154,54.0.0.133,EX-Allow,,,web-browsing,vsys1,internal,external,ethernet1/1,ethernet1/2,LOG-Default,2015/01/05 04:24:29,18282,1,49800,80,13532,80,0x400000,tcp,reset-both,"install.ashx",WGeneric.Gen Command and Control Traffic(13600),any,critical,client-to-server,3875271,0x0,10.0.0.0-10.255.255.255,US,0,,0,, +<12>Jan 5 11:32:12 PAN1.exampleCustomer.com 1,2015/01/05 11:32:12,0011C103117,THREAT,vulnerability,1,2015/01/05 11:32:12,31.0.0.198,10.0.0.102,0.0.0.0,0.0.0.0,EX-Allow,,,twitter-base,vsys1,v_dmz-external,v_dmz-internal,ethernet1/3,ethernet1/4,LOG-Default,2015/01/05 11:32:12,255259,1,55325,443,0,0,0x80004000,tcp,alert,"foo.exampleCustomer.com/",OpenSSL TLS Malformed Heartbeat Request Found - Heartbleed(36397),any,medium,client-to-server,3422465396,0x0,CH,10.0.0.0-10.255.255.255,0,,1200269920802300360,, +<12>Jan 5 11:31:46 PAN1.exampleCustomer.com 1,2015/01/05 11:31:46,0011C103117,THREAT,vulnerability,1,2015/01/05 11:31:46,31.0.0.198,10.0.0.50,0.0.0.0,0.0.0.0,EX-Allow,,,twitter-base,vsys1,v_dmz-external,v_dmz-internal,ethernet1/3,ethernet1/4,LOG-Default,2015/01/05 11:31:46,33699961,1,55325,443,0,0,0x80004000,tcp,alert,"*.exampleCustomer.com/",OpenSSL TLS Malformed Heartbeat Request Found - Heartbleed(36397),any,medium,client-to-server,3422464320,0x0,CH,10.0.0.0-10.255.255.255,0,,1344385108878191555,, 
+<12>Jan 5 11:36:03 PAN1.exampleCustomer.com 1,2015/01/05 11:36:02,0006C113555,THREAT,vulnerability,1,2015/01/05 11:36:02,10.0.0.62,10.1.0.11,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,msrpc,vsys1,Inside,Inside,ethernet1/4,tunnel.1,LOG-Default,2015/01/05 11:36:02,16469,1,51461,445,0,0,0x80004000,tcp,alert,"",Microsoft DCE RPC Big Endian Evasion Vulnerability(33510),any,medium,client-to-server,46375536,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,,1200283142590569503,, +<11>Jan 5 13:26:50 PAN1.exampleCustomer.com 1,2015/01/05 13:26:49,0011C103117,THREAT,vulnerability,1,2015/01/05 13:26:49,10.0.0.167,10.1.0.41,0.0.0.0,0.0.0.0,EX-EasyAV,example\user.name.hernandez,,ssh,vsys1,v_internal,v_external,ethernet1/1,ethernet1/2,LOG-Default,2015/01/05 13:26:49,121926,1,49754,9101,0,0,0x4000,tcp,reset-both,"",SSH User Authentication Brute-force Attempt(40015),any,high,client-to-server,3422922092,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,,0,, +<11>Jan 5 10:18:37 NTOR1FWPAN1 1,2015/01/05 10:18:37,009401008933,THREAT,vulnerability,1,2015/01/05 10:18:37,10.0.0.50,54.0.0.7,38.140.11.98,54.0.0.7,TOR-outbound,,,web-browsing,vsys1,Inside,Outside,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 10:18:37,7226,1,51724,80,58706,80,0x80400000,tcp,reset-both,"_PhotoXML.php",Microsoft Office Sharepoint Server Elevation of Privilege Vulnerability(32001),any,high,client-to-server,1252593,0x0,10.0.0.0-10.255.255.255,US,0,,1200584606076633093,, +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_dmz-internal,v_dmz-external,ethernet1/4,ethernet1/3,LOG-Default,2015/01/05 12:51:33,34103936,1,54270,40004,0,0,0x401c,tcp,allow,5385,3299,2086,26,2015/01/05 12:51:01,30,any,0,17754932047,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,11,15 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 
12:51:33,10.0.0.22,10.1.0.28,0.0.0.0,0.0.0.0,EX-Allow,,example\user.name,vmware,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,33888863,1,62961,902,0,0,0x4019,udp,allow,108,108,0,1,2015/01/05 12:51:01,30,any,0,17754932051,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,1,0 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,172.13.0.2,10.0.0.32,0.0.0.0,0.0.0.0,EX-Allow,,,dns,vsys1,v_dmz-external,v_dmz-internal,ethernet1/3,ethernet1/4,LOG-Default,2015/01/05 12:51:33,33841444,1,17294,53,0,0,0x4019,udp,allow,94,94,0,1,2015/01/05 12:51:01,30,any,0,17754932054,0x0,US,10.0.0.0-10.255.255.255,0,1,0 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,71.0.0.174,10.0.0.32,0.0.0.0,0.0.0.0,EX-Allow,,,dns,vsys1,v_dmz-external,v_dmz-internal,ethernet1/3,ethernet1/4,LOG-Default,2015/01/05 12:51:33,33992062,1,57783,53,0,0,0x4019,udp,allow,247,86,161,2,2015/01/05 12:51:01,30,any,0,17754932055,0x0,US,10.0.0.0-10.255.255.255,0,1,1 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,58.0.0.196,10.0.0.17,0.0.0.0,0.0.0.0,EX-Allow,,,ssl,vsys1,v_dmz-external,v_dmz-internal,ethernet1/3,ethernet1/4,LOG-Default,2015/01/05 12:51:33,34310602,1,25678,443,0,0,0x4053,tcp,allow,21935,11456,10479,44,2015/01/05 12:48:44,167,EX-Allowed,0,17754932059,0x0,IN,10.0.0.0-10.255.255.255,0,20,24 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.39,10.1.0.163,0.0.0.0,0.0.0.0,EX-Allow,,example\user.name,ms-ds-smb,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,33760927,1,52688,445,0,0,0x401a,tcp,allow,2229,1287,942,10,2015/01/05 12:51:01,30,any,0,17754932062,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,6,4 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 
12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.39,10.1.0.163,0.0.0.0,0.0.0.0,EX-Allow,,example\user.name,ms-ds-smb,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,33595018,1,52689,445,0,0,0x401a,tcp,allow,2229,1287,942,10,2015/01/05 12:51:01,30,any,0,17754932064,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,6,4 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.7,10.1.0.81,0.0.0.0,0.0.0.0,EX-Allow,,,netbios-ns,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,34098107,1,137,137,0,0,0x4019,udp,allow,532,220,312,6,2015/01/05 12:51:01,30,any,0,17754932070,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,3,3 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.39,10.1.0.163,0.0.0.0,0.0.0.0,EX-Allow,,example\user.name,ms-ds-smb,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,34326343,1,52690,445,0,0,0x401a,tcp,allow,2229,1287,942,10,2015/01/05 12:51:01,30,any,0,17754932071,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,6,4 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,172.13.0.15,10.0.0.53,0.0.0.0,0.0.0.0,EX-EasyAV,,,eset-remote-admin,vsys1,v_dmz-external,v_dmz-internal,ethernet1/3,ethernet1/4,LOG-Default,2015/01/05 12:51:33,33859365,1,23390,443,0,0,0x405e,tcp,allow,725,405,320,11,2015/01/05 12:51:01,30,any,0,17754932073,0x0,US,10.0.0.0-10.255.255.255,0,6,5 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015/01/05 
12:51:01,30,any,0,17754932075,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,11,14 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,96.0.0.102,10.0.0.57,0.0.0.0,0.0.0.0,EX-Allow,,,ssl,vsys1,v_dmz-external,v_dmz-internal,ethernet1/3,ethernet1/4,LOG-Default,2015/01/05 12:51:33,33924142,1,51230,443,0,0,0x4053,tcp,allow,18350,9280,9070,41,2015/01/05 12:51:01,30,EX-Allowed,0,17754932080,0x0,US,10.0.0.0-10.255.255.255,0,19,22 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,72.0.0.131,10.0.0.174,0.0.0.0,0.0.0.0,EX-Allow,,,ssl,vsys1,v_dmz-external,v_dmz-internal,ethernet1/3,ethernet1/4,LOG-Default,2015/01/05 12:51:33,34186774,1,28203,443,0,0,0x4053,tcp,allow,4121,2209,1912,20,2015/01/05 12:51:01,30,EX-Allowed,0,17754932086,0x0,US,10.0.0.0-10.255.255.255,0,10,10 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,216.0.10.244,10.0.0.53,0.0.0.0,0.0.0.0,EX-EasyAV,,,ssl,vsys1,v_dmz-external,v_dmz-internal,ethernet1/3,ethernet1/4,LOG-Default,2015/01/05 12:51:33,33988765,1,45150,443,0,0,0x401c,tcp,allow,626,358,268,9,2015/01/05 12:50:41,50,any,0,17754932095,0x0,US,10.0.0.0-10.255.255.255,0,5,4 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,172.12.216.82,10.0.0.53,0.0.0.0,0.0.0.0,EX-EasyAV,,,eset-update,vsys1,v_dmz-external,v_dmz-internal,ethernet1/3,ethernet1/4,LOG-Default,2015/01/05 12:51:33,33577240,1,3882,80,0,0,0x401c,tcp,allow,94947,2570,92377,106,2015/01/05 12:50:47,44,EX-Allowed,0,17754932107,0x0,US,10.0.0.0-10.255.255.255,0,38,68 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.33,10.1.0.85,0.0.0.0,0.0.0.0,EX-Allow,,,zabbix,vsys1,v_dmz-external,v_dmz-internal,ethernet1/3,ethernet1/4,LOG-Default,2015/01/05 
12:51:33,34078885,1,46056,10050,0,0,0x405e,tcp,allow,728,367,361,11,2015/01/05 12:51:01,30,any,0,17754932117,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,6,5 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.11,10.1.0.33,0.0.0.0,0.0.0.0,EX-Allow,,,incomplete,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,34222137,1,59966,443,0,0,0x401c,tcp,allow,404,198,206,7,2015/01/05 12:51:01,30,any,0,17754932131,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,4,3 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.12,172.13.0.23,0.0.0.0,0.0.0.0,EX-Allow,,,dns,vsys1,v_dmz-internal,v_dmz-external,ethernet1/4,ethernet1/3,LOG-Default,2015/01/05 12:51:33,33560784,1,52991,53,0,0,0x4019,udp,allow,815,96,719,2,2015/01/05 12:51:01,30,any,0,17754932142,0x0,10.0.0.0-10.255.255.255,US,0,1,1 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.52,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_dmz-internal,v_dmz-external,ethernet1/4,ethernet1/3,LOG-Default,2015/01/05 12:51:33,109384,1,50721,40004,0,0,0x401c,tcp,allow,4211,2125,2086,25,2015/01/05 12:51:02,30,any,0,17754932194,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,10,15 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,134519,1,54273,40004,0,0,0x401c,tcp,allow,5375,3289,2086,26,2015/01/05 12:51:02,30,any,0,17754932204,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,11,15 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 
12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,15005,1,54268,40004,0,0,0x401c,tcp,allow,7084,3787,3297,26,2015/01/05 12:51:02,30,any,0,17754932228,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,11,15 +<14>Jan 5 12:51:34 PAN1 1,2015/01/05 12:51:33,0003C105690,TRAFFIC,drop,1,2015/01/05 12:51:33,10.0.0.219,10.3.0.21,0.0.0.0,0.0.0.0,catch all deny,,,not-applicable,vsys1,GuestAccess,trust,vlan.84,,LOG-Default,2015/01/05 12:51:33,0,1,62063,389,0,0,0x0,tcp,deny,70,70,0,1,2015/01/05 12:51:34,0,any,0,956329030,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,1,0 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0006C113555,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.217,172.13.0.168,186.225.121.238,172.13.0.168,Guest WiFi to Internet,,,skype-probe,vsys1,Guest WiFi,Ext_Internet,ethernet1/3.109,ethernet1/2,LOG-Default,2015/01/05 12:51:33,46888,1,11566,40023,55962,40023,0x404050,udp,allow,1446,79,1367,2,2015/01/05 12:51:03,0,any,0,265102737,0x0,10.0.0.0-10.255.255.255,US,0,1,1 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0006C113555,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.20,10.1.0.28,0.0.0.0,0.0.0.0,EX-Allow,,example\user.name,vmware,vsys1,Inside,Inside,ethernet1/4,tunnel.1,LOG-Default,2015/01/05 12:51:33,46821,1,61199,902,0,0,0x4019,udp,allow,108,108,0,1,2015/01/05 12:51:03,0,any,0,265102739,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,1,0 +<14>Jan 5 12:51:34 PAN1 1,2015/01/05 12:51:33,0003C105690,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.147,4.2.2.2,192.168.100.11,4.2.2.2,Guest_to_Internet,,,dns,vsys1,GuestAccess,untrust,vlan.84,vlan.200,LOG-Default,2015/01/05 12:51:33,188024,1,57269,53,59952,53,0x400019,udp,allow,194,73,121,2,2015/01/05 12:50:49,0,any,0,956329037,0x0,10.0.0.0-10.255.255.255,US,0,1,1 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 
12:51:33,10.0.0.11,172.13.0.110,0.0.0.0,0.0.0.0,EX-Allow,,,dns,vsys1,v_internal,v_external,ethernet1/1,ethernet1/2,LOG-Default,2015/01/05 12:51:33,51569,1,60390,53,0,0,0x4019,udp,allow,815,96,719,2,2015/01/05 12:51:02,30,any,0,17754932369,0x0,10.0.0.0-10.255.255.255,US,0,1,1 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.11,10.1.0.81,0.0.0.0,0.0.0.0,EX-Allow,,,ping,vsys1,v_dmz-internal,v_dmz-external,ethernet1/4,ethernet1/3,LOG-Default,2015/01/05 12:51:33,185459,1,0,0,0,0,0x4019,icmp,allow,120,60,60,2,2015/01/05 12:51:29,0,any,0,17754932372,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,1,1 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.11,10.1.0.44,0.0.0.0,0.0.0.0,EX-Allow,,,ping,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,84730,1,0,0,0,0,0x4019,icmp,allow,120,60,60,2,2015/01/05 12:51:29,0,any,0,17754932379,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,1,1 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0006C110285,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.73,10.1.0.12,0.0.0.0,0.0.0.0,EX-Allow,,,dns,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,12561,1,57334,53,0,0,0x4019,udp,allow,206,95,111,2,2015/01/05 12:51:03,0,any,0,803406326,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,1,1 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0006C110285,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.35,10.3.0.65,0.0.0.0,0.0.0.0,EX-Allow,,,web-browsing,vsys1,external,internal,ethernet1/1,ethernet1/2,LOG-Default,2015/01/05 12:51:33,3286,1,57095,80,0,0,0x401c,tcp,allow,3506,899,2607,12,2015/01/05 12:51:03,0,private-ip-addresses,0,803406334,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,7,5 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0006C110285,TRAFFIC,end,1,2015/01/05 
12:51:33,10.0.0.35,10.3.0.65,0.0.0.0,0.0.0.0,EX-Allow,,,web-browsing,vsys1,external,internal,ethernet1/1,ethernet1/2,LOG-Default,2015/01/05 12:51:33,42426,1,57096,80,0,0,0x401c,tcp,allow,3386,1390,1996,12,2015/01/05 12:51:03,0,private-ip-addresses,0,803406335,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,7,5 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0006C110285,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.35,10.3.0.65,0.0.0.0,0.0.0.0,EX-Allow,,,web-browsing,vsys1,external,internal,ethernet1/1,ethernet1/2,LOG-Default,2015/01/05 12:51:33,15733,1,57130,80,0,0,0x401c,tcp,allow,1661,926,735,12,2015/01/05 12:51:03,0,private-ip-addresses,0,803406337,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,7,5 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.11,10.1.0.60,0.0.0.0,0.0.0.0,EX-Allow,,,ping,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,239420,1,0,0,0,0,0x4019,icmp,allow,120,60,60,2,2015/01/05 12:51:29,0,any,0,17754932383,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,1,1 +<14>Jan 5 04:51:34 PAN1.exampleCustomer.com 1,2015/01/05 04:51:33,009401009421,TRAFFIC,end,1,2015/01/05 04:51:33,10.0.0.67,63.0.0.78,68.1.100.154,63.0.0.78,EX-Allow,,,web-browsing,vsys1,internal,external,ethernet1/1,ethernet1/2,LOG-Default,2015/01/05 04:51:33,13687,1,53152,80,64294,80,0x40001c,tcp,allow,1039,576,463,12,2015/01/05 04:51:03,1,search-engines,0,8195211,0x0,10.0.0.0-10.255.255.255,US,0,6,6 +<14>Jan 5 04:51:34 PAN1.exampleCustomer.com 1,2015/01/05 04:51:33,009401009421,TRAFFIC,end,1,2015/01/05 04:51:33,10.0.0.67,77.0.0.59,68.1.100.154,77.0.0.59,EX-Allow,,,web-browsing,vsys1,internal,external,ethernet1/1,ethernet1/2,LOG-Default,2015/01/05 04:51:33,36193,1,53155,80,48756,80,0x40001c,tcp,allow,946,540,406,10,2015/01/05 04:51:04,0,computer-and-internet-security,0,8195212,0x0,10.0.0.0-10.255.255.255,CZ,0,5,5 +<14>Jan 5 04:51:34 
PAN1.exampleCustomer.com 1,2015/01/05 04:51:33,009401009421,TRAFFIC,end,1,2015/01/05 04:51:33,10.0.0.67,63.0.0.78,68.1.100.154,63.0.0.78,EX-Allow,,,web-browsing,vsys1,internal,external,ethernet1/1,ethernet1/2,LOG-Default,2015/01/05 04:51:33,8727,1,53154,80,6852,80,0x40001c,tcp,allow,1039,576,463,12,2015/01/05 04:51:04,0,search-engines,0,8195213,0x0,10.0.0.0-10.255.255.255,US,0,6,6 +<14>Jan 5 04:51:34 PAN1.exampleCustomer.com 1,2015/01/05 04:51:33,009401009421,TRAFFIC,end,1,2015/01/05 04:51:33,10.0.0.67,77.0.0.59,68.1.100.154,77.0.0.59,EX-Allow,,,web-browsing,vsys1,internal,external,ethernet1/1,ethernet1/2,LOG-Default,2015/01/05 04:51:33,16955,1,53153,80,19440,80,0x40001c,tcp,allow,946,540,406,10,2015/01/05 04:51:03,1,computer-and-internet-security,0,8195216,0x0,10.0.0.0-10.255.255.255,CZ,0,5,5 +<14>Jan 5 04:51:34 PAN1.exampleCustomer.com 1,2015/01/05 04:51:33,009401009421,TRAFFIC,end,1,2015/01/05 04:51:33,10.0.0.101,23.200,10,217,68.0.0.154,23.200,10,217,EX-WebControlRestrict,,,itunes-base,vsys1,internal,external,ethernet1/1,ethernet1/2,LOG-Default,2015/01/05 04:51:33,14851,1,55137,443,29553,443,0x400019,tcp,allow,654,580,74,7,2015/01/05 04:50:34,0,shopping,0,8195217,0x0,10.0.0.0-10.255.255.255,US,0,6,1 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:34,0006C113555,TRAFFIC,end,1,2015/01/05 12:51:34,10.0.0.46,172.13.0.2,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,incomplete,vsys1,Inside,Inside,ethernet1/4,tunnel.1,LOG-Default,2015/01/05 12:51:34,57850,1,65286,139,0,0,0x4019,tcp,allow,62,62,0,1,2015/01/05 12:51:29,0,any,0,265102746,0x0,10.0.0.0-10.255.255.255,192.168.0.0-192.168.255.255,0,1,0 +<14>Jan 5 12:51:34 PAN1 1,2015/01/05 12:51:34,0003C105690,TRAFFIC,end,1,2015/01/05 12:51:34,216.0.10.194,192.168.100.11,0.0.0.0,0.0.0.0,Internet to Internet,,,insufficient-data,vsys1,untrust,untrust,vlan.200,vlan.200,LOG-Default,2015/01/05 12:51:34,259007,1,80,11347,0,0,0xc,udp,allow,90,90,0,1,2015/01/05 12:50:25,0,any,0,956329050,0x0,US,US,0,1,0 +<14>Jan 5 
12:51:34 PAN1 1,2015/01/05 12:51:34,0003C105690,TRAFFIC,end,1,2015/01/05 12:51:34,10.0.0.147,4.2.2.2,192.168.100.11,4.2.2.2,Guest_to_Internet,,,dns,vsys1,GuestAccess,untrust,vlan.84,vlan.200,LOG-Default,2015/01/05 12:51:34,13024,1,56694,53,51398,53,0x400019,udp,allow,222,82,140,2,2015/01/05 12:50:49,0,any,0,956329055,0x0,10.0.0.0-10.255.255.255,US,0,1,1 +<14>Jan 5 12:51:34 PAN1 1,2015/01/05 12:51:34,0003C105690,TRAFFIC,end,1,2015/01/05 12:51:34,10.0.0.147,4.2.2.2,192.168.100.11,4.2.2.2,Guest_to_Internet,,,dns,vsys1,GuestAccess,untrust,vlan.84,vlan.200,LOG-Default,2015/01/05 12:51:34,62999,1,58277,53,5576,53,0x400019,udp,allow,328,96,232,2,2015/01/05 12:50:49,0,any,0,956329056,0x0,10.0.0.0-10.255.255.255,US,0,1,1 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:34,001606007155,TRAFFIC,end,1,2015/01/05 12:51:34,10.0.0.156,96.0.0.138,172.13.0.35,96.0.0.138,EX-Allow,example\user.name,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:34,61348,1,65231,80,48623,80,0x40401a,tcp,allow,50316,4297,46019,67,2015/01/05 12:51:03,1,travel,0,179851307,0x0,10.0.0.0-10.255.255.255,US,0,28,39 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:34,001606007155,TRAFFIC,end,1,2015/01/05 12:51:34,10.0.0.148,96.0.0.35,172.13.0.35,96.0.0.35,EX-Allow,example\user.name,,symantec-av-update,vsys1,trust,untrust,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:34,61220,1,60900,80,12964,80,0x40401a,tcp,allow,39350,3087,36263,56,2015/01/05 12:50:07,57,computer-and-internet-security,0,179851311,0x0,10.0.0.0-10.255.255.255,US,0,23,33 +<14>Jan 5 12:51:34 PAN1 1,2015/01/05 12:51:34,009401003136,TRAFFIC,end,1,2015/01/05 12:51:34,10.0.0.138,213.0.10.101,172.13.0.142,213.0.10.101,Outbound,,,ssl,vsys1,internal,external,ethernet1/4,ethernet1/1,LOG-Default,2015/01/05 12:51:34,62600,1,55014,443,22537,443,0x40001c,tcp,allow,2956,1853,1103,20,2015/01/05 12:51:04,0,travel,0,54644537,0x0,10.0.0.0-10.255.255.255,CH,0,9,11 +<14>Jan 5 12:51:34 PAN1 
1,2015/01/05 12:51:34,009401003136,TRAFFIC,end,1,2015/01/05 12:51:34,10.0.0.138,213.0.10.101,172.13.0.142,213.0.10.101,Outbound,,,ssl,vsys1,internal,external,ethernet1/4,ethernet1/1,LOG-Default,2015/01/05 12:51:34,45328,1,55025,443,48646,443,0x40001c,tcp,allow,2828,1845,983,18,2015/01/05 12:51:04,0,travel,0,54644544,0x0,10.0.0.0-10.255.255.255,CH,0,9,9 +<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:34,0004C103634,TRAFFIC,end,1,2015/01/05 12:51:34,10.0.0.165,93.0.0.200,0.0.0.0,0.0.0.0,EX-Allow,example\user.name,,ssl,vsys1,v_internal,v_external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:34,15787,1,53105,443,0,0,0x4053,tcp,allow,10222,1275,8947,22,2015/01/05 12:48:03,181,business-and-economy,0,307579464,0x0,10.0.0.0-10.255.255.255,EU,0,10,12 +<14>Jan 5 12:51:35 PAN1 1,2015/01/05 12:51:34,0003C105690,TRAFFIC,end,1,2015/01/05 12:51:34,10.0.0.11,10.3.0.26,0.0.0.0,0.0.0.0,ICMP DMZ to In,,,ping,vsys1,F5_DMZ_WAN,trust,vlan.81,vlan.399,LOG-Default,2015/01/05 12:51:34,33876,1,0,0,0,0,0x19,icmp,allow,128,64,64,2,2015/01/05 12:51:20,0,any,0,956329058,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,1,1 +<14>Jan 5 12:51:35 PAN1.exampleCustomer.com 1,2015/01/05 12:51:34,0006C113555,TRAFFIC,end,1,2015/01/05 12:51:34,10.0.0.53,8.8.8.8,172.13.0.238,8.8.8.8,Guest WiFi to Internet,,,dns,vsys1,Guest WiFi,Ext_Internet,ethernet1/3.109,ethernet1/2,LOG-Default,2015/01/05 12:51:34,53079,1,59288,53,31746,53,0x404019,udp,allow,194,91,103,2,2015/01/05 12:51:04,0,any,0,265102750,0x0,10.0.0.0-10.255.255.255,US,0,1,1 +<14>Jan 5 12:51:35 PAN1.exampleCustomer.com 1,2015/01/05 12:51:34,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:34,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:34,141372,1,54279,40004,0,0,0x401c,tcp,allow,3783,1697,2086,25,2015/01/05 12:51:03,30,any,0,17754932394,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,10,15 
diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/TopologyConfigs_old/lancope.conf b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/TopologyConfigs_old/lancope.conf
index dde089fa1f..c0487d233e 100644
--- a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/TopologyConfigs_old/lancope.conf
+++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/TopologyConfigs_old/lancope.conf
@@ -30,8 +30,8 @@ bolt.alerts.cluster=preprod
 #Host Enrichment
 bolt.enrichment.host.num.tasks=1
 bolt.enrichment.host.parallelism.hint=1
-bolt.enrichment.host.MAX_CACHE_SIZE=10000
-bolt.enrichment.host.MAX_TIME_RETAIN=10
+bolt.enrichment.host.MAX_CACHE_SIZE_OBJECTS_NUM=10000
+bolt.enrichment.host.MAX_TIME_RETAIN_MINUTES=10
 bolt.enrichment.host.enrichment_tag=host
 bolt.enrichment.host.source_ip=ip_src_addr
 bolt.enrichment.host.resp_ip=ip_dst_addr
@@ -43,16 +43,16 @@ bolt.enrichment.geo.enrichment_tag=geo
 bolt.enrichment.geo.source_ip=ip_src_addr
 bolt.enrichment.geo.resp_ip=ip_dst_addr
 bolt.enrichment.geo.adapter.table=GEO
-bolt.enrichment.geo.MAX_CACHE_SIZE=10000
-bolt.enrichment.geo.MAX_TIME_RETAIN=10
+bolt.enrichment.geo.MAX_CACHE_SIZE_OBJECTS_NUM=10000
+bolt.enrichment.geo.MAX_TIME_RETAIN_MINUTES=10
 #WhoisEnrichment
 bolt.enrichment.whois.num.tasks=1
 bolt.enrichment.whois.parallelism.hint=1
 bolt.enrichment.whois.whois_enrichment_tag=whois_enrichment
 bolt.enrichment.whois.source=host\":\"(.*?)\"
-bolt.enrichment.whois.MAX_CACHE_SIZE=10000
-bolt.enrichment.whois.MAX_TIME_RETAIN=10
+bolt.enrichment.whois.MAX_CACHE_SIZE_OBJECTS_NUM=10000
+bolt.enrichment.whois.MAX_TIME_RETAIN_MINUTES=10
 #CIF Enrichment
 bolt.enrichment.cif.tablename=cif_table
@@ -62,8 +62,8 @@ bolt.enrichment.cif.source_ip=id.orig_h
 bolt.enrichment.cif.resp_ip=id.resp_h
 bolt.enrichment.cif.host=host
 bolt.enrichment.cif.email=email
-bolt.enrichment.cif.MAX_CACHE_SIZE=10000
-bolt.enrichment.cif.MAX_TIME_RETAIN=10
+bolt.enrichment.cif.MAX_CACHE_SIZE_OBJECTS_NUM=10000
+bolt.enrichment.cif.MAX_TIME_RETAIN_MINUTES=10
 #Indexing Bolt
diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/effective_tld_names.dat b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/effective_tld_names.dat
new file mode 100644
index 0000000000..36e5d4c1c8
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/effective_tld_names.dat
@@ -0,0 +1,9719 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// ===BEGIN ICANN DOMAINS=== + +// ac : http://en.wikipedia.org/wiki/.ac +ac +com.ac +edu.ac +gov.ac +net.ac +mil.ac +org.ac + +// ad : http://en.wikipedia.org/wiki/.ad +ad +nom.ad + +// ae : http://en.wikipedia.org/wiki/.ae +// see also: "Domain Name Eligibility Policy" at http://www.aeda.ae/eng/aepolicy.php +ae +co.ae +net.ae +org.ae +sch.ae +ac.ae +gov.ae +mil.ae + +// aero : see http://www.information.aero/index.php?id=66 +aero +accident-investigation.aero +accident-prevention.aero +aerobatic.aero +aeroclub.aero +aerodrome.aero +agents.aero +aircraft.aero +airline.aero +airport.aero +air-surveillance.aero +airtraffic.aero +air-traffic-control.aero +ambulance.aero +amusement.aero +association.aero +author.aero +ballooning.aero +broker.aero +caa.aero +cargo.aero +catering.aero +certification.aero +championship.aero +charter.aero +civilaviation.aero +club.aero +conference.aero +consultant.aero +consulting.aero +control.aero +council.aero +crew.aero +design.aero +dgca.aero +educator.aero +emergency.aero +engine.aero +engineer.aero +entertainment.aero +equipment.aero +exchange.aero +express.aero +federation.aero +flight.aero +freight.aero +fuel.aero +gliding.aero +government.aero +groundhandling.aero +group.aero +hanggliding.aero +homebuilt.aero +insurance.aero +journal.aero +journalist.aero +leasing.aero +logistics.aero +magazine.aero +maintenance.aero +marketplace.aero +media.aero +microlight.aero +modelling.aero +navigation.aero +parachuting.aero +paragliding.aero +passenger-association.aero +pilot.aero +press.aero +production.aero +recreation.aero +repbody.aero +res.aero +research.aero +rotorcraft.aero +safety.aero +scientist.aero +services.aero +show.aero +skydiving.aero +software.aero +student.aero +taxi.aero +trader.aero +trading.aero 
+trainer.aero +union.aero +workinggroup.aero +works.aero + +// af : http://www.nic.af/help.jsp +af +gov.af +com.af +org.af +net.af +edu.af + +// ag : http://www.nic.ag/prices.htm +ag +com.ag +org.ag +net.ag +co.ag +nom.ag + +// ai : http://nic.com.ai/ +ai +off.ai +com.ai +net.ai +org.ai + +// al : http://www.ert.gov.al/ert_alb/faq_det.html?Id=31 +al +com.al +edu.al +gov.al +mil.al +net.al +org.al + +// am : http://en.wikipedia.org/wiki/.am +am + +// an : http://www.una.an/an_domreg/default.asp +an +com.an +net.an +org.an +edu.an + +// ao : http://en.wikipedia.org/wiki/.ao +// http://www.dns.ao/REGISTR.DOC +ao +ed.ao +gv.ao +og.ao +co.ao +pb.ao +it.ao + +// aq : http://en.wikipedia.org/wiki/.aq +aq + +// ar : https://nic.ar/normativa-vigente.xhtml +ar +com.ar +edu.ar +gob.ar +gov.ar +int.ar +mil.ar +net.ar +org.ar +tur.ar + +// arpa : http://en.wikipedia.org/wiki/.arpa +// Confirmed by registry 2008-06-18 +arpa +e164.arpa +in-addr.arpa +ip6.arpa +iris.arpa +uri.arpa +urn.arpa + +// as : http://en.wikipedia.org/wiki/.as +as +gov.as + +// asia : http://en.wikipedia.org/wiki/.asia +asia + +// at : http://en.wikipedia.org/wiki/.at +// Confirmed by registry 2008-06-17 +at +ac.at +co.at +gv.at +or.at + +// au : http://en.wikipedia.org/wiki/.au +// http://www.auda.org.au/ +au +// 2LDs +com.au +net.au +org.au +edu.au +gov.au +asn.au +id.au +// Historic 2LDs (closed to new registration, but sites still exist) +info.au +conf.au +oz.au +// CGDNs - http://www.cgdn.org.au/ +act.au +nsw.au +nt.au +qld.au +sa.au +tas.au +vic.au +wa.au +// 3LDs +act.edu.au +nsw.edu.au +nt.edu.au +qld.edu.au +sa.edu.au +tas.edu.au +vic.edu.au +wa.edu.au +// act.gov.au Bug 984824 - Removed at request of Greg Tankard +// nsw.gov.au Bug 547985 - Removed at request of +// nt.gov.au Bug 940478 - Removed at request of Greg Connors +qld.gov.au +sa.gov.au +tas.gov.au +vic.gov.au +wa.gov.au + +// aw : http://en.wikipedia.org/wiki/.aw +aw +com.aw + +// ax : http://en.wikipedia.org/wiki/.ax +ax + +// az : 
http://en.wikipedia.org/wiki/.az +az +com.az +net.az +int.az +gov.az +org.az +edu.az +info.az +pp.az +mil.az +name.az +pro.az +biz.az + +// ba : http://en.wikipedia.org/wiki/.ba +ba +org.ba +net.ba +edu.ba +gov.ba +mil.ba +unsa.ba +unbi.ba +co.ba +com.ba +rs.ba + +// bb : http://en.wikipedia.org/wiki/.bb +bb +biz.bb +co.bb +com.bb +edu.bb +gov.bb +info.bb +net.bb +org.bb +store.bb +tv.bb + +// bd : http://en.wikipedia.org/wiki/.bd +*.bd + +// be : http://en.wikipedia.org/wiki/.be +// Confirmed by registry 2008-06-08 +be +ac.be + +// bf : http://en.wikipedia.org/wiki/.bf +bf +gov.bf + +// bg : http://en.wikipedia.org/wiki/.bg +// https://www.register.bg/user/static/rules/en/index.html +bg +a.bg +b.bg +c.bg +d.bg +e.bg +f.bg +g.bg +h.bg +i.bg +j.bg +k.bg +l.bg +m.bg +n.bg +o.bg +p.bg +q.bg +r.bg +s.bg +t.bg +u.bg +v.bg +w.bg +x.bg +y.bg +z.bg +0.bg +1.bg +2.bg +3.bg +4.bg +5.bg +6.bg +7.bg +8.bg +9.bg + +// bh : http://en.wikipedia.org/wiki/.bh +bh +com.bh +edu.bh +net.bh +org.bh +gov.bh + +// bi : http://en.wikipedia.org/wiki/.bi +// http://whois.nic.bi/ +bi +co.bi +com.bi +edu.bi +or.bi +org.bi + +// biz : http://en.wikipedia.org/wiki/.biz +biz + +// bj : http://en.wikipedia.org/wiki/.bj +bj +asso.bj +barreau.bj +gouv.bj + +// bm : http://www.bermudanic.bm/dnr-text.txt +bm +com.bm +edu.bm +gov.bm +net.bm +org.bm + +// bn : http://en.wikipedia.org/wiki/.bn +*.bn + +// bo : http://www.nic.bo/ +bo +com.bo +edu.bo +gov.bo +gob.bo +int.bo +org.bo +net.bo +mil.bo +tv.bo + +// br : http://registro.br/dominio/categoria.html +// Submitted by registry 2014-08-11 +br +adm.br +adv.br +agr.br +am.br +arq.br +art.br +ato.br +b.br +bio.br +blog.br +bmd.br +cim.br +cng.br +cnt.br +com.br +coop.br +ecn.br +eco.br +edu.br +emp.br +eng.br +esp.br +etc.br +eti.br +far.br +flog.br +fm.br +fnd.br +fot.br +fst.br +g12.br +ggf.br +gov.br +imb.br +ind.br +inf.br +jor.br +jus.br +leg.br +lel.br +mat.br +med.br +mil.br +mp.br +mus.br +net.br +*.nom.br +not.br +ntr.br +odo.br +org.br +ppg.br 
+pro.br +psc.br +psi.br +qsl.br +radio.br +rec.br +slg.br +srv.br +taxi.br +teo.br +tmp.br +trd.br +tur.br +tv.br +vet.br +vlog.br +wiki.br +zlg.br + +// bs : http://www.nic.bs/rules.html +bs +com.bs +net.bs +org.bs +edu.bs +gov.bs + +// bt : http://en.wikipedia.org/wiki/.bt +bt +com.bt +edu.bt +gov.bt +net.bt +org.bt + +// bv : No registrations at this time. +// Submitted by registry 2006-06-16 +bv + +// bw : http://en.wikipedia.org/wiki/.bw +// http://www.gobin.info/domainname/bw.doc +// list of other 2nd level tlds ? +bw +co.bw +org.bw + +// by : http://en.wikipedia.org/wiki/.by +// http://tld.by/rules_2006_en.html +// list of other 2nd level tlds ? +by +gov.by +mil.by +// Official information does not indicate that com.by is a reserved +// second-level domain, but it's being used as one (see www.google.com.by and +// www.yahoo.com.by, for example), so we list it here for safety's sake. +com.by + +// http://hoster.by/ +of.by + +// bz : http://en.wikipedia.org/wiki/.bz +// http://www.belizenic.bz/ +bz +com.bz +net.bz +org.bz +edu.bz +gov.bz + +// ca : http://en.wikipedia.org/wiki/.ca +ca +// ca geographical names +ab.ca +bc.ca +mb.ca +nb.ca +nf.ca +nl.ca +ns.ca +nt.ca +nu.ca +on.ca +pe.ca +qc.ca +sk.ca +yk.ca +// gc.ca: http://en.wikipedia.org/wiki/.gc.ca +// see also: http://registry.gc.ca/en/SubdomainFAQ +gc.ca + +// cat : http://en.wikipedia.org/wiki/.cat +cat + +// cc : http://en.wikipedia.org/wiki/.cc +cc + +// cd : http://en.wikipedia.org/wiki/.cd +// see also: https://www.nic.cd/domain/insertDomain_2.jsp?act=1 +cd +gov.cd + +// cf : http://en.wikipedia.org/wiki/.cf +cf + +// cg : http://en.wikipedia.org/wiki/.cg +cg + +// ch : http://en.wikipedia.org/wiki/.ch +ch + +// ci : http://en.wikipedia.org/wiki/.ci +// http://www.nic.ci/index.php?page=charte +ci +org.ci +or.ci +com.ci +co.ci +edu.ci +ed.ci +ac.ci +net.ci +go.ci +asso.ci +aéroport.ci +int.ci +presse.ci +md.ci +gouv.ci + +// ck : http://en.wikipedia.org/wiki/.ck +*.ck +!www.ck + +// cl : 
http://en.wikipedia.org/wiki/.cl +cl +gov.cl +gob.cl +co.cl +mil.cl + +// cm : http://en.wikipedia.org/wiki/.cm plus bug 981927 +cm +co.cm +com.cm +gov.cm +net.cm + +// cn : http://en.wikipedia.org/wiki/.cn +// Submitted by registry 2008-06-11 +cn +ac.cn +com.cn +edu.cn +gov.cn +net.cn +org.cn +mil.cn +公司.cn +网络.cn +網絡.cn +// cn geographic names +ah.cn +bj.cn +cq.cn +fj.cn +gd.cn +gs.cn +gz.cn +gx.cn +ha.cn +hb.cn +he.cn +hi.cn +hl.cn +hn.cn +jl.cn +js.cn +jx.cn +ln.cn +nm.cn +nx.cn +qh.cn +sc.cn +sd.cn +sh.cn +sn.cn +sx.cn +tj.cn +xj.cn +xz.cn +yn.cn +zj.cn +hk.cn +mo.cn +tw.cn + +// co : http://en.wikipedia.org/wiki/.co +// Submitted by registry 2008-06-11 +co +arts.co +com.co +edu.co +firm.co +gov.co +info.co +int.co +mil.co +net.co +nom.co +org.co +rec.co +web.co + +// com : http://en.wikipedia.org/wiki/.com +com + +// coop : http://en.wikipedia.org/wiki/.coop +coop + +// cr : http://www.nic.cr/niccr_publico/showRegistroDominiosScreen.do +cr +ac.cr +co.cr +ed.cr +fi.cr +go.cr +or.cr +sa.cr + +// cu : http://en.wikipedia.org/wiki/.cu +cu +com.cu +edu.cu +org.cu +net.cu +gov.cu +inf.cu + +// cv : http://en.wikipedia.org/wiki/.cv +cv + +// cw : http://www.una.cw/cw_registry/ +// Confirmed by registry 2013-03-26 +cw +com.cw +edu.cw +net.cw +org.cw + +// cx : http://en.wikipedia.org/wiki/.cx +// list of other 2nd level tlds ? 
+cx +gov.cx + +// cy : http://en.wikipedia.org/wiki/.cy +*.cy + +// cz : http://en.wikipedia.org/wiki/.cz +cz + +// de : http://en.wikipedia.org/wiki/.de +// Confirmed by registry (with technical +// reservations) 2008-07-01 +de + +// dj : http://en.wikipedia.org/wiki/.dj +dj + +// dk : http://en.wikipedia.org/wiki/.dk +// Confirmed by registry 2008-06-17 +dk + +// dm : http://en.wikipedia.org/wiki/.dm +dm +com.dm +net.dm +org.dm +edu.dm +gov.dm + +// do : http://en.wikipedia.org/wiki/.do +do +art.do +com.do +edu.do +gob.do +gov.do +mil.do +net.do +org.do +sld.do +web.do + +// dz : http://en.wikipedia.org/wiki/.dz +dz +com.dz +org.dz +net.dz +gov.dz +edu.dz +asso.dz +pol.dz +art.dz + +// ec : http://www.nic.ec/reg/paso1.asp +// Submitted by registry 2008-07-04 +ec +com.ec +info.ec +net.ec +fin.ec +k12.ec +med.ec +pro.ec +org.ec +edu.ec +gov.ec +gob.ec +mil.ec + +// edu : http://en.wikipedia.org/wiki/.edu +edu + +// ee : http://www.eenet.ee/EENet/dom_reeglid.html#lisa_B +ee +edu.ee +gov.ee +riik.ee +lib.ee +med.ee +com.ee +pri.ee +aip.ee +org.ee +fie.ee + +// eg : http://en.wikipedia.org/wiki/.eg +eg +com.eg +edu.eg +eun.eg +gov.eg +mil.eg +name.eg +net.eg +org.eg +sci.eg + +// er : http://en.wikipedia.org/wiki/.er +*.er + +// es : https://www.nic.es/site_ingles/ingles/dominios/index.html +es +com.es +nom.es +org.es +gob.es +edu.es + +// et : http://en.wikipedia.org/wiki/.et +et +com.et +gov.et +org.et +edu.et +biz.et +name.et +info.et + +// eu : http://en.wikipedia.org/wiki/.eu +eu + +// fi : http://en.wikipedia.org/wiki/.fi +fi +// aland.fi : http://en.wikipedia.org/wiki/.ax +// This domain is being phased out in favor of .ax. As there are still many +// domains under aland.fi, we still keep it on the list until aland.fi is +// completely removed. 
+// TODO: Check for updates (expected to be phased out around Q1/2009) +aland.fi + +// fj : http://en.wikipedia.org/wiki/.fj +*.fj + +// fk : http://en.wikipedia.org/wiki/.fk +*.fk + +// fm : http://en.wikipedia.org/wiki/.fm +fm + +// fo : http://en.wikipedia.org/wiki/.fo +fo + +// fr : http://www.afnic.fr/ +// domaines descriptifs : http://www.afnic.fr/obtenir/chartes/nommage-fr/annexe-descriptifs +fr +com.fr +asso.fr +nom.fr +prd.fr +presse.fr +tm.fr +// domaines sectoriels : http://www.afnic.fr/obtenir/chartes/nommage-fr/annexe-sectoriels +aeroport.fr +assedic.fr +avocat.fr +avoues.fr +cci.fr +chambagri.fr +chirurgiens-dentistes.fr +experts-comptables.fr +geometre-expert.fr +gouv.fr +greta.fr +huissier-justice.fr +medecin.fr +notaires.fr +pharmacien.fr +port.fr +veterinaire.fr + +// ga : http://en.wikipedia.org/wiki/.ga +ga + +// gb : This registry is effectively dormant +// Submitted by registry 2008-06-12 +gb + +// gd : http://en.wikipedia.org/wiki/.gd +gd + +// ge : http://www.nic.net.ge/policy_en.pdf +ge +com.ge +edu.ge +gov.ge +org.ge +mil.ge +net.ge +pvt.ge + +// gf : http://en.wikipedia.org/wiki/.gf +gf + +// gg : http://www.channelisles.net/register-domains/ +// Confirmed by registry 2013-11-28 +gg +co.gg +net.gg +org.gg + +// gh : http://en.wikipedia.org/wiki/.gh +// see also: http://www.nic.gh/reg_now.php +// Although domains directly at second level are not possible at the moment, +// they have been possible for some time and may come back. 
+gh +com.gh +edu.gh +gov.gh +org.gh +mil.gh + +// gi : http://www.nic.gi/rules.html +gi +com.gi +ltd.gi +gov.gi +mod.gi +edu.gi +org.gi + +// gl : http://en.wikipedia.org/wiki/.gl +// http://nic.gl +gl + +// gm : http://www.nic.gm/htmlpages%5Cgm-policy.htm +gm + +// gn : http://psg.com/dns/gn/gn.txt +// Submitted by registry 2008-06-17 +gn +ac.gn +com.gn +edu.gn +gov.gn +org.gn +net.gn + +// gov : http://en.wikipedia.org/wiki/.gov +gov + +// gp : http://www.nic.gp/index.php?lang=en +gp +com.gp +net.gp +mobi.gp +edu.gp +org.gp +asso.gp + +// gq : http://en.wikipedia.org/wiki/.gq +gq + +// gr : https://grweb.ics.forth.gr/english/1617-B-2005.html +// Submitted by registry 2008-06-09 +gr +com.gr +edu.gr +net.gr +org.gr +gov.gr + +// gs : http://en.wikipedia.org/wiki/.gs +gs + +// gt : http://www.gt/politicas_de_registro.html +gt +com.gt +edu.gt +gob.gt +ind.gt +mil.gt +net.gt +org.gt + +// gu : http://gadao.gov.gu/registration.txt +*.gu + +// gw : http://en.wikipedia.org/wiki/.gw +gw + +// gy : http://en.wikipedia.org/wiki/.gy +// http://registry.gy/ +gy +co.gy +com.gy +net.gy + +// hk : https://www.hkdnr.hk +// Submitted by registry 2008-06-11 +hk +com.hk +edu.hk +gov.hk +idv.hk +net.hk +org.hk +公司.hk +教育.hk +敎育.hk +政府.hk +個人.hk +个人.hk +箇人.hk +網络.hk +网络.hk +组織.hk +網絡.hk +网絡.hk +组织.hk +組織.hk +組织.hk + +// hm : http://en.wikipedia.org/wiki/.hm +hm + +// hn : http://www.nic.hn/politicas/ps02,,05.html +hn +com.hn +edu.hn +org.hn +net.hn +mil.hn +gob.hn + +// hr : http://www.dns.hr/documents/pdf/HRTLD-regulations.pdf +hr +iz.hr +from.hr +name.hr +com.hr + +// ht : http://www.nic.ht/info/charte.cfm +ht +com.ht +shop.ht +firm.ht +info.ht +adult.ht +net.ht +pro.ht +org.ht +med.ht +art.ht +coop.ht +pol.ht +asso.ht +edu.ht +rel.ht +gouv.ht +perso.ht + +// hu : http://www.domain.hu/domain/English/sld.html +// Confirmed by registry 2008-06-12 +hu +co.hu +info.hu +org.hu +priv.hu +sport.hu +tm.hu +2000.hu +agrar.hu +bolt.hu +casino.hu +city.hu +erotica.hu +erotika.hu +film.hu 
+forum.hu +games.hu +hotel.hu +ingatlan.hu +jogasz.hu +konyvelo.hu +lakas.hu +media.hu +news.hu +reklam.hu +sex.hu +shop.hu +suli.hu +szex.hu +tozsde.hu +utazas.hu +video.hu + +// id : https://register.pandi.or.id/ +id +ac.id +biz.id +co.id +desa.id +go.id +mil.id +my.id +net.id +or.id +sch.id +web.id + +// ie : http://en.wikipedia.org/wiki/.ie +ie +gov.ie + +// il : http://en.wikipedia.org/wiki/.il +*.il + +// im : https://www.nic.im/ +// Submitted by registry 2013-11-15 +im +ac.im +co.im +com.im +ltd.co.im +net.im +org.im +plc.co.im +tt.im +tv.im + +// in : http://en.wikipedia.org/wiki/.in +// see also: https://registry.in/Policies +// Please note, that nic.in is not an offical eTLD, but used by most +// government institutions. +in +co.in +firm.in +net.in +org.in +gen.in +ind.in +nic.in +ac.in +edu.in +res.in +gov.in +mil.in + +// info : http://en.wikipedia.org/wiki/.info +info + +// int : http://en.wikipedia.org/wiki/.int +// Confirmed by registry 2008-06-18 +int +eu.int + +// io : http://www.nic.io/rules.html +// list of other 2nd level tlds ? 
+io +com.io + +// iq : http://www.cmc.iq/english/iq/iqregister1.htm +iq +gov.iq +edu.iq +mil.iq +com.iq +org.iq +net.iq + +// ir : http://www.nic.ir/Terms_and_Conditions_ir,_Appendix_1_Domain_Rules +// Also see http://www.nic.ir/Internationalized_Domain_Names +// Two .ir entries added at request of , 2010-04-16 +ir +ac.ir +co.ir +gov.ir +id.ir +net.ir +org.ir +sch.ir +// xn--mgba3a4f16a.ir (.ir, Persian YEH) +ایران.ir +// xn--mgba3a4fra.ir (.ir, Arabic YEH) +ايران.ir + +// is : http://www.isnic.is/domain/rules.php +// Confirmed by registry 2008-12-06 +is +net.is +com.is +edu.is +gov.is +org.is +int.is + +// it : http://en.wikipedia.org/wiki/.it +it +gov.it +edu.it +// Reserved geo-names: +// http://www.nic.it/documenti/regolamenti-e-linee-guida/regolamento-assegnazione-versione-6.0.pdf +// There is also a list of reserved geo-names corresponding to Italian municipalities +// http://www.nic.it/documenti/appendice-c.pdf, but it is not included here. +// Regions +abr.it +abruzzo.it +aosta-valley.it +aostavalley.it +bas.it +basilicata.it +cal.it +calabria.it +cam.it +campania.it +emilia-romagna.it +emiliaromagna.it +emr.it +friuli-v-giulia.it +friuli-ve-giulia.it +friuli-vegiulia.it +friuli-venezia-giulia.it +friuli-veneziagiulia.it +friuli-vgiulia.it +friuliv-giulia.it +friulive-giulia.it +friulivegiulia.it +friulivenezia-giulia.it +friuliveneziagiulia.it +friulivgiulia.it +fvg.it +laz.it +lazio.it +lig.it +liguria.it +lom.it +lombardia.it +lombardy.it +lucania.it +mar.it +marche.it +mol.it +molise.it +piedmont.it +piemonte.it +pmn.it +pug.it +puglia.it +sar.it +sardegna.it +sardinia.it +sic.it +sicilia.it +sicily.it +taa.it +tos.it +toscana.it +trentino-a-adige.it +trentino-aadige.it +trentino-alto-adige.it +trentino-altoadige.it +trentino-s-tirol.it +trentino-stirol.it +trentino-sud-tirol.it +trentino-sudtirol.it +trentino-sued-tirol.it +trentino-suedtirol.it +trentinoa-adige.it +trentinoaadige.it +trentinoalto-adige.it +trentinoaltoadige.it +trentinos-tirol.it 
+trentinostirol.it +trentinosud-tirol.it +trentinosudtirol.it +trentinosued-tirol.it +trentinosuedtirol.it +tuscany.it +umb.it +umbria.it +val-d-aosta.it +val-daosta.it +vald-aosta.it +valdaosta.it +valle-aosta.it +valle-d-aosta.it +valle-daosta.it +valleaosta.it +valled-aosta.it +valledaosta.it +vallee-aoste.it +valleeaoste.it +vao.it +vda.it +ven.it +veneto.it +// Provinces +ag.it +agrigento.it +al.it +alessandria.it +alto-adige.it +altoadige.it +an.it +ancona.it +andria-barletta-trani.it +andria-trani-barletta.it +andriabarlettatrani.it +andriatranibarletta.it +ao.it +aosta.it +aoste.it +ap.it +aq.it +aquila.it +ar.it +arezzo.it +ascoli-piceno.it +ascolipiceno.it +asti.it +at.it +av.it +avellino.it +ba.it +balsan.it +bari.it +barletta-trani-andria.it +barlettatraniandria.it +belluno.it +benevento.it +bergamo.it +bg.it +bi.it +biella.it +bl.it +bn.it +bo.it +bologna.it +bolzano.it +bozen.it +br.it +brescia.it +brindisi.it +bs.it +bt.it +bz.it +ca.it +cagliari.it +caltanissetta.it +campidano-medio.it +campidanomedio.it +campobasso.it +carbonia-iglesias.it +carboniaiglesias.it +carrara-massa.it +carraramassa.it +caserta.it +catania.it +catanzaro.it +cb.it +ce.it +cesena-forli.it +cesenaforli.it +ch.it +chieti.it +ci.it +cl.it +cn.it +co.it +como.it +cosenza.it +cr.it +cremona.it +crotone.it +cs.it +ct.it +cuneo.it +cz.it +dell-ogliastra.it +dellogliastra.it +en.it +enna.it +fc.it +fe.it +fermo.it +ferrara.it +fg.it +fi.it +firenze.it +florence.it +fm.it +foggia.it +forli-cesena.it +forlicesena.it +fr.it +frosinone.it +ge.it +genoa.it +genova.it +go.it +gorizia.it +gr.it +grosseto.it +iglesias-carbonia.it +iglesiascarbonia.it +im.it +imperia.it +is.it +isernia.it +kr.it +la-spezia.it +laquila.it +laspezia.it +latina.it +lc.it +le.it +lecce.it +lecco.it +li.it +livorno.it +lo.it +lodi.it +lt.it +lu.it +lucca.it +macerata.it +mantova.it +massa-carrara.it +massacarrara.it +matera.it +mb.it +mc.it +me.it +medio-campidano.it +mediocampidano.it +messina.it +mi.it 
+milan.it +milano.it +mn.it +mo.it +modena.it +monza-brianza.it +monza-e-della-brianza.it +monza.it +monzabrianza.it +monzaebrianza.it +monzaedellabrianza.it +ms.it +mt.it +na.it +naples.it +napoli.it +no.it +novara.it +nu.it +nuoro.it +og.it +ogliastra.it +olbia-tempio.it +olbiatempio.it +or.it +oristano.it +ot.it +pa.it +padova.it +padua.it +palermo.it +parma.it +pavia.it +pc.it +pd.it +pe.it +perugia.it +pesaro-urbino.it +pesarourbino.it +pescara.it +pg.it +pi.it +piacenza.it +pisa.it +pistoia.it +pn.it +po.it +pordenone.it +potenza.it +pr.it +prato.it +pt.it +pu.it +pv.it +pz.it +ra.it +ragusa.it +ravenna.it +rc.it +re.it +reggio-calabria.it +reggio-emilia.it +reggiocalabria.it +reggioemilia.it +rg.it +ri.it +rieti.it +rimini.it +rm.it +rn.it +ro.it +roma.it +rome.it +rovigo.it +sa.it +salerno.it +sassari.it +savona.it +si.it +siena.it +siracusa.it +so.it +sondrio.it +sp.it +sr.it +ss.it +suedtirol.it +sv.it +ta.it +taranto.it +te.it +tempio-olbia.it +tempioolbia.it +teramo.it +terni.it +tn.it +to.it +torino.it +tp.it +tr.it +trani-andria-barletta.it +trani-barletta-andria.it +traniandriabarletta.it +tranibarlettaandria.it +trapani.it +trentino.it +trento.it +treviso.it +trieste.it +ts.it +turin.it +tv.it +ud.it +udine.it +urbino-pesaro.it +urbinopesaro.it +va.it +varese.it +vb.it +vc.it +ve.it +venezia.it +venice.it +verbania.it +vercelli.it +verona.it +vi.it +vibo-valentia.it +vibovalentia.it +vicenza.it +viterbo.it +vr.it +vs.it +vt.it +vv.it + +// je : http://www.channelisles.net/register-domains/ +// Confirmed by registry 2013-11-28 +je +co.je +net.je +org.je + +// jm : http://www.com.jm/register.html +*.jm + +// jo : http://www.dns.jo/Registration_policy.aspx +jo +com.jo +org.jo +net.jo +edu.jo +sch.jo +gov.jo +mil.jo +name.jo + +// jobs : http://en.wikipedia.org/wiki/.jobs +jobs + +// jp : http://en.wikipedia.org/wiki/.jp +// http://jprs.co.jp/en/jpdomain.html +// Submitted by registry 2014-10-30 +jp +// jp organizational type names +ac.jp +ad.jp +co.jp 
+ed.jp +go.jp +gr.jp +lg.jp +ne.jp +or.jp +// jp prefecture type names +aichi.jp +akita.jp +aomori.jp +chiba.jp +ehime.jp +fukui.jp +fukuoka.jp +fukushima.jp +gifu.jp +gunma.jp +hiroshima.jp +hokkaido.jp +hyogo.jp +ibaraki.jp +ishikawa.jp +iwate.jp +kagawa.jp +kagoshima.jp +kanagawa.jp +kochi.jp +kumamoto.jp +kyoto.jp +mie.jp +miyagi.jp +miyazaki.jp +nagano.jp +nagasaki.jp +nara.jp +niigata.jp +oita.jp +okayama.jp +okinawa.jp +osaka.jp +saga.jp +saitama.jp +shiga.jp +shimane.jp +shizuoka.jp +tochigi.jp +tokushima.jp +tokyo.jp +tottori.jp +toyama.jp +wakayama.jp +yamagata.jp +yamaguchi.jp +yamanashi.jp +栃木.jp +愛知.jp +愛媛.jp +兵庫.jp +熊本.jp +茨城.jp +北海道.jp +千葉.jp +和歌山.jp +長崎.jp +長野.jp +新潟.jp +青森.jp +静岡.jp +東京.jp +石川.jp +埼玉.jp +三重.jp +京都.jp +佐賀.jp +大分.jp +大阪.jp +奈良.jp +宮城.jp +宮崎.jp +富山.jp +山口.jp +山形.jp +山梨.jp +岩手.jp +岐阜.jp +岡山.jp +島根.jp +広島.jp +徳島.jp +沖縄.jp +滋賀.jp +神奈川.jp +福井.jp +福岡.jp +福島.jp +秋田.jp +群馬.jp +香川.jp +高知.jp +鳥取.jp +鹿児島.jp +// jp geographic type names +// http://jprs.jp/doc/rule/saisoku-1.html +*.kawasaki.jp +*.kitakyushu.jp +*.kobe.jp +*.nagoya.jp +*.sapporo.jp +*.sendai.jp +*.yokohama.jp +!city.kawasaki.jp +!city.kitakyushu.jp +!city.kobe.jp +!city.nagoya.jp +!city.sapporo.jp +!city.sendai.jp +!city.yokohama.jp +// 4th level registration +aisai.aichi.jp +ama.aichi.jp +anjo.aichi.jp +asuke.aichi.jp +chiryu.aichi.jp +chita.aichi.jp +fuso.aichi.jp +gamagori.aichi.jp +handa.aichi.jp +hazu.aichi.jp +hekinan.aichi.jp +higashiura.aichi.jp +ichinomiya.aichi.jp +inazawa.aichi.jp +inuyama.aichi.jp +isshiki.aichi.jp +iwakura.aichi.jp +kanie.aichi.jp +kariya.aichi.jp +kasugai.aichi.jp +kira.aichi.jp +kiyosu.aichi.jp +komaki.aichi.jp +konan.aichi.jp +kota.aichi.jp +mihama.aichi.jp +miyoshi.aichi.jp +nishio.aichi.jp +nisshin.aichi.jp +obu.aichi.jp +oguchi.aichi.jp +oharu.aichi.jp +okazaki.aichi.jp +owariasahi.aichi.jp +seto.aichi.jp +shikatsu.aichi.jp +shinshiro.aichi.jp +shitara.aichi.jp +tahara.aichi.jp +takahama.aichi.jp +tobishima.aichi.jp +toei.aichi.jp 
+togo.aichi.jp +tokai.aichi.jp +tokoname.aichi.jp +toyoake.aichi.jp +toyohashi.aichi.jp +toyokawa.aichi.jp +toyone.aichi.jp +toyota.aichi.jp +tsushima.aichi.jp +yatomi.aichi.jp +akita.akita.jp +daisen.akita.jp +fujisato.akita.jp +gojome.akita.jp +hachirogata.akita.jp +happou.akita.jp +higashinaruse.akita.jp +honjo.akita.jp +honjyo.akita.jp +ikawa.akita.jp +kamikoani.akita.jp +kamioka.akita.jp +katagami.akita.jp +kazuno.akita.jp +kitaakita.akita.jp +kosaka.akita.jp +kyowa.akita.jp +misato.akita.jp +mitane.akita.jp +moriyoshi.akita.jp +nikaho.akita.jp +noshiro.akita.jp +odate.akita.jp +oga.akita.jp +ogata.akita.jp +semboku.akita.jp +yokote.akita.jp +yurihonjo.akita.jp +aomori.aomori.jp +gonohe.aomori.jp +hachinohe.aomori.jp +hashikami.aomori.jp +hiranai.aomori.jp +hirosaki.aomori.jp +itayanagi.aomori.jp +kuroishi.aomori.jp +misawa.aomori.jp +mutsu.aomori.jp +nakadomari.aomori.jp +noheji.aomori.jp +oirase.aomori.jp +owani.aomori.jp +rokunohe.aomori.jp +sannohe.aomori.jp +shichinohe.aomori.jp +shingo.aomori.jp +takko.aomori.jp +towada.aomori.jp +tsugaru.aomori.jp +tsuruta.aomori.jp +abiko.chiba.jp +asahi.chiba.jp +chonan.chiba.jp +chosei.chiba.jp +choshi.chiba.jp +chuo.chiba.jp +funabashi.chiba.jp +futtsu.chiba.jp +hanamigawa.chiba.jp +ichihara.chiba.jp +ichikawa.chiba.jp +ichinomiya.chiba.jp +inzai.chiba.jp +isumi.chiba.jp +kamagaya.chiba.jp +kamogawa.chiba.jp +kashiwa.chiba.jp +katori.chiba.jp +katsuura.chiba.jp +kimitsu.chiba.jp +kisarazu.chiba.jp +kozaki.chiba.jp +kujukuri.chiba.jp +kyonan.chiba.jp +matsudo.chiba.jp +midori.chiba.jp +mihama.chiba.jp +minamiboso.chiba.jp +mobara.chiba.jp +mutsuzawa.chiba.jp +nagara.chiba.jp +nagareyama.chiba.jp +narashino.chiba.jp +narita.chiba.jp +noda.chiba.jp +oamishirasato.chiba.jp +omigawa.chiba.jp +onjuku.chiba.jp +otaki.chiba.jp +sakae.chiba.jp +sakura.chiba.jp +shimofusa.chiba.jp +shirako.chiba.jp +shiroi.chiba.jp +shisui.chiba.jp +sodegaura.chiba.jp +sosa.chiba.jp +tako.chiba.jp +tateyama.chiba.jp +togane.chiba.jp 
+tohnosho.chiba.jp +tomisato.chiba.jp +urayasu.chiba.jp +yachimata.chiba.jp +yachiyo.chiba.jp +yokaichiba.chiba.jp +yokoshibahikari.chiba.jp +yotsukaido.chiba.jp +ainan.ehime.jp +honai.ehime.jp +ikata.ehime.jp +imabari.ehime.jp +iyo.ehime.jp +kamijima.ehime.jp +kihoku.ehime.jp +kumakogen.ehime.jp +masaki.ehime.jp +matsuno.ehime.jp +matsuyama.ehime.jp +namikata.ehime.jp +niihama.ehime.jp +ozu.ehime.jp +saijo.ehime.jp +seiyo.ehime.jp +shikokuchuo.ehime.jp +tobe.ehime.jp +toon.ehime.jp +uchiko.ehime.jp +uwajima.ehime.jp +yawatahama.ehime.jp +echizen.fukui.jp +eiheiji.fukui.jp +fukui.fukui.jp +ikeda.fukui.jp +katsuyama.fukui.jp +mihama.fukui.jp +minamiechizen.fukui.jp +obama.fukui.jp +ohi.fukui.jp +ono.fukui.jp +sabae.fukui.jp +sakai.fukui.jp +takahama.fukui.jp +tsuruga.fukui.jp +wakasa.fukui.jp +ashiya.fukuoka.jp +buzen.fukuoka.jp +chikugo.fukuoka.jp +chikuho.fukuoka.jp +chikujo.fukuoka.jp +chikushino.fukuoka.jp +chikuzen.fukuoka.jp +chuo.fukuoka.jp +dazaifu.fukuoka.jp +fukuchi.fukuoka.jp +hakata.fukuoka.jp +higashi.fukuoka.jp +hirokawa.fukuoka.jp +hisayama.fukuoka.jp +iizuka.fukuoka.jp +inatsuki.fukuoka.jp +kaho.fukuoka.jp +kasuga.fukuoka.jp +kasuya.fukuoka.jp +kawara.fukuoka.jp +keisen.fukuoka.jp +koga.fukuoka.jp +kurate.fukuoka.jp +kurogi.fukuoka.jp +kurume.fukuoka.jp +minami.fukuoka.jp +miyako.fukuoka.jp +miyama.fukuoka.jp +miyawaka.fukuoka.jp +mizumaki.fukuoka.jp +munakata.fukuoka.jp +nakagawa.fukuoka.jp +nakama.fukuoka.jp +nishi.fukuoka.jp +nogata.fukuoka.jp +ogori.fukuoka.jp +okagaki.fukuoka.jp +okawa.fukuoka.jp +oki.fukuoka.jp +omuta.fukuoka.jp +onga.fukuoka.jp +onojo.fukuoka.jp +oto.fukuoka.jp +saigawa.fukuoka.jp +sasaguri.fukuoka.jp +shingu.fukuoka.jp +shinyoshitomi.fukuoka.jp +shonai.fukuoka.jp +soeda.fukuoka.jp +sue.fukuoka.jp +tachiarai.fukuoka.jp +tagawa.fukuoka.jp +takata.fukuoka.jp +toho.fukuoka.jp +toyotsu.fukuoka.jp +tsuiki.fukuoka.jp +ukiha.fukuoka.jp +umi.fukuoka.jp +usui.fukuoka.jp +yamada.fukuoka.jp +yame.fukuoka.jp +yanagawa.fukuoka.jp 
+yukuhashi.fukuoka.jp +aizubange.fukushima.jp +aizumisato.fukushima.jp +aizuwakamatsu.fukushima.jp +asakawa.fukushima.jp +bandai.fukushima.jp +date.fukushima.jp +fukushima.fukushima.jp +furudono.fukushima.jp +futaba.fukushima.jp +hanawa.fukushima.jp +higashi.fukushima.jp +hirata.fukushima.jp +hirono.fukushima.jp +iitate.fukushima.jp +inawashiro.fukushima.jp +ishikawa.fukushima.jp +iwaki.fukushima.jp +izumizaki.fukushima.jp +kagamiishi.fukushima.jp +kaneyama.fukushima.jp +kawamata.fukushima.jp +kitakata.fukushima.jp +kitashiobara.fukushima.jp +koori.fukushima.jp +koriyama.fukushima.jp +kunimi.fukushima.jp +miharu.fukushima.jp +mishima.fukushima.jp +namie.fukushima.jp +nango.fukushima.jp +nishiaizu.fukushima.jp +nishigo.fukushima.jp +okuma.fukushima.jp +omotego.fukushima.jp +ono.fukushima.jp +otama.fukushima.jp +samegawa.fukushima.jp +shimogo.fukushima.jp +shirakawa.fukushima.jp +showa.fukushima.jp +soma.fukushima.jp +sukagawa.fukushima.jp +taishin.fukushima.jp +tamakawa.fukushima.jp +tanagura.fukushima.jp +tenei.fukushima.jp +yabuki.fukushima.jp +yamato.fukushima.jp +yamatsuri.fukushima.jp +yanaizu.fukushima.jp +yugawa.fukushima.jp +anpachi.gifu.jp +ena.gifu.jp +gifu.gifu.jp +ginan.gifu.jp +godo.gifu.jp +gujo.gifu.jp +hashima.gifu.jp +hichiso.gifu.jp +hida.gifu.jp +higashishirakawa.gifu.jp +ibigawa.gifu.jp +ikeda.gifu.jp +kakamigahara.gifu.jp +kani.gifu.jp +kasahara.gifu.jp +kasamatsu.gifu.jp +kawaue.gifu.jp +kitagata.gifu.jp +mino.gifu.jp +minokamo.gifu.jp +mitake.gifu.jp +mizunami.gifu.jp +motosu.gifu.jp +nakatsugawa.gifu.jp +ogaki.gifu.jp +sakahogi.gifu.jp +seki.gifu.jp +sekigahara.gifu.jp +shirakawa.gifu.jp +tajimi.gifu.jp +takayama.gifu.jp +tarui.gifu.jp +toki.gifu.jp +tomika.gifu.jp +wanouchi.gifu.jp +yamagata.gifu.jp +yaotsu.gifu.jp +yoro.gifu.jp +annaka.gunma.jp +chiyoda.gunma.jp +fujioka.gunma.jp +higashiagatsuma.gunma.jp +isesaki.gunma.jp +itakura.gunma.jp +kanna.gunma.jp +kanra.gunma.jp +katashina.gunma.jp +kawaba.gunma.jp +kiryu.gunma.jp 
+kusatsu.gunma.jp +maebashi.gunma.jp +meiwa.gunma.jp +midori.gunma.jp +minakami.gunma.jp +naganohara.gunma.jp +nakanojo.gunma.jp +nanmoku.gunma.jp +numata.gunma.jp +oizumi.gunma.jp +ora.gunma.jp +ota.gunma.jp +shibukawa.gunma.jp +shimonita.gunma.jp +shinto.gunma.jp +showa.gunma.jp +takasaki.gunma.jp +takayama.gunma.jp +tamamura.gunma.jp +tatebayashi.gunma.jp +tomioka.gunma.jp +tsukiyono.gunma.jp +tsumagoi.gunma.jp +ueno.gunma.jp +yoshioka.gunma.jp +asaminami.hiroshima.jp +daiwa.hiroshima.jp +etajima.hiroshima.jp +fuchu.hiroshima.jp +fukuyama.hiroshima.jp +hatsukaichi.hiroshima.jp +higashihiroshima.hiroshima.jp +hongo.hiroshima.jp +jinsekikogen.hiroshima.jp +kaita.hiroshima.jp +kui.hiroshima.jp +kumano.hiroshima.jp +kure.hiroshima.jp +mihara.hiroshima.jp +miyoshi.hiroshima.jp +naka.hiroshima.jp +onomichi.hiroshima.jp +osakikamijima.hiroshima.jp +otake.hiroshima.jp +saka.hiroshima.jp +sera.hiroshima.jp +seranishi.hiroshima.jp +shinichi.hiroshima.jp +shobara.hiroshima.jp +takehara.hiroshima.jp +abashiri.hokkaido.jp +abira.hokkaido.jp +aibetsu.hokkaido.jp +akabira.hokkaido.jp +akkeshi.hokkaido.jp +asahikawa.hokkaido.jp +ashibetsu.hokkaido.jp +ashoro.hokkaido.jp +assabu.hokkaido.jp +atsuma.hokkaido.jp +bibai.hokkaido.jp +biei.hokkaido.jp +bifuka.hokkaido.jp +bihoro.hokkaido.jp +biratori.hokkaido.jp +chippubetsu.hokkaido.jp +chitose.hokkaido.jp +date.hokkaido.jp +ebetsu.hokkaido.jp +embetsu.hokkaido.jp +eniwa.hokkaido.jp +erimo.hokkaido.jp +esan.hokkaido.jp +esashi.hokkaido.jp +fukagawa.hokkaido.jp +fukushima.hokkaido.jp +furano.hokkaido.jp +furubira.hokkaido.jp +haboro.hokkaido.jp +hakodate.hokkaido.jp +hamatonbetsu.hokkaido.jp +hidaka.hokkaido.jp +higashikagura.hokkaido.jp +higashikawa.hokkaido.jp +hiroo.hokkaido.jp +hokuryu.hokkaido.jp +hokuto.hokkaido.jp +honbetsu.hokkaido.jp +horokanai.hokkaido.jp +horonobe.hokkaido.jp +ikeda.hokkaido.jp +imakane.hokkaido.jp +ishikari.hokkaido.jp +iwamizawa.hokkaido.jp +iwanai.hokkaido.jp +kamifurano.hokkaido.jp 
+kamikawa.hokkaido.jp +kamishihoro.hokkaido.jp +kamisunagawa.hokkaido.jp +kamoenai.hokkaido.jp +kayabe.hokkaido.jp +kembuchi.hokkaido.jp +kikonai.hokkaido.jp +kimobetsu.hokkaido.jp +kitahiroshima.hokkaido.jp +kitami.hokkaido.jp +kiyosato.hokkaido.jp +koshimizu.hokkaido.jp +kunneppu.hokkaido.jp +kuriyama.hokkaido.jp +kuromatsunai.hokkaido.jp +kushiro.hokkaido.jp +kutchan.hokkaido.jp +kyowa.hokkaido.jp +mashike.hokkaido.jp +matsumae.hokkaido.jp +mikasa.hokkaido.jp +minamifurano.hokkaido.jp +mombetsu.hokkaido.jp +moseushi.hokkaido.jp +mukawa.hokkaido.jp +muroran.hokkaido.jp +naie.hokkaido.jp +nakagawa.hokkaido.jp +nakasatsunai.hokkaido.jp +nakatombetsu.hokkaido.jp +nanae.hokkaido.jp +nanporo.hokkaido.jp +nayoro.hokkaido.jp +nemuro.hokkaido.jp +niikappu.hokkaido.jp +niki.hokkaido.jp +nishiokoppe.hokkaido.jp +noboribetsu.hokkaido.jp +numata.hokkaido.jp +obihiro.hokkaido.jp +obira.hokkaido.jp +oketo.hokkaido.jp +okoppe.hokkaido.jp +otaru.hokkaido.jp +otobe.hokkaido.jp +otofuke.hokkaido.jp +otoineppu.hokkaido.jp +oumu.hokkaido.jp +ozora.hokkaido.jp +pippu.hokkaido.jp +rankoshi.hokkaido.jp +rebun.hokkaido.jp +rikubetsu.hokkaido.jp +rishiri.hokkaido.jp +rishirifuji.hokkaido.jp +saroma.hokkaido.jp +sarufutsu.hokkaido.jp +shakotan.hokkaido.jp +shari.hokkaido.jp +shibecha.hokkaido.jp +shibetsu.hokkaido.jp +shikabe.hokkaido.jp +shikaoi.hokkaido.jp +shimamaki.hokkaido.jp +shimizu.hokkaido.jp +shimokawa.hokkaido.jp +shinshinotsu.hokkaido.jp +shintoku.hokkaido.jp +shiranuka.hokkaido.jp +shiraoi.hokkaido.jp +shiriuchi.hokkaido.jp +sobetsu.hokkaido.jp +sunagawa.hokkaido.jp +taiki.hokkaido.jp +takasu.hokkaido.jp +takikawa.hokkaido.jp +takinoue.hokkaido.jp +teshikaga.hokkaido.jp +tobetsu.hokkaido.jp +tohma.hokkaido.jp +tomakomai.hokkaido.jp +tomari.hokkaido.jp +toya.hokkaido.jp +toyako.hokkaido.jp +toyotomi.hokkaido.jp +toyoura.hokkaido.jp +tsubetsu.hokkaido.jp +tsukigata.hokkaido.jp +urakawa.hokkaido.jp +urausu.hokkaido.jp +uryu.hokkaido.jp +utashinai.hokkaido.jp 
+wakkanai.hokkaido.jp +wassamu.hokkaido.jp +yakumo.hokkaido.jp +yoichi.hokkaido.jp +aioi.hyogo.jp +akashi.hyogo.jp +ako.hyogo.jp +amagasaki.hyogo.jp +aogaki.hyogo.jp +asago.hyogo.jp +ashiya.hyogo.jp +awaji.hyogo.jp +fukusaki.hyogo.jp +goshiki.hyogo.jp +harima.hyogo.jp +himeji.hyogo.jp +ichikawa.hyogo.jp +inagawa.hyogo.jp +itami.hyogo.jp +kakogawa.hyogo.jp +kamigori.hyogo.jp +kamikawa.hyogo.jp +kasai.hyogo.jp +kasuga.hyogo.jp +kawanishi.hyogo.jp +miki.hyogo.jp +minamiawaji.hyogo.jp +nishinomiya.hyogo.jp +nishiwaki.hyogo.jp +ono.hyogo.jp +sanda.hyogo.jp +sannan.hyogo.jp +sasayama.hyogo.jp +sayo.hyogo.jp +shingu.hyogo.jp +shinonsen.hyogo.jp +shiso.hyogo.jp +sumoto.hyogo.jp +taishi.hyogo.jp +taka.hyogo.jp +takarazuka.hyogo.jp +takasago.hyogo.jp +takino.hyogo.jp +tamba.hyogo.jp +tatsuno.hyogo.jp +toyooka.hyogo.jp +yabu.hyogo.jp +yashiro.hyogo.jp +yoka.hyogo.jp +yokawa.hyogo.jp +ami.ibaraki.jp +asahi.ibaraki.jp +bando.ibaraki.jp +chikusei.ibaraki.jp +daigo.ibaraki.jp +fujishiro.ibaraki.jp +hitachi.ibaraki.jp +hitachinaka.ibaraki.jp +hitachiomiya.ibaraki.jp +hitachiota.ibaraki.jp +ibaraki.ibaraki.jp +ina.ibaraki.jp +inashiki.ibaraki.jp +itako.ibaraki.jp +iwama.ibaraki.jp +joso.ibaraki.jp +kamisu.ibaraki.jp +kasama.ibaraki.jp +kashima.ibaraki.jp +kasumigaura.ibaraki.jp +koga.ibaraki.jp +miho.ibaraki.jp +mito.ibaraki.jp +moriya.ibaraki.jp +naka.ibaraki.jp +namegata.ibaraki.jp +oarai.ibaraki.jp +ogawa.ibaraki.jp +omitama.ibaraki.jp +ryugasaki.ibaraki.jp +sakai.ibaraki.jp +sakuragawa.ibaraki.jp +shimodate.ibaraki.jp +shimotsuma.ibaraki.jp +shirosato.ibaraki.jp +sowa.ibaraki.jp +suifu.ibaraki.jp +takahagi.ibaraki.jp +tamatsukuri.ibaraki.jp +tokai.ibaraki.jp +tomobe.ibaraki.jp +tone.ibaraki.jp +toride.ibaraki.jp +tsuchiura.ibaraki.jp +tsukuba.ibaraki.jp +uchihara.ibaraki.jp +ushiku.ibaraki.jp +yachiyo.ibaraki.jp +yamagata.ibaraki.jp +yawara.ibaraki.jp +yuki.ibaraki.jp +anamizu.ishikawa.jp +hakui.ishikawa.jp +hakusan.ishikawa.jp +kaga.ishikawa.jp +kahoku.ishikawa.jp 
+kanazawa.ishikawa.jp +kawakita.ishikawa.jp +komatsu.ishikawa.jp +nakanoto.ishikawa.jp +nanao.ishikawa.jp +nomi.ishikawa.jp +nonoichi.ishikawa.jp +noto.ishikawa.jp +shika.ishikawa.jp +suzu.ishikawa.jp +tsubata.ishikawa.jp +tsurugi.ishikawa.jp +uchinada.ishikawa.jp +wajima.ishikawa.jp +fudai.iwate.jp +fujisawa.iwate.jp +hanamaki.iwate.jp +hiraizumi.iwate.jp +hirono.iwate.jp +ichinohe.iwate.jp +ichinoseki.iwate.jp +iwaizumi.iwate.jp +iwate.iwate.jp +joboji.iwate.jp +kamaishi.iwate.jp +kanegasaki.iwate.jp +karumai.iwate.jp +kawai.iwate.jp +kitakami.iwate.jp +kuji.iwate.jp +kunohe.iwate.jp +kuzumaki.iwate.jp +miyako.iwate.jp +mizusawa.iwate.jp +morioka.iwate.jp +ninohe.iwate.jp +noda.iwate.jp +ofunato.iwate.jp +oshu.iwate.jp +otsuchi.iwate.jp +rikuzentakata.iwate.jp +shiwa.iwate.jp +shizukuishi.iwate.jp +sumita.iwate.jp +tanohata.iwate.jp +tono.iwate.jp +yahaba.iwate.jp +yamada.iwate.jp +ayagawa.kagawa.jp +higashikagawa.kagawa.jp +kanonji.kagawa.jp +kotohira.kagawa.jp +manno.kagawa.jp +marugame.kagawa.jp +mitoyo.kagawa.jp +naoshima.kagawa.jp +sanuki.kagawa.jp +tadotsu.kagawa.jp +takamatsu.kagawa.jp +tonosho.kagawa.jp +uchinomi.kagawa.jp +utazu.kagawa.jp +zentsuji.kagawa.jp +akune.kagoshima.jp +amami.kagoshima.jp +hioki.kagoshima.jp +isa.kagoshima.jp +isen.kagoshima.jp +izumi.kagoshima.jp +kagoshima.kagoshima.jp +kanoya.kagoshima.jp +kawanabe.kagoshima.jp +kinko.kagoshima.jp +kouyama.kagoshima.jp +makurazaki.kagoshima.jp +matsumoto.kagoshima.jp +minamitane.kagoshima.jp +nakatane.kagoshima.jp +nishinoomote.kagoshima.jp +satsumasendai.kagoshima.jp +soo.kagoshima.jp +tarumizu.kagoshima.jp +yusui.kagoshima.jp +aikawa.kanagawa.jp +atsugi.kanagawa.jp +ayase.kanagawa.jp +chigasaki.kanagawa.jp +ebina.kanagawa.jp +fujisawa.kanagawa.jp +hadano.kanagawa.jp +hakone.kanagawa.jp +hiratsuka.kanagawa.jp +isehara.kanagawa.jp +kaisei.kanagawa.jp +kamakura.kanagawa.jp +kiyokawa.kanagawa.jp +matsuda.kanagawa.jp +minamiashigara.kanagawa.jp +miura.kanagawa.jp +nakai.kanagawa.jp 
+ninomiya.kanagawa.jp +odawara.kanagawa.jp +oi.kanagawa.jp +oiso.kanagawa.jp +sagamihara.kanagawa.jp +samukawa.kanagawa.jp +tsukui.kanagawa.jp +yamakita.kanagawa.jp +yamato.kanagawa.jp +yokosuka.kanagawa.jp +yugawara.kanagawa.jp +zama.kanagawa.jp +zushi.kanagawa.jp +aki.kochi.jp +geisei.kochi.jp +hidaka.kochi.jp +higashitsuno.kochi.jp +ino.kochi.jp +kagami.kochi.jp +kami.kochi.jp +kitagawa.kochi.jp +kochi.kochi.jp +mihara.kochi.jp +motoyama.kochi.jp +muroto.kochi.jp +nahari.kochi.jp +nakamura.kochi.jp +nankoku.kochi.jp +nishitosa.kochi.jp +niyodogawa.kochi.jp +ochi.kochi.jp +okawa.kochi.jp +otoyo.kochi.jp +otsuki.kochi.jp +sakawa.kochi.jp +sukumo.kochi.jp +susaki.kochi.jp +tosa.kochi.jp +tosashimizu.kochi.jp +toyo.kochi.jp +tsuno.kochi.jp +umaji.kochi.jp +yasuda.kochi.jp +yusuhara.kochi.jp +amakusa.kumamoto.jp +arao.kumamoto.jp +aso.kumamoto.jp +choyo.kumamoto.jp +gyokuto.kumamoto.jp +hitoyoshi.kumamoto.jp +kamiamakusa.kumamoto.jp +kashima.kumamoto.jp +kikuchi.kumamoto.jp +kosa.kumamoto.jp +kumamoto.kumamoto.jp +mashiki.kumamoto.jp +mifune.kumamoto.jp +minamata.kumamoto.jp +minamioguni.kumamoto.jp +nagasu.kumamoto.jp +nishihara.kumamoto.jp +oguni.kumamoto.jp +ozu.kumamoto.jp +sumoto.kumamoto.jp +takamori.kumamoto.jp +uki.kumamoto.jp +uto.kumamoto.jp +yamaga.kumamoto.jp +yamato.kumamoto.jp +yatsushiro.kumamoto.jp +ayabe.kyoto.jp +fukuchiyama.kyoto.jp +higashiyama.kyoto.jp +ide.kyoto.jp +ine.kyoto.jp +joyo.kyoto.jp +kameoka.kyoto.jp +kamo.kyoto.jp +kita.kyoto.jp +kizu.kyoto.jp +kumiyama.kyoto.jp +kyotamba.kyoto.jp +kyotanabe.kyoto.jp +kyotango.kyoto.jp +maizuru.kyoto.jp +minami.kyoto.jp +minamiyamashiro.kyoto.jp +miyazu.kyoto.jp +muko.kyoto.jp +nagaokakyo.kyoto.jp +nakagyo.kyoto.jp +nantan.kyoto.jp +oyamazaki.kyoto.jp +sakyo.kyoto.jp +seika.kyoto.jp +tanabe.kyoto.jp +uji.kyoto.jp +ujitawara.kyoto.jp +wazuka.kyoto.jp +yamashina.kyoto.jp +yawata.kyoto.jp +asahi.mie.jp +inabe.mie.jp +ise.mie.jp +kameyama.mie.jp +kawagoe.mie.jp +kiho.mie.jp +kisosaki.mie.jp +kiwa.mie.jp 
+komono.mie.jp +kumano.mie.jp +kuwana.mie.jp +matsusaka.mie.jp +meiwa.mie.jp +mihama.mie.jp +minamiise.mie.jp +misugi.mie.jp +miyama.mie.jp +nabari.mie.jp +shima.mie.jp +suzuka.mie.jp +tado.mie.jp +taiki.mie.jp +taki.mie.jp +tamaki.mie.jp +toba.mie.jp +tsu.mie.jp +udono.mie.jp +ureshino.mie.jp +watarai.mie.jp +yokkaichi.mie.jp +furukawa.miyagi.jp +higashimatsushima.miyagi.jp +ishinomaki.miyagi.jp +iwanuma.miyagi.jp +kakuda.miyagi.jp +kami.miyagi.jp +kawasaki.miyagi.jp +kesennuma.miyagi.jp +marumori.miyagi.jp +matsushima.miyagi.jp +minamisanriku.miyagi.jp +misato.miyagi.jp +murata.miyagi.jp +natori.miyagi.jp +ogawara.miyagi.jp +ohira.miyagi.jp +onagawa.miyagi.jp +osaki.miyagi.jp +rifu.miyagi.jp +semine.miyagi.jp +shibata.miyagi.jp +shichikashuku.miyagi.jp +shikama.miyagi.jp +shiogama.miyagi.jp +shiroishi.miyagi.jp +tagajo.miyagi.jp +taiwa.miyagi.jp +tome.miyagi.jp +tomiya.miyagi.jp +wakuya.miyagi.jp +watari.miyagi.jp +yamamoto.miyagi.jp +zao.miyagi.jp +aya.miyazaki.jp +ebino.miyazaki.jp +gokase.miyazaki.jp +hyuga.miyazaki.jp +kadogawa.miyazaki.jp +kawaminami.miyazaki.jp +kijo.miyazaki.jp +kitagawa.miyazaki.jp +kitakata.miyazaki.jp +kitaura.miyazaki.jp +kobayashi.miyazaki.jp +kunitomi.miyazaki.jp +kushima.miyazaki.jp +mimata.miyazaki.jp +miyakonojo.miyazaki.jp +miyazaki.miyazaki.jp +morotsuka.miyazaki.jp +nichinan.miyazaki.jp +nishimera.miyazaki.jp +nobeoka.miyazaki.jp +saito.miyazaki.jp +shiiba.miyazaki.jp +shintomi.miyazaki.jp +takaharu.miyazaki.jp +takanabe.miyazaki.jp +takazaki.miyazaki.jp +tsuno.miyazaki.jp +achi.nagano.jp +agematsu.nagano.jp +anan.nagano.jp +aoki.nagano.jp +asahi.nagano.jp +azumino.nagano.jp +chikuhoku.nagano.jp +chikuma.nagano.jp +chino.nagano.jp +fujimi.nagano.jp +hakuba.nagano.jp +hara.nagano.jp +hiraya.nagano.jp +iida.nagano.jp +iijima.nagano.jp +iiyama.nagano.jp +iizuna.nagano.jp +ikeda.nagano.jp +ikusaka.nagano.jp +ina.nagano.jp +karuizawa.nagano.jp +kawakami.nagano.jp +kiso.nagano.jp +kisofukushima.nagano.jp +kitaaiki.nagano.jp 
+komagane.nagano.jp +komoro.nagano.jp +matsukawa.nagano.jp +matsumoto.nagano.jp +miasa.nagano.jp +minamiaiki.nagano.jp +minamimaki.nagano.jp +minamiminowa.nagano.jp +minowa.nagano.jp +miyada.nagano.jp +miyota.nagano.jp +mochizuki.nagano.jp +nagano.nagano.jp +nagawa.nagano.jp +nagiso.nagano.jp +nakagawa.nagano.jp +nakano.nagano.jp +nozawaonsen.nagano.jp +obuse.nagano.jp +ogawa.nagano.jp +okaya.nagano.jp +omachi.nagano.jp +omi.nagano.jp +ookuwa.nagano.jp +ooshika.nagano.jp +otaki.nagano.jp +otari.nagano.jp +sakae.nagano.jp +sakaki.nagano.jp +saku.nagano.jp +sakuho.nagano.jp +shimosuwa.nagano.jp +shinanomachi.nagano.jp +shiojiri.nagano.jp +suwa.nagano.jp +suzaka.nagano.jp +takagi.nagano.jp +takamori.nagano.jp +takayama.nagano.jp +tateshina.nagano.jp +tatsuno.nagano.jp +togakushi.nagano.jp +togura.nagano.jp +tomi.nagano.jp +ueda.nagano.jp +wada.nagano.jp +yamagata.nagano.jp +yamanouchi.nagano.jp +yasaka.nagano.jp +yasuoka.nagano.jp +chijiwa.nagasaki.jp +futsu.nagasaki.jp +goto.nagasaki.jp +hasami.nagasaki.jp +hirado.nagasaki.jp +iki.nagasaki.jp +isahaya.nagasaki.jp +kawatana.nagasaki.jp +kuchinotsu.nagasaki.jp +matsuura.nagasaki.jp +nagasaki.nagasaki.jp +obama.nagasaki.jp +omura.nagasaki.jp +oseto.nagasaki.jp +saikai.nagasaki.jp +sasebo.nagasaki.jp +seihi.nagasaki.jp +shimabara.nagasaki.jp +shinkamigoto.nagasaki.jp +togitsu.nagasaki.jp +tsushima.nagasaki.jp +unzen.nagasaki.jp +ando.nara.jp +gose.nara.jp +heguri.nara.jp +higashiyoshino.nara.jp +ikaruga.nara.jp +ikoma.nara.jp +kamikitayama.nara.jp +kanmaki.nara.jp +kashiba.nara.jp +kashihara.nara.jp +katsuragi.nara.jp +kawai.nara.jp +kawakami.nara.jp +kawanishi.nara.jp +koryo.nara.jp +kurotaki.nara.jp +mitsue.nara.jp +miyake.nara.jp +nara.nara.jp +nosegawa.nara.jp +oji.nara.jp +ouda.nara.jp +oyodo.nara.jp +sakurai.nara.jp +sango.nara.jp +shimoichi.nara.jp +shimokitayama.nara.jp +shinjo.nara.jp +soni.nara.jp +takatori.nara.jp +tawaramoto.nara.jp +tenkawa.nara.jp +tenri.nara.jp +uda.nara.jp +yamatokoriyama.nara.jp 
+yamatotakada.nara.jp +yamazoe.nara.jp +yoshino.nara.jp +aga.niigata.jp +agano.niigata.jp +gosen.niigata.jp +itoigawa.niigata.jp +izumozaki.niigata.jp +joetsu.niigata.jp +kamo.niigata.jp +kariwa.niigata.jp +kashiwazaki.niigata.jp +minamiuonuma.niigata.jp +mitsuke.niigata.jp +muika.niigata.jp +murakami.niigata.jp +myoko.niigata.jp +nagaoka.niigata.jp +niigata.niigata.jp +ojiya.niigata.jp +omi.niigata.jp +sado.niigata.jp +sanjo.niigata.jp +seiro.niigata.jp +seirou.niigata.jp +sekikawa.niigata.jp +shibata.niigata.jp +tagami.niigata.jp +tainai.niigata.jp +tochio.niigata.jp +tokamachi.niigata.jp +tsubame.niigata.jp +tsunan.niigata.jp +uonuma.niigata.jp +yahiko.niigata.jp +yoita.niigata.jp +yuzawa.niigata.jp +beppu.oita.jp +bungoono.oita.jp +bungotakada.oita.jp +hasama.oita.jp +hiji.oita.jp +himeshima.oita.jp +hita.oita.jp +kamitsue.oita.jp +kokonoe.oita.jp +kuju.oita.jp +kunisaki.oita.jp +kusu.oita.jp +oita.oita.jp +saiki.oita.jp +taketa.oita.jp +tsukumi.oita.jp +usa.oita.jp +usuki.oita.jp +yufu.oita.jp +akaiwa.okayama.jp +asakuchi.okayama.jp +bizen.okayama.jp +hayashima.okayama.jp +ibara.okayama.jp +kagamino.okayama.jp +kasaoka.okayama.jp +kibichuo.okayama.jp +kumenan.okayama.jp +kurashiki.okayama.jp +maniwa.okayama.jp +misaki.okayama.jp +nagi.okayama.jp +niimi.okayama.jp +nishiawakura.okayama.jp +okayama.okayama.jp +satosho.okayama.jp +setouchi.okayama.jp +shinjo.okayama.jp +shoo.okayama.jp +soja.okayama.jp +takahashi.okayama.jp +tamano.okayama.jp +tsuyama.okayama.jp +wake.okayama.jp +yakage.okayama.jp +aguni.okinawa.jp +ginowan.okinawa.jp +ginoza.okinawa.jp +gushikami.okinawa.jp +haebaru.okinawa.jp +higashi.okinawa.jp +hirara.okinawa.jp +iheya.okinawa.jp +ishigaki.okinawa.jp +ishikawa.okinawa.jp +itoman.okinawa.jp +izena.okinawa.jp +kadena.okinawa.jp +kin.okinawa.jp +kitadaito.okinawa.jp +kitanakagusuku.okinawa.jp +kumejima.okinawa.jp +kunigami.okinawa.jp +minamidaito.okinawa.jp +motobu.okinawa.jp +nago.okinawa.jp +naha.okinawa.jp +nakagusuku.okinawa.jp 
+nakijin.okinawa.jp +nanjo.okinawa.jp +nishihara.okinawa.jp +ogimi.okinawa.jp +okinawa.okinawa.jp +onna.okinawa.jp +shimoji.okinawa.jp +taketomi.okinawa.jp +tarama.okinawa.jp +tokashiki.okinawa.jp +tomigusuku.okinawa.jp +tonaki.okinawa.jp +urasoe.okinawa.jp +uruma.okinawa.jp +yaese.okinawa.jp +yomitan.okinawa.jp +yonabaru.okinawa.jp +yonaguni.okinawa.jp +zamami.okinawa.jp +abeno.osaka.jp +chihayaakasaka.osaka.jp +chuo.osaka.jp +daito.osaka.jp +fujiidera.osaka.jp +habikino.osaka.jp +hannan.osaka.jp +higashiosaka.osaka.jp +higashisumiyoshi.osaka.jp +higashiyodogawa.osaka.jp +hirakata.osaka.jp +ibaraki.osaka.jp +ikeda.osaka.jp +izumi.osaka.jp +izumiotsu.osaka.jp +izumisano.osaka.jp +kadoma.osaka.jp +kaizuka.osaka.jp +kanan.osaka.jp +kashiwara.osaka.jp +katano.osaka.jp +kawachinagano.osaka.jp +kishiwada.osaka.jp +kita.osaka.jp +kumatori.osaka.jp +matsubara.osaka.jp +minato.osaka.jp +minoh.osaka.jp +misaki.osaka.jp +moriguchi.osaka.jp +neyagawa.osaka.jp +nishi.osaka.jp +nose.osaka.jp +osakasayama.osaka.jp +sakai.osaka.jp +sayama.osaka.jp +sennan.osaka.jp +settsu.osaka.jp +shijonawate.osaka.jp +shimamoto.osaka.jp +suita.osaka.jp +tadaoka.osaka.jp +taishi.osaka.jp +tajiri.osaka.jp +takaishi.osaka.jp +takatsuki.osaka.jp +tondabayashi.osaka.jp +toyonaka.osaka.jp +toyono.osaka.jp +yao.osaka.jp +ariake.saga.jp +arita.saga.jp +fukudomi.saga.jp +genkai.saga.jp +hamatama.saga.jp +hizen.saga.jp +imari.saga.jp +kamimine.saga.jp +kanzaki.saga.jp +karatsu.saga.jp +kashima.saga.jp +kitagata.saga.jp +kitahata.saga.jp +kiyama.saga.jp +kouhoku.saga.jp +kyuragi.saga.jp +nishiarita.saga.jp +ogi.saga.jp +omachi.saga.jp +ouchi.saga.jp +saga.saga.jp +shiroishi.saga.jp +taku.saga.jp +tara.saga.jp +tosu.saga.jp +yoshinogari.saga.jp +arakawa.saitama.jp +asaka.saitama.jp +chichibu.saitama.jp +fujimi.saitama.jp +fujimino.saitama.jp +fukaya.saitama.jp +hanno.saitama.jp +hanyu.saitama.jp +hasuda.saitama.jp +hatogaya.saitama.jp +hatoyama.saitama.jp +hidaka.saitama.jp +higashichichibu.saitama.jp 
+higashimatsuyama.saitama.jp +honjo.saitama.jp +ina.saitama.jp +iruma.saitama.jp +iwatsuki.saitama.jp +kamiizumi.saitama.jp +kamikawa.saitama.jp +kamisato.saitama.jp +kasukabe.saitama.jp +kawagoe.saitama.jp +kawaguchi.saitama.jp +kawajima.saitama.jp +kazo.saitama.jp +kitamoto.saitama.jp +koshigaya.saitama.jp +kounosu.saitama.jp +kuki.saitama.jp +kumagaya.saitama.jp +matsubushi.saitama.jp +minano.saitama.jp +misato.saitama.jp +miyashiro.saitama.jp +miyoshi.saitama.jp +moroyama.saitama.jp +nagatoro.saitama.jp +namegawa.saitama.jp +niiza.saitama.jp +ogano.saitama.jp +ogawa.saitama.jp +ogose.saitama.jp +okegawa.saitama.jp +omiya.saitama.jp +otaki.saitama.jp +ranzan.saitama.jp +ryokami.saitama.jp +saitama.saitama.jp +sakado.saitama.jp +satte.saitama.jp +sayama.saitama.jp +shiki.saitama.jp +shiraoka.saitama.jp +soka.saitama.jp +sugito.saitama.jp +toda.saitama.jp +tokigawa.saitama.jp +tokorozawa.saitama.jp +tsurugashima.saitama.jp +urawa.saitama.jp +warabi.saitama.jp +yashio.saitama.jp +yokoze.saitama.jp +yono.saitama.jp +yorii.saitama.jp +yoshida.saitama.jp +yoshikawa.saitama.jp +yoshimi.saitama.jp +aisho.shiga.jp +gamo.shiga.jp +higashiomi.shiga.jp +hikone.shiga.jp +koka.shiga.jp +konan.shiga.jp +kosei.shiga.jp +koto.shiga.jp +kusatsu.shiga.jp +maibara.shiga.jp +moriyama.shiga.jp +nagahama.shiga.jp +nishiazai.shiga.jp +notogawa.shiga.jp +omihachiman.shiga.jp +otsu.shiga.jp +ritto.shiga.jp +ryuoh.shiga.jp +takashima.shiga.jp +takatsuki.shiga.jp +torahime.shiga.jp +toyosato.shiga.jp +yasu.shiga.jp +akagi.shimane.jp +ama.shimane.jp +gotsu.shimane.jp +hamada.shimane.jp +higashiizumo.shimane.jp +hikawa.shimane.jp +hikimi.shimane.jp +izumo.shimane.jp +kakinoki.shimane.jp +masuda.shimane.jp +matsue.shimane.jp +misato.shimane.jp +nishinoshima.shimane.jp +ohda.shimane.jp +okinoshima.shimane.jp +okuizumo.shimane.jp +shimane.shimane.jp +tamayu.shimane.jp +tsuwano.shimane.jp +unnan.shimane.jp +yakumo.shimane.jp +yasugi.shimane.jp +yatsuka.shimane.jp +arai.shizuoka.jp 
+atami.shizuoka.jp +fuji.shizuoka.jp +fujieda.shizuoka.jp +fujikawa.shizuoka.jp +fujinomiya.shizuoka.jp +fukuroi.shizuoka.jp +gotemba.shizuoka.jp +haibara.shizuoka.jp +hamamatsu.shizuoka.jp +higashiizu.shizuoka.jp +ito.shizuoka.jp +iwata.shizuoka.jp +izu.shizuoka.jp +izunokuni.shizuoka.jp +kakegawa.shizuoka.jp +kannami.shizuoka.jp +kawanehon.shizuoka.jp +kawazu.shizuoka.jp +kikugawa.shizuoka.jp +kosai.shizuoka.jp +makinohara.shizuoka.jp +matsuzaki.shizuoka.jp +minamiizu.shizuoka.jp +mishima.shizuoka.jp +morimachi.shizuoka.jp +nishiizu.shizuoka.jp +numazu.shizuoka.jp +omaezaki.shizuoka.jp +shimada.shizuoka.jp +shimizu.shizuoka.jp +shimoda.shizuoka.jp +shizuoka.shizuoka.jp +susono.shizuoka.jp +yaizu.shizuoka.jp +yoshida.shizuoka.jp +ashikaga.tochigi.jp +bato.tochigi.jp +haga.tochigi.jp +ichikai.tochigi.jp +iwafune.tochigi.jp +kaminokawa.tochigi.jp +kanuma.tochigi.jp +karasuyama.tochigi.jp +kuroiso.tochigi.jp +mashiko.tochigi.jp +mibu.tochigi.jp +moka.tochigi.jp +motegi.tochigi.jp +nasu.tochigi.jp +nasushiobara.tochigi.jp +nikko.tochigi.jp +nishikata.tochigi.jp +nogi.tochigi.jp +ohira.tochigi.jp +ohtawara.tochigi.jp +oyama.tochigi.jp +sakura.tochigi.jp +sano.tochigi.jp +shimotsuke.tochigi.jp +shioya.tochigi.jp +takanezawa.tochigi.jp +tochigi.tochigi.jp +tsuga.tochigi.jp +ujiie.tochigi.jp +utsunomiya.tochigi.jp +yaita.tochigi.jp +aizumi.tokushima.jp +anan.tokushima.jp +ichiba.tokushima.jp +itano.tokushima.jp +kainan.tokushima.jp +komatsushima.tokushima.jp +matsushige.tokushima.jp +mima.tokushima.jp +minami.tokushima.jp +miyoshi.tokushima.jp +mugi.tokushima.jp +nakagawa.tokushima.jp +naruto.tokushima.jp +sanagochi.tokushima.jp +shishikui.tokushima.jp +tokushima.tokushima.jp +wajiki.tokushima.jp +adachi.tokyo.jp +akiruno.tokyo.jp +akishima.tokyo.jp +aogashima.tokyo.jp +arakawa.tokyo.jp +bunkyo.tokyo.jp +chiyoda.tokyo.jp +chofu.tokyo.jp +chuo.tokyo.jp +edogawa.tokyo.jp +fuchu.tokyo.jp +fussa.tokyo.jp +hachijo.tokyo.jp +hachioji.tokyo.jp +hamura.tokyo.jp 
+higashikurume.tokyo.jp +higashimurayama.tokyo.jp +higashiyamato.tokyo.jp +hino.tokyo.jp +hinode.tokyo.jp +hinohara.tokyo.jp +inagi.tokyo.jp +itabashi.tokyo.jp +katsushika.tokyo.jp +kita.tokyo.jp +kiyose.tokyo.jp +kodaira.tokyo.jp +koganei.tokyo.jp +kokubunji.tokyo.jp +komae.tokyo.jp +koto.tokyo.jp +kouzushima.tokyo.jp +kunitachi.tokyo.jp +machida.tokyo.jp +meguro.tokyo.jp +minato.tokyo.jp +mitaka.tokyo.jp +mizuho.tokyo.jp +musashimurayama.tokyo.jp +musashino.tokyo.jp +nakano.tokyo.jp +nerima.tokyo.jp +ogasawara.tokyo.jp +okutama.tokyo.jp +ome.tokyo.jp +oshima.tokyo.jp +ota.tokyo.jp +setagaya.tokyo.jp +shibuya.tokyo.jp +shinagawa.tokyo.jp +shinjuku.tokyo.jp +suginami.tokyo.jp +sumida.tokyo.jp +tachikawa.tokyo.jp +taito.tokyo.jp +tama.tokyo.jp +toshima.tokyo.jp +chizu.tottori.jp +hino.tottori.jp +kawahara.tottori.jp +koge.tottori.jp +kotoura.tottori.jp +misasa.tottori.jp +nanbu.tottori.jp +nichinan.tottori.jp +sakaiminato.tottori.jp +tottori.tottori.jp +wakasa.tottori.jp +yazu.tottori.jp +yonago.tottori.jp +asahi.toyama.jp +fuchu.toyama.jp +fukumitsu.toyama.jp +funahashi.toyama.jp +himi.toyama.jp +imizu.toyama.jp +inami.toyama.jp +johana.toyama.jp +kamiichi.toyama.jp +kurobe.toyama.jp +nakaniikawa.toyama.jp +namerikawa.toyama.jp +nanto.toyama.jp +nyuzen.toyama.jp +oyabe.toyama.jp +taira.toyama.jp +takaoka.toyama.jp +tateyama.toyama.jp +toga.toyama.jp +tonami.toyama.jp +toyama.toyama.jp +unazuki.toyama.jp +uozu.toyama.jp +yamada.toyama.jp +arida.wakayama.jp +aridagawa.wakayama.jp +gobo.wakayama.jp +hashimoto.wakayama.jp +hidaka.wakayama.jp +hirogawa.wakayama.jp +inami.wakayama.jp +iwade.wakayama.jp +kainan.wakayama.jp +kamitonda.wakayama.jp +katsuragi.wakayama.jp +kimino.wakayama.jp +kinokawa.wakayama.jp +kitayama.wakayama.jp +koya.wakayama.jp +koza.wakayama.jp +kozagawa.wakayama.jp +kudoyama.wakayama.jp +kushimoto.wakayama.jp +mihama.wakayama.jp +misato.wakayama.jp +nachikatsuura.wakayama.jp +shingu.wakayama.jp +shirahama.wakayama.jp +taiji.wakayama.jp 
+tanabe.wakayama.jp
+wakayama.wakayama.jp
+yuasa.wakayama.jp
+yura.wakayama.jp
+asahi.yamagata.jp
+funagata.yamagata.jp
+higashine.yamagata.jp
+iide.yamagata.jp
+kahoku.yamagata.jp
+kaminoyama.yamagata.jp
+kaneyama.yamagata.jp
+kawanishi.yamagata.jp
+mamurogawa.yamagata.jp
+mikawa.yamagata.jp
+murayama.yamagata.jp
+nagai.yamagata.jp
+nakayama.yamagata.jp
+nanyo.yamagata.jp
+nishikawa.yamagata.jp
+obanazawa.yamagata.jp
+oe.yamagata.jp
+oguni.yamagata.jp
+ohkura.yamagata.jp
+oishida.yamagata.jp
+sagae.yamagata.jp
+sakata.yamagata.jp
+sakegawa.yamagata.jp
+shinjo.yamagata.jp
+shirataka.yamagata.jp
+shonai.yamagata.jp
+takahata.yamagata.jp
+tendo.yamagata.jp
+tozawa.yamagata.jp
+tsuruoka.yamagata.jp
+yamagata.yamagata.jp
+yamanobe.yamagata.jp
+yonezawa.yamagata.jp
+yuza.yamagata.jp
+abu.yamaguchi.jp
+hagi.yamaguchi.jp
+hikari.yamaguchi.jp
+hofu.yamaguchi.jp
+iwakuni.yamaguchi.jp
+kudamatsu.yamaguchi.jp
+mitou.yamaguchi.jp
+nagato.yamaguchi.jp
+oshima.yamaguchi.jp
+shimonoseki.yamaguchi.jp
+shunan.yamaguchi.jp
+tabuse.yamaguchi.jp
+tokuyama.yamaguchi.jp
+toyota.yamaguchi.jp
+ube.yamaguchi.jp
+yuu.yamaguchi.jp
+chuo.yamanashi.jp
+doshi.yamanashi.jp
+fuefuki.yamanashi.jp
+fujikawa.yamanashi.jp
+fujikawaguchiko.yamanashi.jp
+fujiyoshida.yamanashi.jp
+hayakawa.yamanashi.jp
+hokuto.yamanashi.jp
+ichikawamisato.yamanashi.jp
+kai.yamanashi.jp
+kofu.yamanashi.jp
+koshu.yamanashi.jp
+kosuge.yamanashi.jp
+minami-alps.yamanashi.jp
+minobu.yamanashi.jp
+nakamichi.yamanashi.jp
+nanbu.yamanashi.jp
+narusawa.yamanashi.jp
+nirasaki.yamanashi.jp
+nishikatsura.yamanashi.jp
+oshino.yamanashi.jp
+otsuki.yamanashi.jp
+showa.yamanashi.jp
+tabayama.yamanashi.jp
+tsuru.yamanashi.jp
+uenohara.yamanashi.jp
+yamanakako.yamanashi.jp
+yamanashi.yamanashi.jp
+
+// ke : http://www.kenic.or.ke/index.php?option=com_content&task=view&id=117&Itemid=145
+*.ke
+
+// kg : http://www.domain.kg/dmn_n.html
+kg
+org.kg
+net.kg
+com.kg
+edu.kg
+gov.kg
+mil.kg
+
+// kh : http://www.mptc.gov.kh/dns_registration.htm
+*.kh
+
+// ki : http://www.ki/dns/index.html
+ki
+edu.ki
+biz.ki
+net.ki
+org.ki
+gov.ki
+info.ki
+com.ki
+
+// km : http://en.wikipedia.org/wiki/.km
+// http://www.domaine.km/documents/charte.doc
+km
+org.km
+nom.km
+gov.km
+prd.km
+tm.km
+edu.km
+mil.km
+ass.km
+com.km
+// These are only mentioned as proposed suggestions at domaine.km, but
+// http://en.wikipedia.org/wiki/.km says they're available for registration:
+coop.km
+asso.km
+presse.km
+medecin.km
+notaires.km
+pharmaciens.km
+veterinaire.km
+gouv.km
+
+// kn : http://en.wikipedia.org/wiki/.kn
+// http://www.dot.kn/domainRules.html
+kn
+net.kn
+org.kn
+edu.kn
+gov.kn
+
+// kp : http://www.kcce.kp/en_index.php
+kp
+com.kp
+edu.kp
+gov.kp
+org.kp
+rep.kp
+tra.kp
+
+// kr : http://en.wikipedia.org/wiki/.kr
+// see also: http://domain.nida.or.kr/eng/registration.jsp
+kr
+ac.kr
+co.kr
+es.kr
+go.kr
+hs.kr
+kg.kr
+mil.kr
+ms.kr
+ne.kr
+or.kr
+pe.kr
+re.kr
+sc.kr
+// kr geographical names
+busan.kr
+chungbuk.kr
+chungnam.kr
+daegu.kr
+daejeon.kr
+gangwon.kr
+gwangju.kr
+gyeongbuk.kr
+gyeonggi.kr
+gyeongnam.kr
+incheon.kr
+jeju.kr
+jeonbuk.kr
+jeonnam.kr
+seoul.kr
+ulsan.kr
+
+// kw : http://en.wikipedia.org/wiki/.kw
+*.kw
+
+// ky : http://www.icta.ky/da_ky_reg_dom.php
+// Confirmed by registry 2008-06-17
+ky
+edu.ky
+gov.ky
+com.ky
+org.ky
+net.ky
+
+// kz : http://en.wikipedia.org/wiki/.kz
+// see also: http://www.nic.kz/rules/index.jsp
+kz
+org.kz
+edu.kz
+net.kz
+gov.kz
+mil.kz
+com.kz
+
+// la : http://en.wikipedia.org/wiki/.la
+// Submitted by registry 2008-06-10
+la
+int.la
+net.la
+info.la
+edu.la
+gov.la
+per.la
+com.la
+org.la
+
+// lb : http://en.wikipedia.org/wiki/.lb
+// Submitted by registry 2008-06-17
+lb
+com.lb
+edu.lb
+gov.lb
+net.lb
+org.lb
+
+// lc : http://en.wikipedia.org/wiki/.lc
+// see also: http://www.nic.lc/rules.htm
+lc
+com.lc
+net.lc
+co.lc
+org.lc
+edu.lc
+gov.lc
+
+// li : http://en.wikipedia.org/wiki/.li
+li
+
+// lk : http://www.nic.lk/seclevpr.html
+lk
+gov.lk
+sch.lk
+net.lk
+int.lk
+com.lk
+org.lk
+edu.lk
+ngo.lk
+soc.lk
+web.lk
+ltd.lk
+assn.lk
+grp.lk
+hotel.lk
+
+// lr : http://psg.com/dns/lr/lr.txt
+// Submitted by registry 2008-06-17
+lr
+com.lr
+edu.lr
+gov.lr
+org.lr
+net.lr
+
+// ls : http://en.wikipedia.org/wiki/.ls
+ls
+co.ls
+org.ls
+
+// lt : http://en.wikipedia.org/wiki/.lt
+lt
+// gov.lt : http://www.gov.lt/index_en.php
+gov.lt
+
+// lu : http://www.dns.lu/en/
+lu
+
+// lv : http://www.nic.lv/DNS/En/generic.php
+lv
+com.lv
+edu.lv
+gov.lv
+org.lv
+mil.lv
+id.lv
+net.lv
+asn.lv
+conf.lv
+
+// ly : http://www.nic.ly/regulations.php
+ly
+com.ly
+net.ly
+gov.ly
+plc.ly
+edu.ly
+sch.ly
+med.ly
+org.ly
+id.ly
+
+// ma : http://en.wikipedia.org/wiki/.ma
+// http://www.anrt.ma/fr/admin/download/upload/file_fr782.pdf
+ma
+co.ma
+net.ma
+gov.ma
+org.ma
+ac.ma
+press.ma
+
+// mc : http://www.nic.mc/
+mc
+tm.mc
+asso.mc
+
+// md : http://en.wikipedia.org/wiki/.md
+md
+
+// me : http://en.wikipedia.org/wiki/.me
+me
+co.me
+net.me
+org.me
+edu.me
+ac.me
+gov.me
+its.me
+priv.me
+
+// mg : http://www.nic.mg/tarif.htm
+mg
+org.mg
+nom.mg
+gov.mg
+prd.mg
+tm.mg
+edu.mg
+mil.mg
+com.mg
+
+// mh : http://en.wikipedia.org/wiki/.mh
+mh
+
+// mil : http://en.wikipedia.org/wiki/.mil
+mil
+
+// mk : http://en.wikipedia.org/wiki/.mk
+// see also: http://dns.marnet.net.mk/postapka.php
+mk
+com.mk
+org.mk
+net.mk
+edu.mk
+gov.mk
+inf.mk
+name.mk
+
+// ml : http://www.gobin.info/domainname/ml-template.doc
+// see also: http://en.wikipedia.org/wiki/.ml
+ml
+com.ml
+edu.ml
+gouv.ml
+gov.ml
+net.ml
+org.ml
+presse.ml
+
+// mm : http://en.wikipedia.org/wiki/.mm
+*.mm
+
+// mn : http://en.wikipedia.org/wiki/.mn
+mn
+gov.mn
+edu.mn
+org.mn
+
+// mo : http://www.monic.net.mo/
+mo
+com.mo
+net.mo
+org.mo
+edu.mo
+gov.mo
+
+// mobi : http://en.wikipedia.org/wiki/.mobi
+mobi
+
+// mp : http://www.dot.mp/
+// Confirmed by registry 2008-06-17
+mp
+
+// mq : http://en.wikipedia.org/wiki/.mq
+mq
+
+// mr : http://en.wikipedia.org/wiki/.mr
+mr
+gov.mr
+
+// ms : http://www.nic.ms/pdf/MS_Domain_Name_Rules.pdf
+ms
+com.ms
+edu.ms
+gov.ms
+net.ms
+org.ms
+
+// mt : https://www.nic.org.mt/go/policy
+// Submitted by registry 2013-11-19
+mt
+com.mt
+edu.mt
+net.mt
+org.mt
+
+// mu : http://en.wikipedia.org/wiki/.mu
+mu
+com.mu
+net.mu
+org.mu
+gov.mu
+ac.mu
+co.mu
+or.mu
+
+// museum : http://about.museum/naming/
+// http://index.museum/
+museum
+academy.museum
+agriculture.museum
+air.museum
+airguard.museum
+alabama.museum
+alaska.museum
+amber.museum
+ambulance.museum
+american.museum
+americana.museum
+americanantiques.museum
+americanart.museum
+amsterdam.museum
+and.museum
+annefrank.museum
+anthro.museum
+anthropology.museum
+antiques.museum
+aquarium.museum
+arboretum.museum
+archaeological.museum
+archaeology.museum
+architecture.museum
+art.museum
+artanddesign.museum
+artcenter.museum
+artdeco.museum
+arteducation.museum
+artgallery.museum
+arts.museum
+artsandcrafts.museum
+asmatart.museum
+assassination.museum
+assisi.museum
+association.museum
+astronomy.museum
+atlanta.museum
+austin.museum
+australia.museum
+automotive.museum
+aviation.museum
+axis.museum
+badajoz.museum
+baghdad.museum
+bahn.museum
+bale.museum
+baltimore.museum
+barcelona.museum
+baseball.museum
+basel.museum
+baths.museum
+bauern.museum
+beauxarts.museum
+beeldengeluid.museum
+bellevue.museum
+bergbau.museum
+berkeley.museum
+berlin.museum
+bern.museum
+bible.museum
+bilbao.museum
+bill.museum
+birdart.museum
+birthplace.museum
+bonn.museum
+boston.museum
+botanical.museum
+botanicalgarden.museum
+botanicgarden.museum
+botany.museum
+brandywinevalley.museum
+brasil.museum
+bristol.museum
+british.museum
+britishcolumbia.museum
+broadcast.museum
+brunel.museum
+brussel.museum
+brussels.museum
+bruxelles.museum
+building.museum
+burghof.museum
+bus.museum
+bushey.museum
+cadaques.museum
+california.museum
+cambridge.museum
+can.museum
+canada.museum
+capebreton.museum
+carrier.museum
+cartoonart.museum
+casadelamoneda.museum
+castle.museum
+castres.museum
+celtic.museum
+center.museum
+chattanooga.museum
+cheltenham.museum
+chesapeakebay.museum
+chicago.museum
+children.museum
+childrens.museum
+childrensgarden.museum
+chiropractic.museum
+chocolate.museum
+christiansburg.museum
+cincinnati.museum
+cinema.museum
+circus.museum
+civilisation.museum
+civilization.museum
+civilwar.museum
+clinton.museum
+clock.museum
+coal.museum
+coastaldefence.museum
+cody.museum
+coldwar.museum
+collection.museum
+colonialwilliamsburg.museum
+coloradoplateau.museum
+columbia.museum
+columbus.museum
+communication.museum
+communications.museum
+community.museum
+computer.museum
+computerhistory.museum
+comunicações.museum
+contemporary.museum
+contemporaryart.museum
+convent.museum
+copenhagen.museum
+corporation.museum
+correios-e-telecomunicações.museum
+corvette.museum
+costume.museum
+countryestate.museum
+county.museum
+crafts.museum
+cranbrook.museum
+creation.museum
+cultural.museum
+culturalcenter.museum
+culture.museum
+cyber.museum
+cymru.museum
+dali.museum
+dallas.museum
+database.museum
+ddr.museum
+decorativearts.museum
+delaware.museum
+delmenhorst.museum
+denmark.museum
+depot.museum
+design.museum
+detroit.museum
+dinosaur.museum
+discovery.museum
+dolls.museum
+donostia.museum
+durham.museum
+eastafrica.museum
+eastcoast.museum
+education.museum
+educational.museum
+egyptian.museum
+eisenbahn.museum
+elburg.museum
+elvendrell.museum
+embroidery.museum
+encyclopedic.museum
+england.museum
+entomology.museum
+environment.museum
+environmentalconservation.museum
+epilepsy.museum
+essex.museum
+estate.museum
+ethnology.museum
+exeter.museum
+exhibition.museum
+family.museum
+farm.museum
+farmequipment.museum
+farmers.museum
+farmstead.museum
+field.museum
+figueres.museum
+filatelia.museum
+film.museum
+fineart.museum
+finearts.museum
+finland.museum
+flanders.museum
+florida.museum
+force.museum
+fortmissoula.museum
+fortworth.museum
+foundation.museum
+francaise.museum
+frankfurt.museum
+franziskaner.museum
+freemasonry.museum
+freiburg.museum
+fribourg.museum
+frog.museum
+fundacio.museum
+furniture.museum
+gallery.museum
+garden.museum
+gateway.museum
+geelvinck.museum
+gemological.museum
+geology.museum
+georgia.museum
+giessen.museum
+glas.museum
+glass.museum
+gorge.museum
+grandrapids.museum
+graz.museum
+guernsey.museum
+halloffame.museum
+hamburg.museum
+handson.museum
+harvestcelebration.museum
+hawaii.museum
+health.museum
+heimatunduhren.museum
+hellas.museum
+helsinki.museum
+hembygdsforbund.museum
+heritage.museum
+histoire.museum
+historical.museum
+historicalsociety.museum
+historichouses.museum
+historisch.museum
+historisches.museum
+history.museum
+historyofscience.museum
+horology.museum
+house.museum
+humanities.museum
+illustration.museum
+imageandsound.museum
+indian.museum
+indiana.museum
+indianapolis.museum
+indianmarket.museum
+intelligence.museum
+interactive.museum
+iraq.museum
+iron.museum
+isleofman.museum
+jamison.museum
+jefferson.museum
+jerusalem.museum
+jewelry.museum
+jewish.museum
+jewishart.museum
+jfk.museum
+journalism.museum
+judaica.museum
+judygarland.museum
+juedisches.museum
+juif.museum
+karate.museum
+karikatur.museum
+kids.museum
+koebenhavn.museum
+koeln.museum
+kunst.museum
+kunstsammlung.museum
+kunstunddesign.museum
+labor.museum
+labour.museum
+lajolla.museum
+lancashire.museum
+landes.museum
+lans.museum
+läns.museum
+larsson.museum
+lewismiller.museum
+lincoln.museum
+linz.museum
+living.museum
+livinghistory.museum
+localhistory.museum
+london.museum
+losangeles.museum
+louvre.museum
+loyalist.museum
+lucerne.museum
+luxembourg.museum
+luzern.museum
+mad.museum
+madrid.museum
+mallorca.museum
+manchester.museum
+mansion.museum
+mansions.museum
+manx.museum
+marburg.museum
+maritime.museum
+maritimo.museum
+maryland.museum
+marylhurst.museum
+media.museum
+medical.museum
+medizinhistorisches.museum
+meeres.museum
+memorial.museum
+mesaverde.museum
+michigan.museum
+midatlantic.museum
+military.museum
+mill.museum
+miners.museum
+mining.museum
+minnesota.museum
+missile.museum
+missoula.museum
+modern.museum
+moma.museum
+money.museum
+monmouth.museum
+monticello.museum
+montreal.museum
+moscow.museum
+motorcycle.museum
+muenchen.museum
+muenster.museum
+mulhouse.museum
+muncie.museum
+museet.museum
+museumcenter.museum
+museumvereniging.museum
+music.museum
+national.museum
+nationalfirearms.museum
+nationalheritage.museum
+nativeamerican.museum
+naturalhistory.museum
+naturalhistorymuseum.museum
+naturalsciences.museum
+nature.museum
+naturhistorisches.museum
+natuurwetenschappen.museum
+naumburg.museum
+naval.museum
+nebraska.museum
+neues.museum
+newhampshire.museum
+newjersey.museum
+newmexico.museum
+newport.museum
+newspaper.museum
+newyork.museum
+niepce.museum
+norfolk.museum
+north.museum
+nrw.museum
+nuernberg.museum
+nuremberg.museum
+nyc.museum
+nyny.museum
+oceanographic.museum
+oceanographique.museum
+omaha.museum
+online.museum
+ontario.museum
+openair.museum
+oregon.museum
+oregontrail.museum
+otago.museum
+oxford.museum
+pacific.museum
+paderborn.museum
+palace.museum
+paleo.museum
+palmsprings.museum
+panama.museum
+paris.museum
+pasadena.museum
+pharmacy.museum
+philadelphia.museum
+philadelphiaarea.museum
+philately.museum
+phoenix.museum
+photography.museum
+pilots.museum
+pittsburgh.museum
+planetarium.museum
+plantation.museum
+plants.museum
+plaza.museum
+portal.museum
+portland.museum
+portlligat.museum
+posts-and-telecommunications.museum
+preservation.museum
+presidio.museum
+press.museum
+project.museum
+public.museum
+pubol.museum
+quebec.museum
+railroad.museum
+railway.museum
+research.museum
+resistance.museum
+riodejaneiro.museum
+rochester.museum
+rockart.museum
+roma.museum
+russia.museum
+saintlouis.museum
+salem.museum
+salvadordali.museum
+salzburg.museum
+sandiego.museum
+sanfrancisco.museum
+santabarbara.museum
+santacruz.museum
+santafe.museum
+saskatchewan.museum
+satx.museum
+savannahga.museum
+schlesisches.museum
+schoenbrunn.museum
+schokoladen.museum
+school.museum
+schweiz.museum
+science.museum
+scienceandhistory.museum
+scienceandindustry.museum
+sciencecenter.museum
+sciencecenters.museum
+science-fiction.museum
+sciencehistory.museum
+sciences.museum
+sciencesnaturelles.museum
+scotland.museum
+seaport.museum
+settlement.museum
+settlers.museum
+shell.museum
+sherbrooke.museum
+sibenik.museum
+silk.museum
+ski.museum
+skole.museum
+society.museum
+sologne.museum
+soundandvision.museum
+southcarolina.museum
+southwest.museum
+space.museum
+spy.museum
+square.museum
+stadt.museum
+stalbans.museum
+starnberg.museum
+state.museum
+stateofdelaware.museum
+station.museum
+steam.museum
+steiermark.museum
+stjohn.museum
+stockholm.museum
+stpetersburg.museum
+stuttgart.museum
+suisse.museum
+surgeonshall.museum
+surrey.museum
+svizzera.museum
+sweden.museum
+sydney.museum
+tank.museum
+tcm.museum
+technology.museum
+telekommunikation.museum
+television.museum
+texas.museum
+textile.museum
+theater.museum
+time.museum
+timekeeping.museum
+topology.museum
+torino.museum
+touch.museum
+town.museum
+transport.museum
+tree.museum
+trolley.museum
+trust.museum
+trustee.museum
+uhren.museum
+ulm.museum
+undersea.museum
+university.museum
+usa.museum
+usantiques.museum
+usarts.museum
+uscountryestate.museum
+usculture.museum
+usdecorativearts.museum
+usgarden.museum
+ushistory.museum
+ushuaia.museum
+uslivinghistory.museum
+utah.museum
+uvic.museum
+valley.museum
+vantaa.museum
+versailles.museum
+viking.museum
+village.museum
+virginia.museum
+virtual.museum
+virtuel.museum
+vlaanderen.museum
+volkenkunde.museum
+wales.museum
+wallonie.museum
+war.museum
+washingtondc.museum
+watchandclock.museum
+watch-and-clock.museum
+western.museum
+westfalen.museum
+whaling.museum
+wildlife.museum
+williamsburg.museum
+windmill.museum
+workshop.museum
+york.museum
+yorkshire.museum
+yosemite.museum
+youth.museum
+zoological.museum
+zoology.museum
+ירושלים.museum
+иком.museum
+
+// mv : http://en.wikipedia.org/wiki/.mv
+// "mv" included because, contra Wikipedia, google.mv exists.
+mv
+aero.mv
+biz.mv
+com.mv
+coop.mv
+edu.mv
+gov.mv
+info.mv
+int.mv
+mil.mv
+museum.mv
+name.mv
+net.mv
+org.mv
+pro.mv
+
+// mw : http://www.registrar.mw/
+mw
+ac.mw
+biz.mw
+co.mw
+com.mw
+coop.mw
+edu.mw
+gov.mw
+int.mw
+museum.mw
+net.mw
+org.mw
+
+// mx : http://www.nic.mx/
+// Submitted by registry 2008-06-19
+mx
+com.mx
+org.mx
+gob.mx
+edu.mx
+net.mx
+
+// my : http://www.mynic.net.my/
+my
+com.my
+net.my
+org.my
+gov.my
+edu.my
+mil.my
+name.my
+
+// mz : http://www.gobin.info/domainname/mz-template.doc
+*.mz
+!teledata.mz
+
+// na : http://www.na-nic.com.na/
+// http://www.info.na/domain/
+na
+info.na
+pro.na
+name.na
+school.na
+or.na
+dr.na
+us.na
+mx.na
+ca.na
+in.na
+cc.na
+tv.na
+ws.na
+mobi.na
+co.na
+com.na
+org.na
+
+// name : has 2nd-level tlds, but there's no list of them
+name
+
+// nc : http://www.cctld.nc/
+nc
+asso.nc
+
+// ne : http://en.wikipedia.org/wiki/.ne
+ne
+
+// net : http://en.wikipedia.org/wiki/.net
+net
+
+// nf : http://en.wikipedia.org/wiki/.nf
+nf
+com.nf
+net.nf
+per.nf
+rec.nf
+web.nf
+arts.nf
+firm.nf
+info.nf
+other.nf
+store.nf
+
+// ng : http://psg.com/dns/ng/
+ng
+com.ng
+edu.ng
+name.ng
+net.ng
+org.ng
+sch.ng
+gov.ng
+mil.ng
+mobi.ng
+
+// ni : http://www.nic.ni/dominios.htm
+*.ni
+
+// nl : http://www.domain-registry.nl/ace.php/c,728,122,,,,Home.html
+// Confirmed by registry (with technical
+// reservations) 2008-06-08
+nl
+
+// BV.nl will be a registry for dutch BV's (besloten vennootschap)
+bv.nl
+
+// no : http://www.norid.no/regelverk/index.en.html
+// The Norwegian registry has declined to notify us of updates. The web pages
+// referenced below are the official source of the data. There is also an
+// announce mailing list:
+// https://postlister.uninett.no/sympa/info/norid-diskusjon
+no
+// Norid generic domains : http://www.norid.no/regelverk/vedlegg-c.en.html
+fhs.no
+vgs.no
+fylkesbibl.no
+folkebibl.no
+museum.no
+idrett.no
+priv.no
+// Non-Norid generic domains : http://www.norid.no/regelverk/vedlegg-d.en.html
+mil.no
+stat.no
+dep.no
+kommune.no
+herad.no
+// no geographical names : http://www.norid.no/regelverk/vedlegg-b.en.html
+// counties
+aa.no
+ah.no
+bu.no
+fm.no
+hl.no
+hm.no
+jan-mayen.no
+mr.no
+nl.no
+nt.no
+of.no
+ol.no
+oslo.no
+rl.no
+sf.no
+st.no
+svalbard.no
+tm.no
+tr.no
+va.no
+vf.no
+// primary and lower secondary schools per county
+gs.aa.no
+gs.ah.no
+gs.bu.no
+gs.fm.no
+gs.hl.no
+gs.hm.no
+gs.jan-mayen.no
+gs.mr.no
+gs.nl.no
+gs.nt.no
+gs.of.no
+gs.ol.no
+gs.oslo.no
+gs.rl.no
+gs.sf.no
+gs.st.no
+gs.svalbard.no
+gs.tm.no
+gs.tr.no
+gs.va.no
+gs.vf.no
+// cities
+akrehamn.no
+åkrehamn.no
+algard.no
+ålgård.no
+arna.no
+brumunddal.no
+bryne.no
+bronnoysund.no
+brønnøysund.no
+drobak.no
+drøbak.no
+egersund.no
+fetsund.no
+floro.no
+florø.no
+fredrikstad.no
+hokksund.no
+honefoss.no
+hønefoss.no
+jessheim.no
+jorpeland.no
+jørpeland.no
+kirkenes.no
+kopervik.no
+krokstadelva.no
+langevag.no
+langevåg.no
+leirvik.no
+mjondalen.no
+mjøndalen.no
+mo-i-rana.no
+mosjoen.no
+mosjøen.no
+nesoddtangen.no
+orkanger.no
+osoyro.no
+osøyro.no
+raholt.no
+råholt.no
+sandnessjoen.no
+sandnessjøen.no
+skedsmokorset.no
+slattum.no
+spjelkavik.no
+stathelle.no
+stavern.no
+stjordalshalsen.no
+stjørdalshalsen.no
+tananger.no
+tranby.no
+vossevangen.no
+// communities
+afjord.no
+åfjord.no
+agdenes.no
+al.no
+ål.no
+alesund.no
+ålesund.no
+alstahaug.no
+alta.no
+áltá.no
+alaheadju.no
+álaheadju.no
+alvdal.no
+amli.no
+åmli.no
+amot.no
+åmot.no
+andebu.no
+andoy.no
+andøy.no
+andasuolo.no
+ardal.no
+årdal.no
+aremark.no
+arendal.no
+ås.no
+aseral.no
+åseral.no
+asker.no
+askim.no
+askvoll.no
+askoy.no
+askøy.no
+asnes.no
+åsnes.no
+audnedaln.no
+aukra.no
+aure.no
+aurland.no
+aurskog-holand.no
+aurskog-høland.no
+austevoll.no
+austrheim.no
+averoy.no
+averøy.no
+balestrand.no
+ballangen.no
+balat.no
+bálát.no
+balsfjord.no
+bahccavuotna.no
+báhccavuotna.no
+bamble.no
+bardu.no
+beardu.no
+beiarn.no
+bajddar.no
+bájddar.no
+baidar.no
+báidár.no
+berg.no
+bergen.no
+berlevag.no
+berlevåg.no
+bearalvahki.no
+bearalváhki.no
+bindal.no
+birkenes.no
+bjarkoy.no
+bjarkøy.no
+bjerkreim.no
+bjugn.no
+bodo.no
+bodø.no
+badaddja.no
+bådåddjå.no
+budejju.no
+bokn.no
+bremanger.no
+bronnoy.no
+brønnøy.no
+bygland.no
+bykle.no
+barum.no
+bærum.no
+bo.telemark.no
+bø.telemark.no
+bo.nordland.no
+bø.nordland.no
+bievat.no
+bievát.no
+bomlo.no
+bømlo.no
+batsfjord.no
+båtsfjord.no
+bahcavuotna.no
+báhcavuotna.no
+dovre.no
+drammen.no
+drangedal.no
+dyroy.no
+dyrøy.no
+donna.no
+dønna.no
+eid.no
+eidfjord.no
+eidsberg.no
+eidskog.no
+eidsvoll.no
+eigersund.no
+elverum.no
+enebakk.no
+engerdal.no
+etne.no
+etnedal.no
+evenes.no
+evenassi.no
+evenášši.no
+evje-og-hornnes.no
+farsund.no
+fauske.no
+fuossko.no
+fuoisku.no
+fedje.no
+fet.no
+finnoy.no
+finnøy.no
+fitjar.no
+fjaler.no
+fjell.no
+flakstad.no
+flatanger.no
+flekkefjord.no
+flesberg.no
+flora.no
+fla.no
+flå.no
+folldal.no
+forsand.no
+fosnes.no
+frei.no
+frogn.no
+froland.no
+frosta.no
+frana.no
+fræna.no
+froya.no
+frøya.no
+fusa.no
+fyresdal.no
+forde.no
+førde.no
+gamvik.no
+gangaviika.no
+gáŋgaviika.no
+gaular.no
+gausdal.no
+gildeskal.no
+gildeskål.no
+giske.no
+gjemnes.no
+gjerdrum.no
+gjerstad.no
+gjesdal.no
+gjovik.no
+gjøvik.no
+gloppen.no
+gol.no
+gran.no
+grane.no
+granvin.no
+gratangen.no
+grimstad.no
+grong.no
+kraanghke.no
+kråanghke.no
+grue.no
+gulen.no
+hadsel.no
+halden.no
+halsa.no
+hamar.no
+hamaroy.no
+habmer.no
+hábmer.no
+hapmir.no
+hápmir.no
+hammerfest.no
+hammarfeasta.no
+hámmárfeasta.no
+haram.no
+hareid.no
+harstad.no
+hasvik.no
+aknoluokta.no
+ákŋoluokta.no
+hattfjelldal.no
+aarborte.no
+haugesund.no
+hemne.no
+hemnes.no
+hemsedal.no
+heroy.more-og-romsdal.no
+herøy.møre-og-romsdal.no
+heroy.nordland.no
+herøy.nordland.no
+hitra.no
+hjartdal.no
+hjelmeland.no
+hobol.no
+hobøl.no
+hof.no
+hol.no
+hole.no
+holmestrand.no
+holtalen.no
+holtålen.no
+hornindal.no
+horten.no
+hurdal.no
+hurum.no
+hvaler.no
+hyllestad.no
+hagebostad.no
+hægebostad.no
+hoyanger.no
+høyanger.no
+hoylandet.no
+høylandet.no
+ha.no
+hå.no
+ibestad.no
+inderoy.no
+inderøy.no
+iveland.no
+jevnaker.no
+jondal.no
+jolster.no
+jølster.no
+karasjok.no
+karasjohka.no
+kárášjohka.no
+karlsoy.no
+galsa.no
+gálsá.no
+karmoy.no
+karmøy.no
+kautokeino.no
+guovdageaidnu.no
+klepp.no
+klabu.no
+klæbu.no
+kongsberg.no
+kongsvinger.no
+kragero.no
+kragerø.no
+kristiansand.no
+kristiansund.no
+krodsherad.no
+krødsherad.no
+kvalsund.no
+rahkkeravju.no
+ráhkkerávju.no
+kvam.no
+kvinesdal.no
+kvinnherad.no
+kviteseid.no
+kvitsoy.no
+kvitsøy.no
+kvafjord.no
+kvæfjord.no
+giehtavuoatna.no
+kvanangen.no
+kvænangen.no
+navuotna.no
+návuotna.no
+kafjord.no
+kåfjord.no
+gaivuotna.no
+gáivuotna.no
+larvik.no
+lavangen.no
+lavagis.no
+loabat.no
+loabát.no
+lebesby.no
+davvesiida.no
+leikanger.no
+leirfjord.no
+leka.no
+leksvik.no
+lenvik.no
+leangaviika.no
+leaŋgaviika.no
+lesja.no
+levanger.no
+lier.no
+lierne.no
+lillehammer.no
+lillesand.no
+lindesnes.no
+lindas.no
+lindås.no
+lom.no
+loppa.no
+lahppi.no
+láhppi.no
+lund.no
+lunner.no
+luroy.no
+lurøy.no
+luster.no
+lyngdal.no
+lyngen.no
+ivgu.no
+lardal.no
+lerdal.no
+lærdal.no
+lodingen.no
+lødingen.no
+lorenskog.no
+lørenskog.no
+loten.no
+løten.no
+malvik.no
+masoy.no
+måsøy.no
+muosat.no
+muosát.no
+mandal.no
+marker.no
+marnardal.no
+masfjorden.no
+meland.no
+meldal.no
+melhus.no
+meloy.no
+meløy.no
+meraker.no
+meråker.no
+moareke.no
+moåreke.no
+midsund.no
+midtre-gauldal.no
+modalen.no
+modum.no
+molde.no
+moskenes.no
+moss.no
+mosvik.no
+malselv.no
+målselv.no
+malatvuopmi.no
+málatvuopmi.no
+namdalseid.no
+aejrie.no
+namsos.no
+namsskogan.no
+naamesjevuemie.no
+nååmesjevuemie.no
+laakesvuemie.no
+nannestad.no
+narvik.no
+narviika.no
+naustdal.no
+nedre-eiker.no
+nes.akershus.no
+nes.buskerud.no
+nesna.no
+nesodden.no
+nesseby.no
+unjarga.no
+unjárga.no
+nesset.no
+nissedal.no
+nittedal.no
+nord-aurdal.no
+nord-fron.no
+nord-odal.no
+norddal.no
+nordkapp.no
+davvenjarga.no
+davvenjárga.no
+nordre-land.no
+nordreisa.no
+raisa.no
+ráisa.no
+nore-og-uvdal.no
+notodden.no
+naroy.no
+nærøy.no
+notteroy.no
+nøtterøy.no
+odda.no
+oksnes.no
+øksnes.no
+oppdal.no
+oppegard.no
+oppegård.no
+orkdal.no
+orland.no
+ørland.no
+orskog.no
+ørskog.no
+orsta.no
+ørsta.no
+os.hedmark.no
+os.hordaland.no
+osen.no
+osteroy.no
+osterøy.no
+ostre-toten.no
+østre-toten.no
+overhalla.no
+ovre-eiker.no
+øvre-eiker.no
+oyer.no
+øyer.no
+oygarden.no
+øygarden.no
+oystre-slidre.no
+øystre-slidre.no
+porsanger.no
+porsangu.no
+porsáŋgu.no
+porsgrunn.no
+radoy.no
+radøy.no
+rakkestad.no
+rana.no
+ruovat.no
+randaberg.no
+rauma.no
+rendalen.no
+rennebu.no
+rennesoy.no
+rennesøy.no
+rindal.no
+ringebu.no
+ringerike.no
+ringsaker.no
+rissa.no
+risor.no
+risør.no
+roan.no
+rollag.no
+rygge.no
+ralingen.no
+rælingen.no
+rodoy.no
+rødøy.no
+romskog.no
+rømskog.no
+roros.no
+røros.no
+rost.no
+røst.no
+royken.no
+røyken.no
+royrvik.no
+røyrvik.no
+rade.no
+råde.no
+salangen.no
+siellak.no
+saltdal.no
+salat.no
+sálát.no
+sálat.no
+samnanger.no
+sande.more-og-romsdal.no
+sande.møre-og-romsdal.no
+sande.vestfold.no
+sandefjord.no
+sandnes.no
+sandoy.no
+sandøy.no
+sarpsborg.no
+sauda.no
+sauherad.no
+sel.no
+selbu.no
+selje.no
+seljord.no
+sigdal.no
+siljan.no
+sirdal.no
+skaun.no
+skedsmo.no
+ski.no
+skien.no
+skiptvet.no
+skjervoy.no
+skjervøy.no
+skierva.no
+skiervá.no
+skjak.no
+skjåk.no
+skodje.no
+skanland.no
+skånland.no
+skanit.no
+skánit.no
+smola.no
+smøla.no
+snillfjord.no
+snasa.no
+snåsa.no
+snoasa.no
+snaase.no
+snåase.no
+sogndal.no
+sokndal.no
+sola.no
+solund.no
+songdalen.no
+sortland.no
+spydeberg.no
+stange.no
+stavanger.no
+steigen.no
+steinkjer.no
+stjordal.no
+stjørdal.no
+stokke.no
+stor-elvdal.no
+stord.no
+stordal.no
+storfjord.no
+omasvuotna.no
+strand.no
+stranda.no
+stryn.no
+sula.no
+suldal.no
+sund.no
+sunndal.no
+surnadal.no
+sveio.no
+svelvik.no
+sykkylven.no
+sogne.no
+søgne.no
+somna.no
+sømna.no
+sondre-land.no
+søndre-land.no
+sor-aurdal.no
+sør-aurdal.no
+sor-fron.no
+sør-fron.no
+sor-odal.no
+sør-odal.no
+sor-varanger.no
+sør-varanger.no
+matta-varjjat.no
+mátta-várjjat.no
+sorfold.no
+sørfold.no
+sorreisa.no
+sørreisa.no
+sorum.no
+sørum.no
+tana.no
+deatnu.no
+time.no
+tingvoll.no
+tinn.no
+tjeldsund.no
+dielddanuorri.no
+tjome.no
+tjøme.no
+tokke.no
+tolga.no
+torsken.no
+tranoy.no
+tranøy.no
+tromso.no
+tromsø.no
+tromsa.no
+romsa.no
+trondheim.no
+troandin.no
+trysil.no
+trana.no
+træna.no
+trogstad.no
+trøgstad.no
+tvedestrand.no
+tydal.no
+tynset.no
+tysfjord.no
+divtasvuodna.no
+divttasvuotna.no
+tysnes.no
+tysvar.no
+tysvær.no
+tonsberg.no
+tønsberg.no
+ullensaker.no
+ullensvang.no
+ulvik.no
+utsira.no
+vadso.no
+vadsø.no
+cahcesuolo.no
+čáhcesuolo.no
+vaksdal.no
+valle.no
+vang.no
+vanylven.no
+vardo.no
+vardø.no
+varggat.no
+várggát.no
+vefsn.no
+vaapste.no
+vega.no
+vegarshei.no
+vegårshei.no
+vennesla.no
+verdal.no
+verran.no
+vestby.no
+vestnes.no
+vestre-slidre.no
+vestre-toten.no
+vestvagoy.no
+vestvågøy.no
+vevelstad.no
+vik.no
+vikna.no
+vindafjord.no
+volda.no
+voss.no
+varoy.no
+værøy.no
+vagan.no
+vågan.no
+voagat.no
+vagsoy.no
+vågsøy.no
+vaga.no
+vågå.no
+valer.ostfold.no
+våler.østfold.no
+valer.hedmark.no
+våler.hedmark.no
+
+// np : http://www.mos.com.np/register.html
+*.np
+
+// nr : http://cenpac.net.nr/dns/index.html
+// Confirmed by registry 2008-06-17
+nr
+biz.nr
+info.nr
+gov.nr
+edu.nr
+org.nr
+net.nr
+com.nr
+
+// nu : http://en.wikipedia.org/wiki/.nu
+nu
+
+// nz : http://en.wikipedia.org/wiki/.nz
+// Confirmed by registry 2014-05-19
+nz
+ac.nz
+co.nz
+cri.nz
+geek.nz
+gen.nz
+govt.nz
+health.nz
+iwi.nz
+kiwi.nz
+maori.nz
+mil.nz
+māori.nz
+net.nz
+org.nz
+parliament.nz
+school.nz
+
+// om : http://en.wikipedia.org/wiki/.om
+om
+co.om
+com.om
+edu.om
+gov.om
+med.om
+museum.om
+net.om
+org.om
+pro.om
+
+// org : http://en.wikipedia.org/wiki/.org
+org
+
+// pa : http://www.nic.pa/
+// Some additional second level "domains" resolve directly as hostnames, such as
+// pannet.pa, so we add a rule for "pa".
+pa
+ac.pa
+gob.pa
+com.pa
+org.pa
+sld.pa
+edu.pa
+net.pa
+ing.pa
+abo.pa
+med.pa
+nom.pa
+
+// pe : https://www.nic.pe/InformeFinalComision.pdf
+pe
+edu.pe
+gob.pe
+nom.pe
+mil.pe
+org.pe
+com.pe
+net.pe
+
+// pf : http://www.gobin.info/domainname/formulaire-pf.pdf
+pf
+com.pf
+org.pf
+edu.pf
+
+// pg : http://en.wikipedia.org/wiki/.pg
+*.pg
+
+// ph : http://www.domains.ph/FAQ2.asp
+// Submitted by registry 2008-06-13
+ph
+com.ph
+net.ph
+org.ph
+gov.ph
+edu.ph
+ngo.ph
+mil.ph
+i.ph
+
+// pk : http://pk5.pknic.net.pk/pk5/msgNamepk.PK
+pk
+com.pk
+net.pk
+edu.pk
+org.pk
+fam.pk
+biz.pk
+web.pk
+gov.pk
+gob.pk
+gok.pk
+gon.pk
+gop.pk
+gos.pk
+info.pk
+
+// pl http://www.dns.pl/english/index.html
+// confirmed on 26.09.2014 from Bogna Tchórzewska
+pl
+com.pl
+net.pl
+org.pl
+info.pl
+waw.pl
+gov.pl
+// pl functional domains (http://www.dns.pl/english/index.html)
+aid.pl
+agro.pl
+atm.pl
+auto.pl
+biz.pl
+edu.pl
+gmina.pl
+gsm.pl
+mail.pl
+miasta.pl
+media.pl
+mil.pl
+nieruchomosci.pl
+nom.pl
+pc.pl
+powiat.pl
+priv.pl
+realestate.pl
+rel.pl
+sex.pl
+shop.pl
+sklep.pl
+sos.pl
+szkola.pl
+targi.pl
+tm.pl
+tourism.pl
+travel.pl
+turystyka.pl
+// Government domains (administred by ippt.gov.pl)
+uw.gov.pl
+um.gov.pl
+ug.gov.pl
+upow.gov.pl
+starostwo.gov.pl
+so.gov.pl
+sr.gov.pl
+po.gov.pl
+pa.gov.pl
+// pl regional domains (http://www.dns.pl/english/index.html)
+augustow.pl
+babia-gora.pl
+bedzin.pl
+beskidy.pl
+bialowieza.pl
+bialystok.pl
+bielawa.pl
+bieszczady.pl
+boleslawiec.pl
+bydgoszcz.pl
+bytom.pl
+cieszyn.pl
+czeladz.pl
+czest.pl
+dlugoleka.pl
+elblag.pl
+elk.pl
+glogow.pl
+gniezno.pl
+gorlice.pl
+grajewo.pl
+ilawa.pl
+jaworzno.pl
+jelenia-gora.pl
+jgora.pl
+kalisz.pl
+kazimierz-dolny.pl
+karpacz.pl
+kartuzy.pl
+kaszuby.pl
+katowice.pl
+kepno.pl
+ketrzyn.pl
+klodzko.pl
+kobierzyce.pl
+kolobrzeg.pl
+konin.pl
+konskowola.pl
+kutno.pl
+lapy.pl
+lebork.pl
+legnica.pl
+lezajsk.pl
+limanowa.pl
+lomza.pl
+lowicz.pl
+lubin.pl
+lukow.pl
+malbork.pl
+malopolska.pl
+mazowsze.pl
+mazury.pl
+mielec.pl
+mielno.pl
+mragowo.pl
+naklo.pl
+nowaruda.pl
+nysa.pl
+olawa.pl
+olecko.pl
+olkusz.pl
+olsztyn.pl
+opoczno.pl
+opole.pl
+ostroda.pl
+ostroleka.pl
+ostrowiec.pl
+ostrowwlkp.pl
+pila.pl
+pisz.pl
+podhale.pl
+podlasie.pl
+polkowice.pl
+pomorze.pl
+pomorskie.pl
+prochowice.pl
+pruszkow.pl
+przeworsk.pl
+pulawy.pl
+radom.pl
+rawa-maz.pl
+rybnik.pl
+rzeszow.pl
+sanok.pl
+sejny.pl
+slask.pl
+slupsk.pl
+sosnowiec.pl
+stalowa-wola.pl
+skoczow.pl
+starachowice.pl
+stargard.pl
+suwalki.pl
+swidnica.pl
+swiebodzin.pl
+swinoujscie.pl
+szczecin.pl
+szczytno.pl
+tarnobrzeg.pl
+tgory.pl
+turek.pl
+tychy.pl
+ustka.pl
+walbrzych.pl
+warmia.pl
+warszawa.pl
+wegrow.pl
+wielun.pl
+wlocl.pl
+wloclawek.pl
+wodzislaw.pl
+wolomin.pl
+wroclaw.pl
+zachpomor.pl
+zagan.pl
+zarow.pl
+zgora.pl
+zgorzelec.pl
+
+// pm : http://www.afnic.fr/medias/documents/AFNIC-naming-policy2012.pdf
+pm
+
+// pn : http://www.government.pn/PnRegistry/policies.htm
+pn
+gov.pn
+co.pn
+org.pn
+edu.pn
+net.pn
+
+// post : http://en.wikipedia.org/wiki/.post
+post
+
+// pr : http://www.nic.pr/index.asp?f=1
+pr
+com.pr
+net.pr
+org.pr
+gov.pr
+edu.pr
+isla.pr
+pro.pr
+biz.pr
+info.pr
+name.pr
+// these aren't mentioned on nic.pr, but on http://en.wikipedia.org/wiki/.pr
+est.pr
+prof.pr
+ac.pr
+
+// pro : http://www.nic.pro/support_faq.htm
+pro
+aca.pro
+bar.pro
+cpa.pro
+jur.pro
+law.pro
+med.pro
+eng.pro
+
+// ps : http://en.wikipedia.org/wiki/.ps
+// http://www.nic.ps/registration/policy.html#reg
+ps
+edu.ps
+gov.ps
+sec.ps
+plo.ps
+com.ps
+org.ps
+net.ps
+
+// pt : http://online.dns.pt/dns/start_dns
+pt
+net.pt
+gov.pt
+org.pt
+edu.pt
+int.pt
+publ.pt
+com.pt
+nome.pt
+
+// pw : http://en.wikipedia.org/wiki/.pw
+pw
+co.pw
+ne.pw
+or.pw
+ed.pw
+go.pw
+belau.pw
+
+// py : http://www.nic.py/pautas.html#seccion_9
+// Confirmed by registry 2012-10-03
+py
+com.py
+coop.py
+edu.py
+gov.py
+mil.py
+net.py
+org.py
+
+// qa : http://domains.qa/en/
+qa
+com.qa
+edu.qa
+gov.qa
+mil.qa
+name.qa
+net.qa
+org.qa
+sch.qa
+
+// re : http://www.afnic.re/obtenir/chartes/nommage-re/annexe-descriptifs
+re
+com.re
+asso.re
+nom.re
+
+// ro : http://www.rotld.ro/
+ro
+com.ro
+org.ro
+tm.ro
+nt.ro
+nom.ro
+info.ro
+rec.ro
+arts.ro
+firm.ro
+store.ro
+www.ro
+
+// rs : http://en.wikipedia.org/wiki/.rs
+rs
+co.rs
+org.rs
+edu.rs
+ac.rs
+gov.rs
+in.rs
+
+// ru : http://www.cctld.ru/ru/docs/aktiv_8.php
+// Industry domains
+ru
+ac.ru
+com.ru
+edu.ru
+int.ru
+net.ru
+org.ru
+pp.ru
+// Geographical domains
+adygeya.ru
+altai.ru
+amur.ru
+arkhangelsk.ru
+astrakhan.ru
+bashkiria.ru
+belgorod.ru
+bir.ru
+bryansk.ru
+buryatia.ru
+cbg.ru
+chel.ru
+chelyabinsk.ru
+chita.ru
+chukotka.ru
+chuvashia.ru
+dagestan.ru
+dudinka.ru
+e-burg.ru
+grozny.ru
+irkutsk.ru
+ivanovo.ru
+izhevsk.ru
+jar.ru
+joshkar-ola.ru
+kalmykia.ru
+kaluga.ru
+kamchatka.ru
+karelia.ru
+kazan.ru
+kchr.ru
+kemerovo.ru
+khabarovsk.ru
+khakassia.ru
+khv.ru
+kirov.ru
+koenig.ru
+komi.ru
+kostroma.ru
+krasnoyarsk.ru
+kuban.ru
+kurgan.ru
+kursk.ru
+lipetsk.ru
+magadan.ru
+mari.ru
+mari-el.ru
+marine.ru
+mordovia.ru
+// mosreg.ru Bug 1090800 - removed at request of Aleksey Konstantinov
+msk.ru
+murmansk.ru
+nalchik.ru
+nnov.ru
+nov.ru
+novosibirsk.ru
+nsk.ru
+omsk.ru
+orenburg.ru
+oryol.ru
+palana.ru
+penza.ru
+perm.ru
+ptz.ru
+rnd.ru
+ryazan.ru
+sakhalin.ru
+samara.ru
+saratov.ru
+simbirsk.ru
+smolensk.ru
+spb.ru
+stavropol.ru
+stv.ru
+surgut.ru
+tambov.ru
+tatarstan.ru
+tom.ru
+tomsk.ru
+tsaritsyn.ru
+tsk.ru
+tula.ru
+tuva.ru
+tver.ru
+tyumen.ru
+udm.ru
+udmurtia.ru
+ulan-ude.ru
+vladikavkaz.ru
+vladimir.ru
+vladivostok.ru
+volgograd.ru
+vologda.ru
+voronezh.ru +vrn.ru +vyatka.ru +yakutia.ru +yamal.ru +yaroslavl.ru +yekaterinburg.ru +yuzhno-sakhalinsk.ru +// More geographical domains +amursk.ru +baikal.ru +cmw.ru +fareast.ru +jamal.ru +kms.ru +k-uralsk.ru +kustanai.ru +kuzbass.ru +magnitka.ru +mytis.ru +nakhodka.ru +nkz.ru +norilsk.ru +oskol.ru +pyatigorsk.ru +rubtsovsk.ru +snz.ru +syzran.ru +vdonsk.ru +zgrad.ru +// State domains +gov.ru +mil.ru +// Technical domains +test.ru + +// rw : http://www.nic.rw/cgi-bin/policy.pl +rw +gov.rw +net.rw +edu.rw +ac.rw +com.rw +co.rw +int.rw +mil.rw +gouv.rw + +// sa : http://www.nic.net.sa/ +sa +com.sa +net.sa +org.sa +gov.sa +med.sa +pub.sa +edu.sa +sch.sa + +// sb : http://www.sbnic.net.sb/ +// Submitted by registry 2008-06-08 +sb +com.sb +edu.sb +gov.sb +net.sb +org.sb + +// sc : http://www.nic.sc/ +sc +com.sc +gov.sc +net.sc +org.sc +edu.sc + +// sd : http://www.isoc.sd/sudanic.isoc.sd/billing_pricing.htm +// Submitted by registry 2008-06-17 +sd +com.sd +net.sd +org.sd +edu.sd +med.sd +tv.sd +gov.sd +info.sd + +// se : http://en.wikipedia.org/wiki/.se +// Submitted by registry 2014-03-18 +se +a.se +ac.se +b.se +bd.se +brand.se +c.se +d.se +e.se +f.se +fh.se +fhsk.se +fhv.se +g.se +h.se +i.se +k.se +komforb.se +kommunalforbund.se +komvux.se +l.se +lanbib.se +m.se +n.se +naturbruksgymn.se +o.se +org.se +p.se +parti.se +pp.se +press.se +r.se +s.se +t.se +tm.se +u.se +w.se +x.se +y.se +z.se + +// sg : http://www.nic.net.sg/page/registration-policies-procedures-and-guidelines +sg +com.sg +net.sg +org.sg +gov.sg +edu.sg +per.sg + +// sh : http://www.nic.sh/registrar.html +sh +com.sh +net.sh +gov.sh +org.sh +mil.sh + +// si : http://en.wikipedia.org/wiki/.si +si + +// sj : No registrations at this time. +// Submitted by registry 2008-06-16 +sj + +// sk : http://en.wikipedia.org/wiki/.sk +// list of 2nd level domains ? 
+sk + +// sl : http://www.nic.sl +// Submitted by registry 2008-06-12 +sl +com.sl +net.sl +edu.sl +gov.sl +org.sl + +// sm : http://en.wikipedia.org/wiki/.sm +sm + +// sn : http://en.wikipedia.org/wiki/.sn +sn +art.sn +com.sn +edu.sn +gouv.sn +org.sn +perso.sn +univ.sn + +// so : http://www.soregistry.com/ +so +com.so +net.so +org.so + +// sr : http://en.wikipedia.org/wiki/.sr +sr + +// st : http://www.nic.st/html/policyrules/ +st +co.st +com.st +consulado.st +edu.st +embaixada.st +gov.st +mil.st +net.st +org.st +principe.st +saotome.st +store.st + +// su : http://en.wikipedia.org/wiki/.su +su + +// sv : http://www.svnet.org.sv/niveldos.pdf +sv +com.sv +edu.sv +gob.sv +org.sv +red.sv + +// sx : http://en.wikipedia.org/wiki/.sx +// Confirmed by registry 2012-05-31 +sx +gov.sx + +// sy : http://en.wikipedia.org/wiki/.sy +// see also: http://www.gobin.info/domainname/sy.doc +sy +edu.sy +gov.sy +net.sy +mil.sy +com.sy +org.sy + +// sz : http://en.wikipedia.org/wiki/.sz +// http://www.sispa.org.sz/ +sz +co.sz +ac.sz +org.sz + +// tc : http://en.wikipedia.org/wiki/.tc +tc + +// td : http://en.wikipedia.org/wiki/.td +td + +// tel: http://en.wikipedia.org/wiki/.tel +// http://www.telnic.org/ +tel + +// tf : http://en.wikipedia.org/wiki/.tf +tf + +// tg : http://en.wikipedia.org/wiki/.tg +// http://www.nic.tg/ +tg + +// th : http://en.wikipedia.org/wiki/.th +// Submitted by registry 2008-06-17 +th +ac.th +co.th +go.th +in.th +mi.th +net.th +or.th + +// tj : http://www.nic.tj/policy.html +tj +ac.tj +biz.tj +co.tj +com.tj +edu.tj +go.tj +gov.tj +int.tj +mil.tj +name.tj +net.tj +nic.tj +org.tj +test.tj +web.tj + +// tk : http://en.wikipedia.org/wiki/.tk +tk + +// tl : http://en.wikipedia.org/wiki/.tl +tl +gov.tl + +// tm : http://www.nic.tm/local.html +tm +com.tm +co.tm +org.tm +net.tm +nom.tm +gov.tm +mil.tm +edu.tm + +// tn : http://en.wikipedia.org/wiki/.tn +// http://whois.ati.tn/ +tn +com.tn +ens.tn +fin.tn +gov.tn +ind.tn +intl.tn +nat.tn +net.tn +org.tn +info.tn 
+perso.tn +tourism.tn +edunet.tn +rnrt.tn +rns.tn +rnu.tn +mincom.tn +agrinet.tn +defense.tn +turen.tn + +// to : http://en.wikipedia.org/wiki/.to +// Submitted by registry 2008-06-17 +to +com.to +gov.to +net.to +org.to +edu.to +mil.to + +// tp : No registrations at this time. +// Submitted by Ryan Sleevi 2014-01-03 +tp + +// subTLDs: https://www.nic.tr/forms/eng/policies.pdf +// and: https://www.nic.tr/forms/politikalar.pdf +// Submitted by 2014-07-19 +tr +com.tr +info.tr +biz.tr +net.tr +org.tr +web.tr +gen.tr +tv.tr +av.tr +dr.tr +bbs.tr +name.tr +tel.tr +gov.tr +bel.tr +pol.tr +mil.tr +k12.tr +edu.tr +kep.tr + +// Used by Northern Cyprus +nc.tr + +// Used by government agencies of Northern Cyprus +gov.nc.tr + +// travel : http://en.wikipedia.org/wiki/.travel +travel + +// tt : http://www.nic.tt/ +tt +co.tt +com.tt +org.tt +net.tt +biz.tt +info.tt +pro.tt +int.tt +coop.tt +jobs.tt +mobi.tt +travel.tt +museum.tt +aero.tt +name.tt +gov.tt +edu.tt + +// tv : http://en.wikipedia.org/wiki/.tv +// Not listing any 2LDs as reserved since none seem to exist in practice, +// Wikipedia notwithstanding. 
+tv + +// tw : http://en.wikipedia.org/wiki/.tw +tw +edu.tw +gov.tw +mil.tw +com.tw +net.tw +org.tw +idv.tw +game.tw +ebiz.tw +club.tw +網路.tw +組織.tw +商業.tw + +// tz : http://www.tznic.or.tz/index.php/domains +// Confirmed by registry 2013-01-22 +tz +ac.tz +co.tz +go.tz +hotel.tz +info.tz +me.tz +mil.tz +mobi.tz +ne.tz +or.tz +sc.tz +tv.tz + +// ua : https://hostmaster.ua/policy/?ua +// Submitted by registry 2012-04-27 +ua +// ua 2LD +com.ua +edu.ua +gov.ua +in.ua +net.ua +org.ua +// ua geographic names +// https://hostmaster.ua/2ld/ +cherkassy.ua +cherkasy.ua +chernigov.ua +chernihiv.ua +chernivtsi.ua +chernovtsy.ua +ck.ua +cn.ua +cr.ua +crimea.ua +cv.ua +dn.ua +dnepropetrovsk.ua +dnipropetrovsk.ua +dominic.ua +donetsk.ua +dp.ua +if.ua +ivano-frankivsk.ua +kh.ua +kharkiv.ua +kharkov.ua +kherson.ua +khmelnitskiy.ua +khmelnytskyi.ua +kiev.ua +kirovograd.ua +km.ua +kr.ua +krym.ua +ks.ua +kv.ua +kyiv.ua +lg.ua +lt.ua +lugansk.ua +lutsk.ua +lv.ua +lviv.ua +mk.ua +mykolaiv.ua +nikolaev.ua +od.ua +odesa.ua +odessa.ua +pl.ua +poltava.ua +rivne.ua +rovno.ua +rv.ua +sb.ua +sebastopol.ua +sevastopol.ua +sm.ua +sumy.ua +te.ua +ternopil.ua +uz.ua +uzhgorod.ua +vinnica.ua +vinnytsia.ua +vn.ua +volyn.ua +yalta.ua +zaporizhzhe.ua +zaporizhzhia.ua +zhitomir.ua +zhytomyr.ua +zp.ua +zt.ua + +// Private registries in .ua +co.ua +pp.ua + +// ug : https://www.registry.co.ug/ +ug +co.ug +or.ug +ac.ug +sc.ug +go.ug +ne.ug +com.ug +org.ug + +// uk : http://en.wikipedia.org/wiki/.uk +// Submitted by registry +uk +ac.uk +co.uk +gov.uk +ltd.uk +me.uk +net.uk +nhs.uk +org.uk +plc.uk +police.uk +*.sch.uk + +// us : http://en.wikipedia.org/wiki/.us +us +dni.us +fed.us +isa.us +kids.us +nsn.us +// us geographic names +ak.us +al.us +ar.us +as.us +az.us +ca.us +co.us +ct.us +dc.us +de.us +fl.us +ga.us +gu.us +hi.us +ia.us +id.us +il.us +in.us +ks.us +ky.us +la.us +ma.us +md.us +me.us +mi.us +mn.us +mo.us +ms.us +mt.us +nc.us +nd.us +ne.us +nh.us +nj.us +nm.us +nv.us +ny.us +oh.us +ok.us +or.us 
+pa.us +pr.us +ri.us +sc.us +sd.us +tn.us +tx.us +ut.us +vi.us +vt.us +va.us +wa.us +wi.us +wv.us +wy.us +// The registrar notes several more specific domains available in each state, +// such as state.*.us, dst.*.us, etc., but resolution of these is somewhat +// haphazard; in some states these domains resolve as addresses, while in others +// only subdomains are available, or even nothing at all. We include the +// most common ones where it's clear that different sites are different +// entities. +k12.ak.us +k12.al.us +k12.ar.us +k12.as.us +k12.az.us +k12.ca.us +k12.co.us +k12.ct.us +k12.dc.us +k12.de.us +k12.fl.us +k12.ga.us +k12.gu.us +// k12.hi.us Bug 614565 - Hawaii has a state-wide DOE login +k12.ia.us +k12.id.us +k12.il.us +k12.in.us +k12.ks.us +k12.ky.us +k12.la.us +k12.ma.us +k12.md.us +k12.me.us +k12.mi.us +k12.mn.us +k12.mo.us +k12.ms.us +k12.mt.us +k12.nc.us +// k12.nd.us Bug 1028347 - Removed at request of Travis Rosso +k12.ne.us +k12.nh.us +k12.nj.us +k12.nm.us +k12.nv.us +k12.ny.us +k12.oh.us +k12.ok.us +k12.or.us +k12.pa.us +k12.pr.us +k12.ri.us +k12.sc.us +// k12.sd.us Bug 934131 - Removed at request of James Booze +k12.tn.us +k12.tx.us +k12.ut.us +k12.vi.us +k12.vt.us +k12.va.us +k12.wa.us +k12.wi.us +// k12.wv.us Bug 947705 - Removed at request of Verne Britton +k12.wy.us +cc.ak.us +cc.al.us +cc.ar.us +cc.as.us +cc.az.us +cc.ca.us +cc.co.us +cc.ct.us +cc.dc.us +cc.de.us +cc.fl.us +cc.ga.us +cc.gu.us +cc.hi.us +cc.ia.us +cc.id.us +cc.il.us +cc.in.us +cc.ks.us +cc.ky.us +cc.la.us +cc.ma.us +cc.md.us +cc.me.us +cc.mi.us +cc.mn.us +cc.mo.us +cc.ms.us +cc.mt.us +cc.nc.us +cc.nd.us +cc.ne.us +cc.nh.us +cc.nj.us +cc.nm.us +cc.nv.us +cc.ny.us +cc.oh.us +cc.ok.us +cc.or.us +cc.pa.us +cc.pr.us +cc.ri.us +cc.sc.us +cc.sd.us +cc.tn.us +cc.tx.us +cc.ut.us +cc.vi.us +cc.vt.us +cc.va.us +cc.wa.us +cc.wi.us +cc.wv.us +cc.wy.us +lib.ak.us +lib.al.us +lib.ar.us +lib.as.us +lib.az.us +lib.ca.us +lib.co.us +lib.ct.us +lib.dc.us +lib.de.us +lib.fl.us +lib.ga.us 
+lib.gu.us +lib.hi.us +lib.ia.us +lib.id.us +lib.il.us +lib.in.us +lib.ks.us +lib.ky.us +lib.la.us +lib.ma.us +lib.md.us +lib.me.us +lib.mi.us +lib.mn.us +lib.mo.us +lib.ms.us +lib.mt.us +lib.nc.us +lib.nd.us +lib.ne.us +lib.nh.us +lib.nj.us +lib.nm.us +lib.nv.us +lib.ny.us +lib.oh.us +lib.ok.us +lib.or.us +lib.pa.us +lib.pr.us +lib.ri.us +lib.sc.us +lib.sd.us +lib.tn.us +lib.tx.us +lib.ut.us +lib.vi.us +lib.vt.us +lib.va.us +lib.wa.us +lib.wi.us +// lib.wv.us Bug 941670 - Removed at request of Larry W Arnold +lib.wy.us +// k12.ma.us contains school districts in Massachusetts. The 4LDs are +// managed indepedently except for private (PVT), charter (CHTR) and +// parochial (PAROCH) schools. Those are delegated dorectly to the +// 5LD operators. +pvt.k12.ma.us +chtr.k12.ma.us +paroch.k12.ma.us + +// uy : http://www.nic.org.uy/ +uy +com.uy +edu.uy +gub.uy +mil.uy +net.uy +org.uy + +// uz : http://www.reg.uz/ +uz +co.uz +com.uz +net.uz +org.uz + +// va : http://en.wikipedia.org/wiki/.va +va + +// vc : http://en.wikipedia.org/wiki/.vc +// Submitted by registry 2008-06-13 +vc +com.vc +net.vc +org.vc +gov.vc +mil.vc +edu.vc + +// ve : https://registro.nic.ve/ +// Confirmed by registry 2012-10-04 +// Updated 2014-05-20 - Bug 940478 +ve +arts.ve +co.ve +com.ve +e12.ve +edu.ve +firm.ve +gob.ve +gov.ve +info.ve +int.ve +mil.ve +net.ve +org.ve +rec.ve +store.ve +tec.ve +web.ve + +// vg : http://en.wikipedia.org/wiki/.vg +vg + +// vi : http://www.nic.vi/newdomainform.htm +// http://www.nic.vi/Domain_Rules/body_domain_rules.html indicates some other +// TLDs are "reserved", such as edu.vi and gov.vi, but doesn't actually say they +// are available for registration (which they do not seem to be). 
+vi +co.vi +com.vi +k12.vi +net.vi +org.vi + +// vn : https://www.dot.vn/vnnic/vnnic/domainregistration.jsp +vn +com.vn +net.vn +org.vn +edu.vn +gov.vn +int.vn +ac.vn +biz.vn +info.vn +name.vn +pro.vn +health.vn + +// vu : http://en.wikipedia.org/wiki/.vu +// http://www.vunic.vu/ +vu +com.vu +edu.vu +net.vu +org.vu + +// wf : http://www.afnic.fr/medias/documents/AFNIC-naming-policy2012.pdf +wf + +// ws : http://en.wikipedia.org/wiki/.ws +// http://samoanic.ws/index.dhtml +ws +com.ws +net.ws +org.ws +gov.ws +edu.ws + +// yt : http://www.afnic.fr/medias/documents/AFNIC-naming-policy2012.pdf +yt + +// IDN ccTLDs +// Please sort by ISO 3166 ccTLD, then punicode string +// when submitting patches and follow this format: +// ("" ) : +// [optional sponsoring org] +// + +// xn--mgbaam7a8h ("Emerat" Arabic) : AE +// http://nic.ae/english/arabicdomain/rules.jsp +امارات + +// xn--54b7fta0cc ("Bangla" Bangla) : BD +বাংলা + +// xn--fiqs8s ("China" Chinese-Han-Simplified <.Zhongguo>) : CN +// CNNIC +// http://cnnic.cn/html/Dir/2005/10/11/3218.htm +中国 + +// xn--fiqz9s ("China" Chinese-Han-Traditional <.Zhongguo>) : CN +// CNNIC +// http://cnnic.cn/html/Dir/2005/10/11/3218.htm +中國 + +// xn--lgbbat1ad8j ("Algeria / Al Jazair" Arabic) : DZ +الجزائر + +// xn--wgbh1c ("Egypt" Arabic .masr) : EG +// http://www.dotmasr.eg/ +مصر + +// xn--node ("ge" Georgian (Mkhedruli)) : GE +გე + +// xn--j6w193g ("Hong Kong" Chinese-Han) : HK +// https://www2.hkirc.hk/register/rules.jsp +香港 + +// xn--h2brj9c ("Bharat" Devanagari) : IN +// India +भारत + +// xn--mgbbh1a71e ("Bharat" Arabic) : IN +// India +بھارت + +// xn--fpcrj9c3d ("Bharat" Telugu) : IN +// India +భారత్ + +// xn--gecrj9c ("Bharat" Gujarati) : IN +// India +ભારત + +// xn--s9brj9c ("Bharat" Gurmukhi) : IN +// India +ਭਾਰਤ + +// xn--45brj9c ("Bharat" Bengali) : IN +// India +ভারত + +// xn--xkc2dl3a5ee0h ("India" Tamil) : IN +// India +இந்தியா + +// xn--mgba3a4f16a ("Iran" Persian) : IR +ایران + +// xn--mgba3a4fra ("Iran" Arabic) : IR +ايران 
+ +// xn--mgbayh7gpa ("al-Ordon" Arabic) : JO +// National Information Technology Center (NITC) +// Royal Scientific Society, Al-Jubeiha +الاردن + +// xn--3e0b707e ("Republic of Korea" Hangul) : KR +한국 + +// xn--80ao21a ("Kaz" Kazakh) : KZ +қаз + +// xn--fzc2c9e2c ("Lanka" Sinhalese-Sinhala) : LK +// http://nic.lk +ලංකා + +// xn--xkc2al3hye2a ("Ilangai" Tamil) : LK +// http://nic.lk +இலங்கை + +// xn--mgbc0a9azcg ("Morocco / al-Maghrib" Arabic) : MA +المغرب + +// xn--l1acc ("mon" Mongolian) : MN +мон + +// xn--mgbx4cd0ab ("Malaysia" Malay) : MY +مليسيا + +// xn--mgb9awbf ("Oman" Arabic) : OM +عمان + +// xn--ygbi2ammx ("Falasteen" Arabic) : PS +// The Palestinian National Internet Naming Authority (PNINA) +// http://www.pnina.ps +فلسطين + +// xn--90a3ac ("srb" Cyrillic) : RS +// http://www.rnids.rs/en/the-.срб-domain +срб +пр.срб +орг.срб +обр.срб +од.срб +упр.срб +ак.срб + +// xn--p1ai ("rf" Russian-Cyrillic) : RU +// http://www.cctld.ru/en/docs/rulesrf.php +рф + +// xn--wgbl6a ("Qatar" Arabic) : QA +// http://www.ict.gov.qa/ +قطر + +// xn--mgberp4a5d4ar ("AlSaudiah" Arabic) : SA +// http://www.nic.net.sa/ +السعودية + +// xn--mgberp4a5d4a87g ("AlSaudiah" Arabic) variant : SA +السعودیة + +// xn--mgbqly7c0a67fbc ("AlSaudiah" Arabic) variant : SA +السعودیۃ + +// xn--mgbqly7cvafr ("AlSaudiah" Arabic) variant : SA +السعوديه + +// xn--ogbpf8fl ("Syria" Arabic) : SY +سورية + +// xn--mgbtf8fl ("Syria" Arabic) variant : SY +سوريا + +// xn--yfro4i67o Singapore ("Singapore" Chinese-Han) : SG +新加坡 + +// xn--clchc0ea0b2g2a9gcd ("Singapore" Tamil) : SG +சிங்கப்பூர் + +// xn--o3cw4h ("Thai" Thai) : TH +// http://www.thnic.co.th +ไทย + +// xn--pgbs0dh ("Tunis") : TN +// http://nic.tn +تونس + +// xn--kpry57d ("Taiwan" Chinese-Han-Traditional) : TW +// http://www.twnic.net/english/dn/dn_07a.htm +台灣 + +// xn--kprw13d ("Taiwan" Chinese-Han-Simplified) : TW +// http://www.twnic.net/english/dn/dn_07a.htm +台湾 + +// xn--nnx388a ("Taiwan") variant : TW +臺灣 + +// xn--j1amh ("ukr" Cyrillic) : 
UA +укр + +// xn--mgb2ddes ("AlYemen" Arabic) : YE +اليمن + +// xxx : http://icmregistry.com +xxx + +// ye : http://www.y.net.ye/services/domain_name.htm +*.ye + +// za : http://www.zadna.org.za/slds.html +*.za + +// zm : http://en.wikipedia.org/wiki/.zm +*.zm + +// zw : http://en.wikipedia.org/wiki/.zw +*.zw + + +// List of new gTLDs imported from https://newgtlds.icann.org/newgtlds.csv on 2015-01-27T00:02:07Z + +// abb : 2014-10-24 ABB Ltd +abb + +// abbott : 2014-07-24 Abbott Laboratories, Inc. +abbott + +// abogado : 2014-04-24 Top Level Domain Holdings Limited +abogado + +// academy : 2013-11-07 Half Oaks, LLC +academy + +// accenture : 2014-08-15 Accenture plc +accenture + +// accountant : 2014-11-20 dot Accountant Limited +accountant + +// accountants : 2014-03-20 Knob Town, LLC +accountants + +// aco : 2015-01-08 ACO Severin Ahlmann GmbH & Co. KG +aco + +// active : 2014-05-01 The Active Network, Inc +active + +// actor : 2013-12-12 United TLD Holdco Ltd. +actor + +// ads : 2014-12-04 Charleston Road Registry Inc. +ads + +// adult : 2014-10-16 ICM Registry AD LLC +adult + +// afl : 2014-10-02 Australian Football League +afl + +// africa : 2014-03-24 ZA Central Registry NPC trading as Registry.Africa +africa + +// agency : 2013-11-14 Steel Falls, LLC +agency + +// aig : 2014-12-18 American International Group, Inc. +aig + +// airforce : 2014-03-06 United TLD Holdco Ltd. +airforce + +// airtel : 2014-10-24 Bharti Airtel Limited +airtel + +// alibaba : 2015-01-15 Alibaba Group Holding Limited +alibaba + +// alipay : 2015-01-15 Alibaba Group Holding Limited +alipay + +// allfinanz : 2014-07-03 Allfinanz Deutsche Vermögensberatung Aktiengesellschaft +allfinanz + +// alsace : 2014-07-02 REGION D ALSACE +alsace + +// amsterdam : 2014-07-24 Gemeente Amsterdam +amsterdam + +// analytics : 2014-12-18 Campus IP LLC +analytics + +// android : 2014-08-07 Charleston Road Registry Inc. +android + +// anquan : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD. 
+anquan + +// apartments : 2014-12-11 June Maple, LLC +apartments + +// aquarelle : 2014-07-24 Aquarelle.com +aquarelle + +// aramco : 2014-11-20 Aramco Services Company +aramco + +// archi : 2014-02-06 STARTING DOT LIMITED +archi + +// army : 2014-03-06 United TLD Holdco Ltd. +army + +// arte : 2014-12-11 Association Relative à la Télévision Européenne G.E.I.E. +arte + +// associates : 2014-03-06 Baxter Hill, LLC +associates + +// attorney : 2014-03-20 +attorney + +// auction : 2014-03-20 +auction + +// audio : 2014-03-20 Uniregistry, Corp. +audio + +// author : 2014-12-18 Amazon EU S.à r.l. +author + +// auto : 2014-11-13 Uniregistry, Corp. +auto + +// autos : 2014-01-09 DERAutos, LLC +autos + +// avianca : 2015-01-08 Aerovias del Continente Americano S.A. Avianca +avianca + +// axa : 2013-12-19 AXA SA +axa + +// azure : 2014-12-18 Microsoft Corporation +azure + +// baidu : 2015-01-08 Baidu, Inc. +baidu + +// band : 2014-06-12 +band + +// bank : 2014-09-25 fTLD Registry Services LLC +bank + +// bar : 2013-12-12 Punto 2012 Sociedad Anonima Promotora de Inversion de Capital Variable +bar + +// barcelona : 2014-07-24 Municipi de Barcelona +barcelona + +// barclaycard : 2014-11-20 Barclays Bank PLC +barclaycard + +// barclays : 2014-11-20 Barclays Bank PLC +barclays + +// bargains : 2013-11-14 Half Hallow, LLC +bargains + +// bauhaus : 2014-04-17 Werkhaus GmbH +bauhaus + +// bayern : 2014-01-23 Bayern Connect GmbH +bayern + +// bbc : 2014-12-18 British Broadcasting Corporation +bbc + +// bbva : 2014-10-02 BANCO BILBAO VIZCAYA ARGENTARIA, S.A. +bbva + +// bcn : 2014-07-24 Municipi de Barcelona +bcn + +// beer : 2014-01-09 Top Level Domain Holdings Limited +beer + +// bentley : 2014-12-18 Bentley Motors Limited +bentley + +// berlin : 2013-10-31 dotBERLIN GmbH & Co. 
KG +berlin + +// best : 2013-12-19 BestTLD Pty Ltd +best + +// bharti : 2014-01-09 Bharti Enterprises (Holding) Private Limited +bharti + +// bible : 2014-06-19 American Bible Society +bible + +// bid : 2013-12-19 dot Bid Limited +bid + +// bike : 2013-08-27 Grand Hollow, LLC +bike + +// bing : 2014-12-18 Microsoft Corporation +bing + +// bingo : 2014-12-04 Sand Cedar, LLC +bingo + +// bio : 2014-03-06 STARTING DOT LIMITED +bio + +// black : 2014-01-16 Afilias Limited +black + +// blackfriday : 2014-01-16 Uniregistry, Corp. +blackfriday + +// bloomberg : 2014-07-17 Bloomberg IP Holdings LLC +bloomberg + +// blue : 2013-11-07 Afilias Limited +blue + +// bms : 2014-10-30 Bristol-Myers Squibb Company +bms + +// bmw : 2014-01-09 Bayerische Motoren Werke Aktiengesellschaft +bmw + +// bnl : 2014-07-24 Banca Nazionale del Lavoro +bnl + +// bnpparibas : 2014-05-29 BNP Paribas +bnpparibas + +// boats : 2014-12-04 DERBoats, LLC +boats + +// bom : 2014-10-16 Núcleo de Informação e Coordenação do Ponto BR - NIC.br +bom + +// bond : 2014-06-05 Bond University Limited +bond + +// boo : 2014-01-30 Charleston Road Registry Inc. +boo + +// boots : 2015-01-08 THE BOOTS COMPANY PLC +boots + +// bot : 2014-12-18 Amazon EU S.à r.l. +bot + +// boutique : 2013-11-14 Over Galley, LLC +boutique + +// bradesco : 2014-12-18 Banco Bradesco S.A. +bradesco + +// bridgestone : 2014-12-18 Bridgestone Corporation +bridgestone + +// broadway : 2014-12-22 Celebrate Broadway, Inc. +broadway + +// broker : 2014-12-11 IG Group Holdings PLC +broker + +// brussels : 2014-02-06 DNS.be vzw +brussels + +// budapest : 2013-11-21 Top Level Domain Holdings Limited +budapest + +// build : 2013-11-07 Plan Bee LLC +build + +// builders : 2013-11-07 Atomic Madison, LLC +builders + +// business : 2013-11-07 Spring Cross, LLC +business + +// buy : 2014-12-18 Amazon EU S.à r.l. +buy + +// buzz : 2013-10-02 DOTSTRATEGY CO. 
+buzz + +// bzh : 2014-02-27 Association www.bzh +bzh + +// cab : 2013-10-24 Half Sunset, LLC +cab + +// cal : 2014-07-24 Charleston Road Registry Inc. +cal + +// call : 2014-12-18 Amazon EU S.à r.l. +call + +// camera : 2013-08-27 Atomic Maple, LLC +camera + +// camp : 2013-11-07 Delta Dynamite, LLC +camp + +// cancerresearch : 2014-05-15 Australian Cancer Research Foundation +cancerresearch + +// canon : 2014-09-12 Canon Inc. +canon + +// capetown : 2014-03-24 ZA Central Registry NPC trading as ZA Central Registry +capetown + +// capital : 2014-03-06 Delta Mill, LLC +capital + +// car : 2015-01-22 Charleston Road Registry Inc. +car + +// caravan : 2013-12-12 Caravan International, Inc. +caravan + +// cards : 2013-12-05 Foggy Hollow, LLC +cards + +// care : 2014-03-06 Goose Cross +care + +// career : 2013-10-09 dotCareer LLC +career + +// careers : 2013-10-02 Wild Corner, LLC +careers + +// cars : 2014-11-13 Uniregistry, Corp. +cars + +// cartier : 2014-06-23 Richemont DNS Inc. +cartier + +// casa : 2013-11-21 Top Level Domain Holdings Limited +casa + +// cash : 2014-03-06 Delta Lake, LLC +cash + +// casino : 2014-12-18 Binky Sky, LLC +casino + +// catering : 2013-12-05 New Falls. LLC +catering + +// cba : 2014-06-26 COMMONWEALTH BANK OF AUSTRALIA +cba + +// cbn : 2014-08-22 The Christian Broadcasting Network, Inc. +cbn + +// center : 2013-11-07 Tin Mill, LLC +center + +// ceo : 2013-11-07 CEOTLD Pty Ltd +ceo + +// cern : 2014-06-05 European Organization for Nuclear Research (\ +cern + +// cfa : 2014-08-28 CFA Institute +cfa + +// cfd : 2014-12-11 IG Group Holdings PLC +cfd + +// channel : 2014-05-08 Charleston Road Registry Inc. +channel + +// chat : 2014-12-04 Sand Fields, LLC +chat + +// cheap : 2013-11-14 Sand Cover, LLC +cheap + +// chloe : 2014-10-16 Richemont DNS Inc. +chloe + +// christmas : 2013-11-21 Uniregistry, Corp. +christmas + +// chrome : 2014-07-24 Charleston Road Registry Inc. 
+chrome + +// church : 2014-02-06 Holly Fileds, LLC +church + +// circle : 2014-12-18 Amazon EU S.à r.l. +circle + +// cisco : 2014-12-22 Cisco Technology, Inc. +cisco + +// citic : 2014-01-09 CITIC Group Corporation +citic + +// city : 2014-05-29 Snow Sky, LLC +city + +// cityeats : 2014-12-11 Lifestyle Domain Holdings, Inc. +cityeats + +// claims : 2014-03-20 Black Corner, LLC +claims + +// cleaning : 2013-12-05 Fox Shadow, LLC +cleaning + +// click : 2014-06-05 Uniregistry, Corp. +click + +// clinic : 2014-03-20 Goose Park, LLC +clinic + +// clothing : 2013-08-27 Steel Lake, LLC +clothing + +// club : 2013-11-08 .CLUB DOMAINS, LLC +club + +// coach : 2014-10-09 Koko Island, LLC +coach + +// codes : 2013-10-31 Puff Willow, LLC +codes + +// coffee : 2013-10-17 Trixy Cover, LLC +coffee + +// college : 2014-01-16 XYZ.COM LLC +college + +// cologne : 2014-02-05 NetCologne Gesellschaft für Telekommunikation mbH +cologne + +// commbank : 2014-06-26 COMMONWEALTH BANK OF AUSTRALIA +commbank + +// community : 2013-12-05 Fox Orchard, LLC +community + +// company : 2013-11-07 Silver Avenue, LLC +company + +// computer : 2013-10-24 Pine Mill, LLC +computer + +// comsec : 2015-01-08 VeriSign, Inc. +comsec + +// condos : 2013-12-05 Pine House, LLC +condos + +// construction : 2013-09-16 Fox Dynamite, LLC +construction + +// consulting : 2013-12-05 +consulting + +// contact : 2015-01-08 Top Level Spectrum, Inc. 
+contact + +// contractors : 2013-09-10 Magic Woods, LLC +contractors + +// cooking : 2013-11-21 Top Level Domain Holdings Limited +cooking + +// cool : 2013-11-14 Koko Lake, LLC +cool + +// corsica : 2014-09-25 Collectivité Territoriale de Corse +corsica + +// country : 2013-12-19 Top Level Domain Holdings Limited +country + +// courses : 2014-12-04 OPEN UNIVERSITIES AUSTRALIA PTY LTD +courses + +// credit : 2014-03-20 Snow Shadow, LLC +credit + +// creditcard : 2014-03-20 Binky Frostbite, LLC +creditcard + +// creditunion : 2015-01-22 CUNA Performance Resources, LLC +creditunion + +// cricket : 2014-10-09 dot Cricket Limited +cricket + +// crown : 2014-10-24 Crown Equipment Corporation +crown + +// crs : 2014-04-03 Federated Co-operatives Limited +crs + +// cruises : 2013-12-05 Spring Way, LLC +cruises + +// csc : 2014-09-25 Alliance-One Services, Inc. +csc + +// cuisinella : 2014-04-03 SALM S.A.S. +cuisinella + +// cymru : 2014-05-08 Nominet UK +cymru + +// cyou : 2015-01-22 Beijing Gamease Age Digital Technology Co., Ltd. +cyou + +// dabur : 2014-02-06 Dabur India Limited +dabur + +// dad : 2014-01-23 Charleston Road Registry Inc. +dad + +// dance : 2013-10-24 United TLD Holdco Ltd. +dance + +// date : 2014-11-20 dot Date Limited +date + +// dating : 2013-12-05 Pine Fest, LLC +dating + +// datsun : 2014-03-27 NISSAN MOTOR CO., LTD. +datsun + +// day : 2014-01-30 Charleston Road Registry Inc. +day + +// dclk : 2014-11-20 Charleston Road Registry Inc. +dclk + +// dealer : 2014-12-22 Dealer Dot Com, Inc. +dealer + +// deals : 2014-05-22 Sand Sunset, LLC +deals + +// degree : 2014-03-06 +degree + +// delivery : 2014-09-11 Steel Station, LLC +delivery + +// dell : 2014-10-24 Dell Inc. +dell + +// democrat : 2013-10-24 United TLD Holdco Ltd. 
+democrat + +// dental : 2014-03-20 Tin Birch, LLC +dental + +// dentist : 2014-03-20 +dentist + +// desi : 2013-11-14 Desi Networks LLC +desi + +// design : 2014-11-07 Top Level Design, LLC +design + +// dev : 2014-10-16 Charleston Road Registry Inc. +dev + +// diamonds : 2013-09-22 John Edge, LLC +diamonds + +// diet : 2014-06-26 Uniregistry, Corp. +diet + +// digital : 2014-03-06 Dash Park, LLC +digital + +// direct : 2014-04-10 Half Trail, LLC +direct + +// directory : 2013-09-20 Extra Madison, LLC +directory + +// discount : 2014-03-06 Holly Hill, LLC +discount + +// dnp : 2013-12-13 Dai Nippon Printing Co., Ltd. +dnp + +// docs : 2014-10-16 Charleston Road Registry Inc. +docs + +// dog : 2014-12-04 Koko Mill, LLC +dog + +// doha : 2014-09-18 Communications Regulatory Authority (CRA) +doha + +// domains : 2013-10-17 Sugar Cross, LLC +domains + +// doosan : 2014-04-03 Doosan Corporation +doosan + +// download : 2014-11-20 dot Support Limited +download + +// dubai : 2015-01-01 Dubai Smart Government Department +dubai + +// durban : 2014-03-24 ZA Central Registry NPC trading as ZA Central Registry +durban + +// dvag : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG +dvag + +// earth : 2014-12-04 Interlink Co., Ltd. +earth + +// eat : 2014-01-23 Charleston Road Registry Inc. +eat + +// edeka : 2014-12-18 EDEKA Verband kaufmännischer Genossenschaften e.V. +edeka + +// education : 2013-11-07 Brice Way, LLC +education + +// email : 2013-10-31 Spring Madison, LLC +email + +// emerck : 2014-04-03 Merck KGaA +emerck + +// energy : 2014-09-11 Binky Birch, LLC +energy + +// engineer : 2014-03-06 United TLD Holdco Ltd. +engineer + +// engineering : 2014-03-06 Romeo Canyon +engineering + +// enterprises : 2013-09-20 Snow Oaks, LLC +enterprises + +// epson : 2014-12-04 Seiko Epson Corporation +epson + +// equipment : 2013-08-27 Corn Station, LLC +equipment + +// erni : 2014-04-03 ERNI Group Holding AG +erni + +// esq : 2014-05-08 Charleston Road Registry Inc. 
+esq + +// estate : 2013-08-27 Trixy Park, LLC +estate + +// eurovision : 2014-04-24 European Broadcasting Union (EBU) +eurovision + +// eus : 2013-12-12 Puntueus Fundazioa +eus + +// events : 2013-12-05 Pioneer Maple, LLC +events + +// everbank : 2014-05-15 EverBank +everbank + +// exchange : 2014-03-06 Spring Falls, LLC +exchange + +// expert : 2013-11-21 Magic Pass, LLC +expert + +// exposed : 2013-12-05 Victor Beach, LLC +exposed + +// fage : 2014-12-18 Fage International S.A. +fage + +// fail : 2014-03-06 Atomic Pipe, LLC +fail + +// fairwinds : 2014-11-13 FairWinds Partners, LLC +fairwinds + +// faith : 2014-11-20 dot Faith Limited +faith + +// fan : 2014-03-06 +fan + +// fans : 2014-11-07 Asiamix Digital Limited +fans + +// farm : 2013-11-07 Just Maple, LLC +farm + +// fashion : 2014-07-03 Top Level Domain Holdings Limited +fashion + +// fast : 2014-12-18 Amazon EU S.à r.l. +fast + +// feedback : 2013-12-19 Top Level Spectrum, Inc. +feedback + +// ferrero : 2014-12-18 Ferrero Trading Lux S.A. +ferrero + +// film : 2015-01-08 Motion Picture Domain Registry Pty Ltd +film + +// final : 2014-10-16 Núcleo de Informação e Coordenação do Ponto BR - NIC.br +final + +// finance : 2014-03-20 Cotton Cypress, LLC +finance + +// financial : 2014-03-06 Just Cover, LLC +financial + +// firestone : 2014-12-18 Bridgestone Corporation +firestone + +// firmdale : 2014-03-27 Firmdale Holdings Limited +firmdale + +// fish : 2013-12-12 Fox Woods, LLC +fish + +// fishing : 2013-11-21 Top Level Domain Holdings Limited +fishing + +// fit : 2014-11-07 Top Level Domain Holdings Limited +fit + +// fitness : 2014-03-06 Brice Orchard, LLC +fitness + +// flights : 2013-12-05 Fox Station, LLC +flights + +// florist : 2013-11-07 Half Cypress, LLC +florist + +// flowers : 2014-10-09 Uniregistry, Corp. +flowers + +// flsmidth : 2014-07-24 FLSmidth A/S +flsmidth + +// fly : 2014-05-08 Charleston Road Registry Inc. +fly + +// foo : 2014-01-23 Charleston Road Registry Inc. 
+foo + +// football : 2014-12-18 Foggy Farms, LLC +football + +// ford : 2014-11-13 Ford Motor Company +ford + +// forex : 2014-12-11 IG Group Holdings PLC +forex + +// forsale : 2014-05-22 +forsale + +// foundation : 2013-12-05 John Dale, LLC +foundation + +// frl : 2014-05-15 FRLregistry B.V. +frl + +// frogans : 2013-12-19 OP3FT +frogans + +// fund : 2014-03-20 John Castle, LLC +fund + +// furniture : 2014-03-20 Lone Fields, LLC +furniture + +// futbol : 2013-09-20 +futbol + +// gal : 2013-11-07 Asociación puntoGAL +gal + +// gallery : 2013-09-13 Sugar House, LLC +gallery + +// garden : 2014-06-26 Top Level Domain Holdings Limited +garden + +// gbiz : 2014-07-17 Charleston Road Registry Inc. +gbiz + +// gdn : 2014-07-31 Joint Stock Company \ +gdn + +// gea : 2014-12-04 GEA Group Aktiengesellschaft +gea + +// gent : 2014-01-23 COMBELL GROUP NV/SA +gent + +// ggee : 2014-01-09 GMO Internet, Inc. +ggee + +// gift : 2013-10-17 Uniregistry, Corp. +gift + +// gifts : 2014-07-03 Goose Sky, LLC +gifts + +// gives : 2014-03-06 United TLD Holdco Ltd. +gives + +// giving : 2014-11-13 Giving Limited +giving + +// glass : 2013-11-07 Black Cover, LLC +glass + +// gle : 2014-07-24 Charleston Road Registry Inc. +gle + +// global : 2014-04-17 Dot GLOBAL AS +global + +// globo : 2013-12-19 Globo Comunicação e Participações S.A +globo + +// gmail : 2014-05-01 Charleston Road Registry Inc. +gmail + +// gmo : 2014-01-09 GMO Internet, Inc. +gmo + +// gmx : 2014-04-24 1&1 Mail & Media GmbH +gmx + +// gold : 2015-01-22 June Edge, LLC +gold + +// goldpoint : 2014-11-20 YODOBASHI CAMERA CO.,LTD. +goldpoint + +// golf : 2014-12-18 Lone falls, LLC +golf + +// goo : 2014-12-18 NTT Resonant Inc. +goo + +// goog : 2014-11-20 Charleston Road Registry Inc. +goog + +// google : 2014-07-24 Charleston Road Registry Inc. +google + +// gop : 2014-01-16 Republican State Leadership Committee, Inc. +gop + +// got : 2014-12-18 Amazon EU S.à r.l. 
+got + +// graphics : 2013-09-13 Over Madison, LLC +graphics + +// gratis : 2014-03-20 Pioneer Tigers, LLC +gratis + +// green : 2014-05-08 Afilias Limited +green + +// gripe : 2014-03-06 Corn Sunset, LLC +gripe + +// group : 2014-08-15 Romeo Town, LLC +group + +// gucci : 2014-11-13 Guccio Gucci S.p.a. +gucci + +// guge : 2014-08-28 Charleston Road Registry Inc. +guge + +// guide : 2013-09-13 Snow Moon, LLC +guide + +// guitars : 2013-11-14 Uniregistry, Corp. +guitars + +// guru : 2013-08-27 Pioneer Cypress, LLC +guru + +// hamburg : 2014-02-20 Hamburg Top-Level-Domain GmbH +hamburg + +// hangout : 2014-11-13 Charleston Road Registry Inc. +hangout + +// haus : 2013-12-05 +haus + +// healthcare : 2014-06-12 Silver Glen, LLC +healthcare + +// help : 2014-06-26 Uniregistry, Corp. +help + +// here : 2014-02-06 Charleston Road Registry Inc. +here + +// hermes : 2014-07-10 HERMES INTERNATIONAL +hermes + +// hiphop : 2014-03-06 Uniregistry, Corp. +hiphop + +// hitachi : 2014-10-31 Hitachi, Ltd. +hitachi + +// hiv : 2014-03-13 dotHIV gemeinnuetziger e.V. +hiv + +// holdings : 2013-08-27 John Madison, LLC +holdings + +// holiday : 2013-11-07 Goose Woods, LLC +holiday + +// homes : 2014-01-09 DERHomes, LLC +homes + +// honda : 2014-12-18 Honda Motor Co., Ltd. +honda + +// horse : 2013-11-21 Top Level Domain Holdings Limited +horse + +// host : 2014-04-17 DotHost Inc. +host + +// hosting : 2014-05-29 Uniregistry, Corp. +hosting + +// hotmail : 2014-12-18 Microsoft Corporation +hotmail + +// house : 2013-11-07 Sugar Park, LLC +house + +// how : 2014-01-23 Charleston Road Registry Inc. +how + +// hsbc : 2014-10-24 HSBC Holdings PLC +hsbc + +// ibm : 2014-07-31 International Business Machines Corporation +ibm + +// ice : 2014-10-30 IntercontinentalExchange, Inc. +ice + +// icu : 2015-01-08 One.com A/S +icu + +// ifm : 2014-01-30 ifm electronic gmbh +ifm + +// iinet : 2014-07-03 Connect West Pty. Ltd. 
+iinet + +// immo : 2014-07-10 Auburn Bloom, LLC +immo + +// immobilien : 2013-11-07 United TLD Holdco Ltd. +immobilien + +// industries : 2013-12-05 Outer House, LLC +industries + +// infiniti : 2014-03-27 NISSAN MOTOR CO., LTD. +infiniti + +// ing : 2014-01-23 Charleston Road Registry Inc. +ing + +// ink : 2013-12-05 Top Level Design, LLC +ink + +// institute : 2013-11-07 Outer Maple, LLC +institute + +// insure : 2014-03-20 Pioneer Willow, LLC +insure + +// international : 2013-11-07 Wild Way, LLC +international + +// investments : 2014-03-20 Holly Glen, LLC +investments + +// ipiranga : 2014-08-28 Ipiranga Produtos de Petroleo S.A. +ipiranga + +// irish : 2014-08-07 Dot-Irish LLC +irish + +// ist : 2014-08-28 Istanbul Metropolitan Municipality +ist + +// istanbul : 2014-08-28 Istanbul Metropolitan Municipality +istanbul + +// itau : 2014-10-02 Itau Unibanco Holding S.A. +itau + +// iwc : 2014-06-23 Richemont DNS Inc. +iwc + +// jaguar : 2014-11-13 Jaguar Land Rover Ltd +jaguar + +// java : 2014-06-19 Oracle Corporation +java + +// jcb : 2014-11-20 JCB Co., Ltd. +jcb + +// jetzt : 2014-01-09 New TLD Company AB +jetzt + +// jlc : 2014-12-04 Richemont DNS Inc. +jlc + +// joburg : 2014-03-24 ZA Central Registry NPC trading as ZA Central Registry +joburg + +// jot : 2014-12-18 Amazon EU S.à r.l. +jot + +// joy : 2014-12-18 Amazon EU S.à r.l. +joy + +// jprs : 2014-09-18 Japan Registry Services Co., Ltd. +jprs + +// juegos : 2014-03-20 Uniregistry, Corp. +juegos + +// kaufen : 2013-11-07 United TLD Holdco Ltd. +kaufen + +// kddi : 2014-09-12 KDDI CORPORATION +kddi + +// kfh : 2014-12-04 Kuwait Finance House +kfh + +// kim : 2013-09-23 Afilias Limited +kim + +// kinder : 2014-11-07 Ferrero Trading Lux S.A. +kinder + +// kitchen : 2013-09-20 Just Goodbye, LLC +kitchen + +// kiwi : 2013-09-20 DOT KIWI LIMITED +kiwi + +// koeln : 2014-01-09 NetCologne Gesellschaft für Telekommunikation mbH +koeln + +// komatsu : 2015-01-08 Komatsu Ltd. 
+komatsu + +// kpn : 2015-01-08 Koninklijke KPN N.V. +kpn + +// krd : 2013-12-05 KRG Department of Information Technology +krd + +// kred : 2013-12-19 KredTLD Pty Ltd +kred + +// kyoto : 2014-11-07 Academic Institution: Kyoto Jyoho Gakuen +kyoto + +// lacaixa : 2014-01-09 CAIXA D'ESTALVIS I PENSIONS DE BARCELONA +lacaixa + +// land : 2013-09-10 Pine Moon, LLC +land + +// landrover : 2014-11-13 Jaguar Land Rover Ltd +landrover + +// lat : 2014-10-16 ECOM-LAC Federaciòn de Latinoamèrica y el Caribe para Internet y el Comercio Electrònico +lat + +// latrobe : 2014-06-16 La Trobe University +latrobe + +// law : 2015-01-22 Minds + Machines Group Limited +law + +// lawyer : 2014-03-20 +lawyer + +// lds : 2014-03-20 IRI Domain Management, LLC (\ +lds + +// lease : 2014-03-06 Victor Trail, LLC +lease + +// leclerc : 2014-08-07 A.C.D. LEC Association des Centres Distributeurs Edouard Leclerc +leclerc + +// legal : 2014-10-16 Blue Falls, LLC +legal + +// lgbt : 2014-05-08 Afilias Limited +lgbt + +// liaison : 2014-10-02 Liaison Technologies, Incorporated +liaison + +// lidl : 2014-09-18 Schwarz Domains und Services GmbH & Co. KG +lidl + +// life : 2014-02-06 Trixy Oaks, LLC +life + +// lifeinsurance : 2015-01-15 American Council of Life Insurers +lifeinsurance + +// lifestyle : 2014-12-11 Lifestyle Domain Holdings, Inc. +lifestyle + +// lighting : 2013-08-27 John McCook, LLC +lighting + +// like : 2014-12-18 Amazon EU S.à r.l. +like + +// limited : 2014-03-06 Big Fest, LLC +limited + +// limo : 2013-10-17 Hidden Frostbite, LLC +limo + +// lincoln : 2014-11-13 Ford Motor Company +lincoln + +// linde : 2014-12-04 Linde Aktiengesellschaft +linde + +// link : 2013-11-14 Uniregistry, Corp. +link + +// live : 2014-12-04 Half Woods, LLC +live + +// loan : 2014-11-20 dot Loan Limited +loan + +// loans : 2014-03-20 June Woods, LLC +loans + +// london : 2013-11-14 Dot London Domains Limited +london + +// lotte : 2014-11-07 Lotte Holdings Co., Ltd. 
+lotte + +// lotto : 2014-04-10 Afilias Limited +lotto + +// love : 2014-12-22 Merchant Law Group LLP +love + +// ltd : 2014-09-25 Over Corner, LLC +ltd + +// ltda : 2014-04-17 DOMAIN ROBOT SERVICOS DE HOSPEDAGEM NA INTERNET LTDA +ltda + +// lupin : 2014-11-07 LUPIN LIMITED +lupin + +// luxe : 2014-01-09 Top Level Domain Holdings Limited +luxe + +// luxury : 2013-10-17 Luxury Partners, LLC +luxury + +// madrid : 2014-05-01 Comunidad de Madrid +madrid + +// maif : 2014-10-02 Mutuelle Assurance Instituteur France (MAIF) +maif + +// maison : 2013-12-05 Victor Frostbite, LLC +maison + +// makeup : 2015-01-15 L'Oréal +makeup + +// man : 2014-12-04 MAN SE +man + +// management : 2013-11-07 John Goodbye, LLC +management + +// mango : 2013-10-24 PUNTO FA S.L. +mango + +// market : 2014-03-06 +market + +// marketing : 2013-11-07 Fern Pass, LLC +marketing + +// markets : 2014-12-11 IG Group Holdings PLC +markets + +// marriott : 2014-10-09 Marriott Worldwide Corporation +marriott + +// media : 2014-03-06 Grand Glen, LLC +media + +// meet : 2014-01-16 Afilias Limited +meet + +// melbourne : 2014-05-29 The Crown in right of the State of Victoria, represented by its Department of State Development, Business and Innovation +melbourne + +// meme : 2014-01-30 Charleston Road Registry Inc. +meme + +// memorial : 2014-10-16 Dog Beach, LLC +memorial + +// menu : 2013-09-11 Wedding TLD2, LLC +menu + +// meo : 2014-11-07 PT Comunicacoes S.A. +meo + +// miami : 2013-12-19 Top Level Domain Holdings Limited +miami + +// microsoft : 2014-12-18 Microsoft Corporation +microsoft + +// mini : 2014-01-09 Bayerische Motoren Werke Aktiengesellschaft +mini + +// mma : 2014-11-07 MMA IARD +mma + +// mobily : 2014-12-18 GreenTech Consultancy Company W.L.L. +mobily + +// moda : 2013-11-07 United TLD Holdco Ltd. +moda + +// moe : 2013-11-13 Interlink Co., Ltd. +moe + +// moi : 2014-12-18 Amazon EU S.à r.l. 
+moi + +// monash : 2013-09-30 Monash University +monash + +// money : 2014-10-16 Outer McCook, LLC +money + +// montblanc : 2014-06-23 Richemont DNS Inc. +montblanc + +// mormon : 2013-12-05 IRI Domain Management, LLC (\ +mormon + +// mortgage : 2014-03-20 +mortgage + +// moscow : 2013-12-19 Foundation for Assistance for Internet Technologies and Infrastructure Development (FAITID) +moscow + +// motorcycles : 2014-01-09 DERMotorcycles, LLC +motorcycles + +// mov : 2014-01-30 Charleston Road Registry Inc. +mov + +// movistar : 2014-10-16 Telefónica S.A. +movistar + +// mtn : 2014-12-04 MTN Dubai Limited +mtn + +// mtpc : 2014-11-20 Mitsubishi Tanabe Pharma Corporation +mtpc + +// nadex : 2014-12-11 IG Group Holdings PLC +nadex + +// nagoya : 2013-10-24 GMO Registry, Inc. +nagoya + +// navy : 2014-03-06 United TLD Holdco Ltd. +navy + +// nec : 2015-01-08 NEC Corporation +nec + +// netbank : 2014-06-26 COMMONWEALTH BANK OF AUSTRALIA +netbank + +// network : 2013-11-14 Trixy Manor, LLC +network + +// neustar : 2013-12-05 NeuStar, Inc. +neustar + +// new : 2014-01-30 Charleston Road Registry Inc. +new + +// news : 2014-12-18 Hidden Bloom, LLC +news + +// nexus : 2014-07-24 Charleston Road Registry Inc. +nexus + +// ngo : 2014-03-06 Public Interest Registry +ngo + +// nhk : 2014-02-13 Japan Broadcasting Corporation (NHK) +nhk + +// nico : 2014-12-04 DWANGO Co., Ltd. +nico + +// ninja : 2013-11-07 United TLD Holdco Ltd. +ninja + +// nissan : 2014-03-27 NISSAN MOTOR CO., LTD. +nissan + +// nokia : 2015-01-08 Nokia Corporation +nokia + +// norton : 2014-12-04 Symantec Corporation +norton + +// nowruz : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. +nowruz + +// nra : 2014-05-22 NRA Holdings Company, INC. 
+nra + +// nrw : 2013-11-21 Minds + Machines GmbH +nrw + +// ntt : 2014-10-31 NIPPON TELEGRAPH AND TELEPHONE CORPORATION +ntt + +// nyc : 2014-01-23 The City of New York by and through the New York City Department of Information Technology & Telecommunications +nyc + +// obi : 2014-09-25 OBI Group Holding SE & Co. KGaA +obi + +// okinawa : 2013-12-05 BusinessRalliart Inc. +okinawa + +// omega : 2015-01-08 The Swatch Group Ltd +omega + +// one : 2014-11-07 One.com A/S +one + +// ong : 2014-03-06 Public Interest Registry +ong + +// onl : 2013-09-16 I-Registry Ltd. +onl + +// online : 2015-01-15 DotOnline Inc. +online + +// ooo : 2014-01-09 INFIBEAM INCORPORATION LIMITED +ooo + +// oracle : 2014-06-19 Oracle Corporation +oracle + +// organic : 2014-03-27 Afilias Limited +organic + +// osaka : 2014-09-04 Interlink Co., Ltd. +osaka + +// otsuka : 2013-10-11 Otsuka Holdings Co., Ltd. +otsuka + +// ovh : 2014-01-16 OVH SAS +ovh + +// page : 2014-12-04 Charleston Road Registry Inc. +page + +// panerai : 2014-11-07 Richemont DNS Inc. +panerai + +// paris : 2014-01-30 City of Paris +paris + +// pars : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. +pars + +// partners : 2013-12-05 Magic Glen, LLC +partners + +// parts : 2013-12-05 Sea Goodbye, LLC +parts + +// party : 2014-09-11 Blue Sky Registry Limited +party + +// pharmacy : 2014-06-19 National Association of Boards of Pharmacy +pharmacy + +// philips : 2014-11-07 Koninklijke Philips N.V. +philips + +// photo : 2013-11-14 Uniregistry, Corp. +photo + +// photography : 2013-09-20 Sugar Glen, LLC +photography + +// photos : 2013-10-17 Sea Corner, LLC +photos + +// physio : 2014-05-01 PhysBiz Pty Ltd +physio + +// piaget : 2014-10-16 Richemont DNS Inc. +piaget + +// pics : 2013-11-14 Uniregistry, Corp. +pics + +// pictet : 2014-06-26 Pictet Europe S.A. +pictet + +// pictures : 2014-03-06 Foggy Sky, LLC +pictures + +// pid : 2015-01-08 Top Level Spectrum, Inc. +pid + +// pin : 2014-12-18 Amazon EU S.à r.l. 
+pin + +// pink : 2013-10-01 Afilias Limited +pink + +// pizza : 2014-06-26 Foggy Moon, LLC +pizza + +// place : 2014-04-24 Snow Galley, LLC +place + +// plumbing : 2013-09-10 Spring Tigers, LLC +plumbing + +// pohl : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG +pohl + +// poker : 2014-07-03 Afilias Domains No. 5 Limited +poker + +// porn : 2014-10-16 ICM Registry PN LLC +porn + +// praxi : 2013-12-05 Praxi S.p.A. +praxi + +// press : 2014-04-03 DotPress Inc. +press + +// prod : 2014-01-23 Charleston Road Registry Inc. +prod + +// productions : 2013-12-05 Magic Birch, LLC +productions + +// prof : 2014-07-24 Charleston Road Registry Inc. +prof + +// promo : 2014-12-18 Play.PROMO Oy +promo + +// properties : 2013-12-05 Big Pass, LLC +properties + +// property : 2014-05-22 Uniregistry, Corp. +property + +// pub : 2013-12-12 United TLD Holdco Ltd. +pub + +// qpon : 2013-11-14 dotCOOL, Inc. +qpon + +// quebec : 2013-12-19 PointQuébec Inc +quebec + +// racing : 2014-12-04 Premier Registry Limited +racing + +// read : 2014-12-18 Amazon EU S.à r.l. +read + +// realtor : 2014-05-29 Real Estate Domains LLC +realtor + +// recipes : 2013-10-17 Grand Island, LLC +recipes + +// red : 2013-11-07 Afilias Limited +red + +// redstone : 2014-10-31 Redstone Haute Couture Co., Ltd. +redstone + +// rehab : 2014-03-06 United TLD Holdco Ltd. +rehab + +// reise : 2014-03-13 dotreise GmbH +reise + +// reisen : 2014-03-06 New Cypress, LLC +reisen + +// reit : 2014-09-04 National Association of Real Estate Investment Trusts, Inc. +reit + +// ren : 2013-12-12 Beijing Qianxiang Wangjing Technology Development Co., Ltd. +ren + +// rent : 2014-12-04 DERRent, LLC +rent + +// rentals : 2013-12-05 Big Hollow,LLC +rentals + +// repair : 2013-11-07 Lone Sunset, LLC +repair + +// report : 2013-12-05 Binky Glen, LLC +report + +// republican : 2014-03-20 United TLD Holdco Ltd. 
+republican + +// rest : 2013-12-19 Punto 2012 Sociedad Anonima Promotora de Inversion de Capital Variable +rest + +// restaurant : 2014-07-03 Snow Avenue, LLC +restaurant + +// review : 2014-11-20 dot Review Limited +review + +// reviews : 2013-09-13 +reviews + +// rich : 2013-11-21 I-Registry Ltd. +rich + +// ricoh : 2014-11-20 Ricoh Company, Ltd. +ricoh + +// rio : 2014-02-27 Empresa Municipal de Informática SA - IPLANRIO +rio + +// rip : 2014-07-10 United TLD Holdco Ltd. +rip + +// rocher : 2014-12-18 Ferrero Trading Lux S.A. +rocher + +// rocks : 2013-11-14 +rocks + +// rodeo : 2013-12-19 Top Level Domain Holdings Limited +rodeo + +// room : 2014-12-18 Amazon EU S.à r.l. +room + +// rsvp : 2014-05-08 Charleston Road Registry Inc. +rsvp + +// ruhr : 2013-10-02 regiodot GmbH & Co. KG +ruhr + +// ryukyu : 2014-01-09 BusinessRalliart Inc. +ryukyu + +// saarland : 2013-12-12 dotSaarland GmbH +saarland + +// safe : 2014-12-18 Amazon EU S.à r.l. +safe + +// safety : 2015-01-08 Safety Registry Services, LLC. +safety + +// sakura : 2014-12-18 SAKURA Internet Inc. +sakura + +// sale : 2014-10-16 +sale + +// salon : 2014-12-11 Outer Orchard, LLC +salon + +// samsung : 2014-04-03 SAMSUNG SDS CO., LTD +samsung + +// sandvik : 2014-11-13 Sandvik AB +sandvik + +// sandvikcoromant : 2014-11-07 Sandvik AB +sandvikcoromant + +// sanofi : 2014-10-09 Sanofi +sanofi + +// sap : 2014-03-27 SAP AG +sap + +// sapo : 2014-11-07 PT Comunicacoes S.A. +sapo + +// sarl : 2014-07-03 Delta Orchard, LLC +sarl + +// saxo : 2014-10-31 Saxo Bank A/S +saxo + +// sbs : 2014-11-07 SPECIAL BROADCASTING SERVICE CORPORATION +sbs + +// sca : 2014-03-13 SVENSKA CELLULOSA AKTIEBOLAGET SCA (publ) +sca + +// scb : 2014-02-20 The Siam Commercial Bank Public Company Limited (\ +scb + +// schmidt : 2014-04-03 SALM S.A.S. 
+schmidt + +// scholarships : 2014-04-24 Scholarships.com, LLC +scholarships + +// school : 2014-12-18 Little Galley, LLC +school + +// schule : 2014-03-06 Outer Moon, LLC +schule + +// schwarz : 2014-09-18 Schwarz Domains und Services GmbH & Co. KG +schwarz + +// science : 2014-09-11 dot Science Limited +science + +// scor : 2014-10-31 SCOR SE +scor + +// scot : 2014-01-23 Dot Scot Registry Limited +scot + +// seat : 2014-05-22 SEAT, S.A. (Sociedad Unipersonal) +seat + +// seek : 2014-12-04 Seek Limited +seek + +// sener : 2014-10-24 Sener Ingeniería y Sistemas, S.A. +sener + +// services : 2014-02-27 Fox Castle, LLC +services + +// sew : 2014-07-17 SEW-EURODRIVE GmbH & Co KG +sew + +// sex : 2014-11-13 ICM Registry SX LLC +sex + +// sexy : 2013-09-11 Uniregistry, Corp. +sexy + +// sharp : 2014-05-01 Sharp Corporation +sharp + +// shia : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. +shia + +// shiksha : 2013-11-14 Afilias Limited +shiksha + +// shoes : 2013-10-02 Binky Galley, LLC +shoes + +// shouji : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD. +shouji + +// shriram : 2014-01-23 Shriram Capital Ltd. +shriram + +// singles : 2013-08-27 Fern Madison, LLC +singles + +// site : 2015-01-15 DotSite Inc. +site + +// skin : 2015-01-15 L'Oréal +skin + +// sky : 2014-06-19 Sky IP International Ltd, a company incorporated in England and Wales, operating via its registered Swiss branch +sky + +// skype : 2014-12-18 Microsoft Corporation +skype + +// smile : 2014-12-18 Amazon EU S.à r.l. +smile + +// social : 2013-11-07 United TLD Holdco Ltd. +social + +// software : 2014-03-20 +software + +// sohu : 2013-12-19 Sohu.com Limited +sohu + +// solar : 2013-11-07 Ruby Town, LLC +solar + +// solutions : 2013-11-07 Silver Cover, LLC +solutions + +// sony : 2015-01-08 Sony Corporation +sony + +// soy : 2014-01-23 Charleston Road Registry Inc. +soy + +// space : 2014-04-03 DotSpace Inc. +space + +// spiegel : 2014-02-05 SPIEGEL-Verlag Rudolf Augstein GmbH & Co. 
KG +spiegel + +// spreadbetting : 2014-12-11 IG Group Holdings PLC +spreadbetting + +// stada : 2014-11-13 STADA Arzneimittel AG +stada + +// star : 2015-01-08 Star India Private Limited +star + +// statoil : 2014-12-04 Statoil ASA +statoil + +// stc : 2014-10-09 Saudi Telecom Company +stc + +// stcgroup : 2014-10-09 Saudi Telecom Company +stcgroup + +// stockholm : 2014-12-18 Stockholms kommun +stockholm + +// storage : 2014-12-22 Self Storage Company LLC +storage + +// study : 2014-12-11 OPEN UNIVERSITIES AUSTRALIA PTY LTD +study + +// style : 2014-12-04 Binky Moon, LLC +style + +// sucks : 2014-12-22 Vox Populi Registry Inc. +sucks + +// supplies : 2013-12-19 Atomic Fields, LLC +supplies + +// supply : 2013-12-19 Half Falls, LLC +supply + +// support : 2013-10-24 Grand Orchard, LLC +support + +// surf : 2014-01-09 Top Level Domain Holdings Limited +surf + +// surgery : 2014-03-20 Tin Avenue, LLC +surgery + +// suzuki : 2014-02-20 SUZUKI MOTOR CORPORATION +suzuki + +// swatch : 2015-01-08 The Swatch Group Ltd +swatch + +// swiss : 2014-10-16 Swiss Confederation +swiss + +// sydney : 2014-09-18 State of New South Wales, Department of Premier and Cabinet +sydney + +// symantec : 2014-12-04 Symantec Corporation +symantec + +// systems : 2013-11-07 Dash Cypress, LLC +systems + +// tab : 2014-12-04 Tabcorp Holdings Limited +tab + +// taipei : 2014-07-10 Taipei City Government +taipei + +// taobao : 2015-01-15 Alibaba Group Holding Limited +taobao + +// tatar : 2014-04-24 Limited Liability Company \ +tatar + +// tattoo : 2013-08-30 Uniregistry, Corp. +tattoo + +// tax : 2014-03-20 Storm Orchard, LLC +tax + +// tci : 2014-09-12 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. +tci + +// technology : 2013-09-13 Auburn Falls +technology + +// telefonica : 2014-10-16 Telefónica S.A. 
+telefonica + +// temasek : 2014-08-07 Temasek Holdings (Private) Limited +temasek + +// tennis : 2014-12-04 Cotton Bloom, LLC +tennis + +// tienda : 2013-11-14 Victor Manor, LLC +tienda + +// tips : 2013-09-20 Corn Willow, LLC +tips + +// tires : 2014-11-07 Dog Edge, LLC +tires + +// tirol : 2014-04-24 punkt Tirol GmbH +tirol + +// tmall : 2015-01-15 Alibaba Group Holding Limited +tmall + +// today : 2013-09-20 Pearl Woods, LLC +today + +// tokyo : 2013-11-13 GMO Registry, Inc. +tokyo + +// tools : 2013-11-21 Pioneer North, LLC +tools + +// top : 2014-03-20 Jiangsu Bangning Science & Technology Co.,Ltd. +top + +// toray : 2014-12-18 Toray Industries, Inc. +toray + +// toshiba : 2014-04-10 TOSHIBA Corporation +toshiba + +// tours : 2015-01-22 Sugar Station, LLC +tours + +// town : 2014-03-06 Koko Moon, LLC +town + +// toys : 2014-03-06 Pioneer Orchard, LLC +toys + +// trade : 2014-01-23 Elite Registry Limited +trade + +// trading : 2014-12-11 IG Group Holdings PLC +trading + +// training : 2013-11-07 Wild Willow, LLC +training + +// trust : 2014-10-16 +trust + +// tui : 2014-07-03 TUI AG +tui + +// tushu : 2014-12-18 Amazon EU S.à r.l. +tushu + +// ubs : 2014-12-11 UBS AG +ubs + +// university : 2014-03-06 Little Station, LLC +university + +// uno : 2013-09-11 Dot Latin LLC +uno + +// uol : 2014-05-01 UBN INTERNET LTDA. +uol + +// vacations : 2013-12-05 Atomic Tigers, LLC +vacations + +// vana : 2014-12-11 Lifestyle Domain Holdings, Inc. +vana + +// vegas : 2014-01-16 Dot Vegas, Inc. 
+vegas + +// ventures : 2013-08-27 Binky Lake, LLC +ventures + +// versicherung : 2014-03-20 dotversicherung-registry GmbH +versicherung + +// vet : 2014-03-06 +vet + +// viajes : 2013-10-17 Black Madison, LLC +viajes + +// video : 2014-10-16 +video + +// villas : 2013-12-05 New Sky, LLC +villas + +// vip : 2015-01-22 Minds + Machines Group Limited +vip + +// virgin : 2014-09-25 Virgin Enterprises Limited +virgin + +// vision : 2013-12-05 Koko Station, LLC +vision + +// vista : 2014-09-18 Vistaprint Limited +vista + +// vistaprint : 2014-09-18 Vistaprint Limited +vistaprint + +// viva : 2014-11-07 Saudi Telecom Company +viva + +// vlaanderen : 2014-02-06 DNS.be vzw +vlaanderen + +// vodka : 2013-12-19 Top Level Domain Holdings Limited +vodka + +// vote : 2013-11-21 Monolith Registry LLC +vote + +// voting : 2013-11-13 Valuetainment Corp. +voting + +// voto : 2013-11-21 Monolith Registry LLC +voto + +// voyage : 2013-08-27 Ruby House, LLC +voyage + +// wales : 2014-05-08 Nominet UK +wales + +// walter : 2014-11-13 Sandvik AB +walter + +// wang : 2013-10-24 Zodiac Leo Limited +wang + +// wanggou : 2014-12-18 Amazon EU S.à r.l. +wanggou + +// watch : 2013-11-14 Sand Shadow, LLC +watch + +// watches : 2014-12-22 Richemont DNS Inc. +watches + +// weather : 2015-01-08 The Weather Channel, LLC +weather + +// webcam : 2014-01-23 dot Webcam Limited +webcam + +// website : 2014-04-03 DotWebsite Inc. +website + +// wed : 2013-10-01 Atgron, Inc. 
+wed + +// wedding : 2014-04-24 Top Level Domain Holdings Limited +wedding + +// whoswho : 2014-02-20 Who's Who Registry +whoswho + +// wien : 2013-10-28 punkt.wien GmbH +wien + +// wiki : 2013-11-07 Top Level Design, LLC +wiki + +// williamhill : 2014-03-13 William Hill Organization Limited +williamhill + +// win : 2014-11-20 First Registry Limited +win + +// windows : 2014-12-18 Microsoft Corporation +windows + +// wme : 2014-02-13 William Morris Endeavor Entertainment, LLC +wme + +// work : 2013-12-19 Top Level Domain Holdings Limited +work + +// works : 2013-11-14 Little Dynamite, LLC +works + +// world : 2014-06-12 Bitter Fields, LLC +world + +// wtc : 2013-12-19 World Trade Centers Association, Inc. +wtc + +// wtf : 2014-03-06 Hidden Way, LLC +wtf + +// xbox : 2014-12-18 Microsoft Corporation +xbox + +// xerox : 2014-10-24 Xerox DNHC LLC +xerox + +// xihuan : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD. +xihuan + +// xin : 2014-12-11 Elegant Leader Limited +xin + +// xn--11b4c3d : 2015-01-15 VeriSign Sarl +कॉम + +// xn--1qqw23a : 2014-01-09 Guangzhou YU Wei Information Technology Co., Ltd. 
+佛山 + +// xn--30rr7y : 2014-06-12 Excellent First Limited +慈善 + +// xn--3bst00m : 2013-09-13 Eagle Horizon Limited +集团 + +// xn--3ds443g : 2013-09-08 TLD REGISTRY LIMITED +在线 + +// xn--3pxu8k : 2015-01-15 VeriSign Sarl +点看 + +// xn--42c2d9a : 2015-01-15 VeriSign Sarl +คอม + +// xn--45q11c : 2013-11-21 Zodiac Scorpio Limited +八卦 + +// xn--4gbrim : 2013-10-04 Suhub Electronic Establishment +موقع + +// xn--55qw42g : 2013-11-08 China Organizational Name Administration Center +公益 + +// xn--55qx5d : 2013-11-14 Computer Network Information Center of Chinese Academy of Sciences (China Internet Network Information Center) +公司 + +// xn--5tzm5g : 2014-12-22 Global Website TLD Asia Limited +网站 + +// xn--6frz82g : 2013-09-23 Afilias Limited +移动 + +// xn--6qq986b3xl : 2013-09-13 Tycoon Treasure Limited +我爱你 + +// xn--80adxhks : 2013-12-19 Foundation for Assistance for Internet Technologies and Infrastructure Development (FAITID) +москва + +// xn--80asehdb : 2013-07-14 CORE Association +онлайн + +// xn--80aswg : 2013-07-14 CORE Association +сайт + +// xn--9dbq2a : 2015-01-15 VeriSign Sarl +קום + +// xn--9et52u : 2014-06-12 RISE VICTORY LIMITED +时尚 + +// xn--b4w605ferd : 2014-08-07 Temasek Holdings (Private) Limited +淡马锡 + +// xn--c1avg : 2013-11-14 Public Interest Registry +орг + +// xn--c2br7g : 2015-01-15 VeriSign Sarl +नेट + +// xn--cg4bki : 2013-09-27 SAMSUNG SDS CO., LTD +삼성 + +// xn--czr694b : 2014-01-16 HU YI GLOBAL INFORMATION RESOURCES(HOLDING) COMPANY.HONGKONG LIMITED +商标 + +// xn--czrs0t : 2013-12-19 Wild Island, LLC +商店 + +// xn--czru2d : 2013-11-21 Zodiac Capricorn Limited +商城 + +// xn--d1acj3b : 2013-11-20 The Foundation for Network Initiatives “The Smart Internet” +дети + +// xn--eckvdtc9d : 2014-12-18 Amazon EU S.à r.l. 
+ポイント + +// xn--efvy88h : 2014-08-22 Xinhua News Agency Guangdong Branch 新华通讯社广东分社 +新闻 + +// xn--fhbei : 2015-01-15 VeriSign Sarl +كوم + +// xn--fiq228c5hs : 2013-09-08 TLD REGISTRY LIMITED +中文网 + +// xn--fiq64b : 2013-10-14 CITIC Group Corporation +中信 + +// xn--fjq720a : 2014-05-22 Will Bloom, LLC +娱乐 + +// xn--flw351e : 2014-07-31 Charleston Road Registry Inc. +谷歌 + +// xn--hxt814e : 2014-05-15 Zodiac Libra Limited +网店 + +// xn--i1b6b1a6a2e : 2013-11-14 Public Interest Registry +संगठन + +// xn--imr513n : 2014-12-11 HU YI GLOBAL INFORMATION RESOURCES (HOLDING) COMPANY. HONGKONG LIMITED +餐厅 + +// xn--io0a7i : 2013-11-14 Computer Network Information Center of Chinese Academy of Sciences (China Internet Network Information Center) +网络 + +// xn--j1aef : 2015-01-15 VeriSign Sarl +ком + +// xn--jlq61u9w7b : 2015-01-08 Nokia Corporation +诺基亚 + +// xn--kcrx77d1x4a : 2014-11-07 Koninklijke Philips N.V. +飞利浦 + +// xn--kpu716f : 2014-12-22 Richemont DNS Inc. +手表 + +// xn--kput3i : 2014-02-13 Beijing RITT-Net Technology Development Co., Ltd +手机 + +// xn--mgba3a3ejt : 2014-11-20 Aramco Services Company +ارامكو + +// xn--mgbab2bd : 2013-10-31 CORE Association +بازار + +// xn--mgbb9fbpob : 2014-12-18 GreenTech Consultancy Company W.L.L. +موبايلي + +// xn--mgbt3dhd : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti. +همراه + +// xn--mk1bu44c : 2015-01-15 VeriSign Sarl +닷컴 + +// xn--mxtq1m : 2014-03-06 Net-Chinese Co., Ltd. +政府 + +// xn--ngbc5azd : 2013-07-13 International Domain Registry Pty. Ltd. +شبكة + +// xn--ngbe9e0a : 2014-12-04 Kuwait Finance House +بيتك + +// xn--nqv7f : 2013-11-14 Public Interest Registry +机构 + +// xn--nqv7fs00ema : 2013-11-14 Public Interest Registry +组织机构 + +// xn--nyqy26a : 2014-11-07 Stable Tone Limited +健康 + +// xn--p1acf : 2013-12-12 Rusnames Limited +рус + +// xn--pbt977c : 2014-12-22 Richemont DNS Inc. +珠宝 + +// xn--pssy2u : 2015-01-15 VeriSign Sarl +大拿 + +// xn--q9jyb4c : 2013-09-17 Charleston Road Registry Inc. 
+みんな + +// xn--qcka1pmc : 2014-07-31 Charleston Road Registry Inc. +グーグル + +// xn--rhqv96g : 2013-09-11 Stable Tone Limited +世界 + +// xn--ses554g : 2014-01-16 +网址 + +// xn--t60b56a : 2015-01-15 VeriSign Sarl +닷넷 + +// xn--tckwe : 2015-01-15 VeriSign Sarl +コム + +// xn--unup4y : 2013-07-14 Spring Fields, LLC +游戏 + +// xn--vermgensberater-ctb : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG +vermögensberater + +// xn--vermgensberatung-pwb : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG +vermögensberatung + +// xn--vhquv : 2013-08-27 Dash McCook, LLC +企业 + +// xn--vuq861b : 2014-10-16 Beijing Tele-info Network Technology Co., Ltd. +信息 + +// xn--xhq521b : 2013-11-14 Guangzhou YU Wei Information Technology Co., Ltd. +广东 + +// xn--zfr164b : 2013-11-08 China Organizational Name Administration Center +政务 + +// xyz : 2013-12-05 XYZ.COM LLC +xyz + +// yachts : 2014-01-09 DERYachts, LLC +yachts + +// yamaxun : 2014-12-18 Amazon EU S.à r.l. +yamaxun + +// yandex : 2014-04-10 YANDEX, LLC +yandex + +// yodobashi : 2014-11-20 YODOBASHI CAMERA CO.,LTD. +yodobashi + +// yoga : 2014-05-29 Top Level Domain Holdings Limited +yoga + +// yokohama : 2013-12-12 GMO Registry, Inc. +yokohama + +// youtube : 2014-05-01 Charleston Road Registry Inc. +youtube + +// yun : 2015-01-08 QIHOO 360 TECHNOLOGY CO. LTD. +yun + +// zara : 2014-11-07 Industria de Diseño Textil, S.A. (INDITEX, S.A.) +zara + +// zero : 2014-12-18 Amazon EU S.à r.l. +zero + +// zip : 2014-05-08 Charleston Road Registry Inc. 
+zip
+
+// zone : 2013-11-14 Outer Falls, LLC
+zone
+
+// zuerich : 2014-11-07 Kanton Zürich (Canton of Zurich)
+zuerich
+
+
+// ===END ICANN DOMAINS===
+// ===BEGIN PRIVATE DOMAINS===
+
+// Amazon CloudFront : https://aws.amazon.com/cloudfront/
+// Submitted by Donavan Miller 2013-03-22
+cloudfront.net
+
+// Amazon Elastic Compute Cloud: https://aws.amazon.com/ec2/
+// Submitted by Osman Surkatty 2014-12-16
+ap-northeast-1.compute.amazonaws.com
+ap-southeast-1.compute.amazonaws.com
+ap-southeast-2.compute.amazonaws.com
+cn-north-1.compute.amazonaws.cn
+compute.amazonaws.cn
+compute.amazonaws.com
+compute-1.amazonaws.com
+eu-west-1.compute.amazonaws.com
+eu-central-1.compute.amazonaws.com
+sa-east-1.compute.amazonaws.com
+us-east-1.amazonaws.com
+us-gov-west-1.compute.amazonaws.com
+us-west-1.compute.amazonaws.com
+us-west-2.compute.amazonaws.com
+z-1.compute-1.amazonaws.com
+z-2.compute-1.amazonaws.com
+
+// Amazon Elastic Beanstalk : https://aws.amazon.com/elasticbeanstalk/
+// Submitted by Adam Stein 2013-04-02
+elasticbeanstalk.com
+
+// Amazon Elastic Load Balancing : https://aws.amazon.com/elasticloadbalancing/
+// Submitted by Scott Vidmar 2013-03-27
+elb.amazonaws.com
+
+// Amazon S3 : https://aws.amazon.com/s3/
+// Submitted by Courtney Eckhardt 2013-03-22
+s3.amazonaws.com
+s3-us-west-2.amazonaws.com
+s3-us-west-1.amazonaws.com
+s3-eu-west-1.amazonaws.com
+s3-ap-southeast-1.amazonaws.com
+s3-ap-southeast-2.amazonaws.com
+s3-ap-northeast-1.amazonaws.com
+s3-sa-east-1.amazonaws.com
+s3-us-gov-west-1.amazonaws.com
+s3-fips-us-gov-west-1.amazonaws.com
+s3-website-us-east-1.amazonaws.com
+s3-website-us-west-2.amazonaws.com
+s3-website-us-west-1.amazonaws.com
+s3-website-eu-west-1.amazonaws.com
+s3-website-ap-southeast-1.amazonaws.com
+s3-website-ap-southeast-2.amazonaws.com
+s3-website-ap-northeast-1.amazonaws.com
+s3-website-sa-east-1.amazonaws.com
+s3-website-us-gov-west-1.amazonaws.com
+
+// BetaInABox
+// Submitted by adrian@betainabox.com 2012-09-13
+betainabox.com
+
+// CentralNic : http://www.centralnic.com/names/domains
+// Submitted by registry 2012-09-27
+ae.org
+ar.com
+br.com
+cn.com
+com.de
+com.se
+de.com
+eu.com
+gb.com
+gb.net
+hu.com
+hu.net
+jp.net
+jpn.com
+kr.com
+mex.com
+no.com
+qc.com
+ru.com
+sa.com
+se.com
+se.net
+uk.com
+uk.net
+us.com
+uy.com
+za.bz
+za.com
+
+// Africa.com Web Solutions Ltd : https://registry.africa.com
+// Submitted by Gavin Brown 2014-02-04
+africa.com
+
+// iDOT Services Limited : http://www.domain.gr.com
+// Submitted by Gavin Brown 2014-02-04
+gr.com
+
+// Radix FZC : http://domains.in.net
+// Submitted by Gavin Brown 2014-02-04
+in.net
+
+// US REGISTRY LLC : http://us.org
+// Submitted by Gavin Brown 2014-02-04
+us.org
+
+// co.com Registry, LLC : https://registry.co.com
+// Submitted by Gavin Brown 2014-02-04
+co.com
+
+// c.la : http://www.c.la/
+c.la
+
+// cloudControl : https://www.cloudcontrol.com/
+// Submitted by Tobias Wilken 2013-07-23
+cloudcontrolled.com
+cloudcontrolapp.com
+
+// co.ca : http://registry.co.ca/
+co.ca
+
+// CoDNS B.V.
+co.nl
+co.no
+
+// Commerce Guys, SAS
+// Submitted by Damien Tournoud 2015-01-22
+*.platform.sh
+
+// Cupcake : https://cupcake.io/
+// Submitted by Jonathan Rudenberg 2013-10-08
+cupcake.is
+
+// DreamHost : http://www.dreamhost.com/
+// Submitted by Andrew Farmer 2012-10-02
+dreamhosters.com
+
+// DynDNS.com : http://www.dyndns.com/services/dns/dyndns/
+dyndns-at-home.com
+dyndns-at-work.com
+dyndns-blog.com
+dyndns-free.com
+dyndns-home.com
+dyndns-ip.com
+dyndns-mail.com
+dyndns-office.com
+dyndns-pics.com
+dyndns-remote.com
+dyndns-server.com
+dyndns-web.com
+dyndns-wiki.com
+dyndns-work.com
+dyndns.biz
+dyndns.info
+dyndns.org
+dyndns.tv
+at-band-camp.net
+ath.cx
+barrel-of-knowledge.info
+barrell-of-knowledge.info
+better-than.tv
+blogdns.com
+blogdns.net
+blogdns.org
+blogsite.org
+boldlygoingnowhere.org
+broke-it.net
+buyshouses.net
+cechire.com
+dnsalias.com
+dnsalias.net
+dnsalias.org
+dnsdojo.com
+dnsdojo.net
+dnsdojo.org
+does-it.net
+doesntexist.com
+doesntexist.org
+dontexist.com
+dontexist.net
+dontexist.org
+doomdns.com
+doomdns.org
+dvrdns.org
+dyn-o-saur.com
+dynalias.com
+dynalias.net
+dynalias.org
+dynathome.net
+dyndns.ws
+endofinternet.net
+endofinternet.org
+endoftheinternet.org
+est-a-la-maison.com
+est-a-la-masion.com
+est-le-patron.com
+est-mon-blogueur.com
+for-better.biz
+for-more.biz
+for-our.info
+for-some.biz
+for-the.biz
+forgot.her.name
+forgot.his.name
+from-ak.com
+from-al.com
+from-ar.com
+from-az.net
+from-ca.com
+from-co.net
+from-ct.com
+from-dc.com
+from-de.com
+from-fl.com
+from-ga.com
+from-hi.com
+from-ia.com
+from-id.com
+from-il.com
+from-in.com
+from-ks.com
+from-ky.com
+from-la.net
+from-ma.com
+from-md.com
+from-me.org
+from-mi.com
+from-mn.com
+from-mo.com
+from-ms.com
+from-mt.com
+from-nc.com
+from-nd.com
+from-ne.com
+from-nh.com
+from-nj.com
+from-nm.com
+from-nv.com
+from-ny.net
+from-oh.com
+from-ok.com
+from-or.com
+from-pa.com
+from-pr.com
+from-ri.com
+from-sc.com
+from-sd.com
+from-tn.com
+from-tx.com
+from-ut.com
+from-va.com
+from-vt.com
+from-wa.com
+from-wi.com
+from-wv.com
+from-wy.com
+ftpaccess.cc
+fuettertdasnetz.de
+game-host.org
+game-server.cc
+getmyip.com
+gets-it.net
+go.dyndns.org
+gotdns.com
+gotdns.org
+groks-the.info
+groks-this.info
+ham-radio-op.net
+here-for-more.info
+hobby-site.com
+hobby-site.org
+home.dyndns.org
+homedns.org
+homeftp.net
+homeftp.org
+homeip.net
+homelinux.com
+homelinux.net
+homelinux.org
+homeunix.com
+homeunix.net
+homeunix.org
+iamallama.com
+in-the-band.net
+is-a-anarchist.com
+is-a-blogger.com
+is-a-bookkeeper.com
+is-a-bruinsfan.org
+is-a-bulls-fan.com
+is-a-candidate.org
+is-a-caterer.com
+is-a-celticsfan.org
+is-a-chef.com
+is-a-chef.net
+is-a-chef.org
+is-a-conservative.com
+is-a-cpa.com
+is-a-cubicle-slave.com
+is-a-democrat.com
+is-a-designer.com
+is-a-doctor.com
+is-a-financialadvisor.com
+is-a-geek.com
+is-a-geek.net
+is-a-geek.org
+is-a-green.com
+is-a-guru.com
+is-a-hard-worker.com
+is-a-hunter.com
+is-a-knight.org
+is-a-landscaper.com
+is-a-lawyer.com
+is-a-liberal.com
+is-a-libertarian.com
+is-a-linux-user.org
+is-a-llama.com
+is-a-musician.com
+is-a-nascarfan.com
+is-a-nurse.com
+is-a-painter.com
+is-a-patsfan.org
+is-a-personaltrainer.com
+is-a-photographer.com
+is-a-player.com
+is-a-republican.com
+is-a-rockstar.com
+is-a-socialist.com
+is-a-soxfan.org
+is-a-student.com
+is-a-teacher.com
+is-a-techie.com
+is-a-therapist.com
+is-an-accountant.com
+is-an-actor.com
+is-an-actress.com
+is-an-anarchist.com
+is-an-artist.com
+is-an-engineer.com
+is-an-entertainer.com
+is-by.us
+is-certified.com
+is-found.org
+is-gone.com
+is-into-anime.com
+is-into-cars.com
+is-into-cartoons.com
+is-into-games.com
+is-leet.com
+is-lost.org
+is-not-certified.com
+is-saved.org
+is-slick.com
+is-uberleet.com
+is-very-bad.org
+is-very-evil.org
+is-very-good.org
+is-very-nice.org
+is-very-sweet.org
+is-with-theband.com
+isa-geek.com
+isa-geek.net
+isa-geek.org
+isa-hockeynut.com
+issmarterthanyou.com
+isteingeek.de
+istmein.de
+kicks-ass.net
+kicks-ass.org
+knowsitall.info
+land-4-sale.us
+lebtimnetz.de
+leitungsen.de
+likes-pie.com
+likescandy.com
+merseine.nu
+mine.nu
+misconfused.org
+mypets.ws
+myphotos.cc
+neat-url.com
+office-on-the.net
+on-the-web.tv
+podzone.net
+podzone.org
+readmyblog.org
+saves-the-whales.com
+scrapper-site.net
+scrapping.cc
+selfip.biz
+selfip.com
+selfip.info
+selfip.net
+selfip.org
+sells-for-less.com
+sells-for-u.com
+sells-it.net
+sellsyourhome.org
+servebbs.com
+servebbs.net
+servebbs.org
+serveftp.net
+serveftp.org
+servegame.org
+shacknet.nu
+simple-url.com
+space-to-rent.com
+stuff-4-sale.org
+stuff-4-sale.us
+teaches-yoga.com
+thruhere.net
+traeumtgerade.de
+webhop.biz
+webhop.info
+webhop.net
+webhop.org
+worse-than.tv
+writesthisblog.com
+
+// Fastly Inc. http://www.fastly.com/
+// Submitted by Vladimir Vuksan 2013-05-31
+a.ssl.fastly.net
+b.ssl.fastly.net
+global.ssl.fastly.net
+a.prod.fastly.net
+global.prod.fastly.net
+
+// Firebase, Inc.
+// Submitted by Chris Raynor 2014-01-21
+firebaseapp.com
+
+// Flynn : https://flynn.io
+// Submitted by Jonathan Rudenberg 2014-07-12
+flynnhub.com
+
+// GitHub, Inc.
+// Submitted by Ben Toews 2014-02-06
+github.io
+githubusercontent.com
+
+// GlobeHosting, Inc.
+// Submitted by Zoltan Egresi 2013-07-12
+ro.com
+
+// Google, Inc.
+// Submitted by Eduardo Vela 2014-12-19
+appspot.com
+blogspot.ae
+blogspot.be
+blogspot.bj
+blogspot.ca
+blogspot.cf
+blogspot.ch
+blogspot.co.at
+blogspot.co.il
+blogspot.co.nz
+blogspot.co.uk
+blogspot.com
+blogspot.com.ar
+blogspot.com.au
+blogspot.com.br
+blogspot.com.es
+blogspot.com.tr
+blogspot.cv
+blogspot.cz
+blogspot.de
+blogspot.dk
+blogspot.fi
+blogspot.fr
+blogspot.gr
+blogspot.hk
+blogspot.hu
+blogspot.ie
+blogspot.in
+blogspot.it
+blogspot.jp
+blogspot.kr
+blogspot.mr
+blogspot.mx
+blogspot.nl
+blogspot.no
+blogspot.pt
+blogspot.re
+blogspot.ro
+blogspot.ru
+blogspot.se
+blogspot.sg
+blogspot.sk
+blogspot.td
+blogspot.tw
+codespot.com
+googleapis.com
+googlecode.com
+pagespeedmobilizer.com
+withgoogle.com
+
+// Heroku : https://www.heroku.com/
+// Submitted by Tom Maher 2013-05-02
+herokuapp.com
+herokussl.com
+
+// iki.fi
+// Submitted by Hannu Aronsson 2009-11-05
+iki.fi
+
+// info.at : http://www.info.at/
+biz.at
+info.at
+
+// Michau Enterprises Limited : http://www.co.pl/
+co.pl
+
+// Microsoft : http://microsoft.com
+// Submitted by Barry Dorrans 2014-01-24
+azurewebsites.net
+azure-mobile.net
+cloudapp.net
+
+// NFSN, Inc. : https://www.NearlyFreeSpeech.NET/
+// Submitted by Jeff Wheelhouse 2014-02-02
+nfshost.com
+
+// NYC.mn : http://www.information.nyc.mn
+// Submitted by Matthew Brown 2013-03-11
+nyc.mn
+
+// One Fold Media : http://www.onefoldmedia.com/
+// Submitted by Eddie Jones 2014-06-10
+nid.io
+
+// Opera Software, A.S.A.
+// Submitted by Yngve Pettersen 2009-11-26
+operaunite.com
+
+// OutSystems
+// Submitted by Duarte Santos 2014-03-11
+outsystemscloud.com
+
+// .pl domains (grandfathered)
+art.pl
+gliwice.pl
+krakow.pl
+poznan.pl
+wroc.pl
+zakopane.pl
+
+// Red Hat, Inc.
OpenShift : https://openshift.redhat.com/
+// Submitted by Tim Kramer 2012-10-24
+rhcloud.com
+
+// GDS : https://www.gov.uk/service-manual/operations/operating-servicegovuk-subdomains
+// Submitted by David Illsley 2014-08-28
+service.gov.uk
+
+// priv.at : http://www.nic.priv.at/
+// Submitted by registry 2008-06-09
+priv.at
+
+// TASK geographical domains (www.task.gda.pl/uslugi/dns)
+gda.pl
+gdansk.pl
+gdynia.pl
+med.pl
+sopot.pl
+
+// UDR Limited : http://www.udr.hk.com
+// Submitted by registry 2014-11-07
+hk.com
+hk.org
+ltd.hk
+inc.hk
+
+// Yola : https://www.yola.com/
+// Submitted by Stefano Rivera 2014-07-09
+yolasite.com
+
+// ZaNiC : http://www.za.net/
+// Submitted by registry 2009-10-03
+za.net
+za.org
+
+// ===END PRIVATE DOMAINS===
\ No newline at end of file
diff --git a/opensoc-streaming/OpenSOC-Topologies/src/main/resources/hbase-site.xml b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/hbase-site.xml
new file mode 100644
index 0000000000..8d812a9358
--- /dev/null
+++ b/opensoc-streaming/OpenSOC-Topologies/src/main/resources/hbase-site.xml
@@ -0,0 +1,131 @@ + + + + hbase.tmp.dir + /disk/h/hbase + + + hbase.hregion.memstore.chunkpool.maxsize + 0.5 + + + hbase.regionserver.codecs + lzo,gz,snappy + + + hbase.hstore.flush.retries.number + 120 + + + hbase.client.keyvalue.maxsize + 10485760 + + + hbase.rootdir + hdfs://nn1:8020/apps/hbase/data + + + hbase.defaults.for.version.skip + true + + + hbase.client.scanner.caching + 100 + + + hbase.superuser + hbase + + + hfile.block.cache.size + 0.40 + + + hbase.regionserver.checksum.verify + true + + + hbase.hregion.memstore.mslab.enabled + true + + + hbase.hregion.max.filesize + 107374182400 + + + hbase.cluster.distributed + true + + + zookeeper.session.timeout + 30000 + + + zookeeper.znode.parent + /hbase-unsecure + + + hbase.regionserver.global.memstore.lowerLimit + 0.38 + + + hbase.regionserver.handler.count + 240 + + + hbase.hregion.memstore.mslab.chunksize + 8388608 + + + hbase.zookeeper.quorum + zkpr1,zkpr2,zkpr3 + + + hbase.zookeeper.useMulti + true + + + hbase.hregion.majorcompaction + 86400000 + + + hbase.hstore.blockingStoreFiles + 200 + + + hbase.zookeeper.property.clientPort + 2181 + + + hbase.hregion.memstore.flush.size + 134217728 + + + hbase.security.authorization + false + + + hbase.regionserver.global.memstore.upperLimit + 0.4 + + + hbase.hstore.compactionThreshold + 4 + + + hbase.hregion.memstore.block.multiplier + 8 + + + hbase.security.authentication + simple + + + dfs.client.read.shortcircuit + true + + + dfs.domain.socket.path + /var/run/hdfs/dn_socket + + \ No newline at end of file diff --git a/opensoc-streaming/pom.xml b/opensoc-streaming/pom.xml index 8f48583a0a..bbd4e2e6ec 100644 --- a/opensoc-streaming/pom.xml +++ b/opensoc-streaming/pom.xml @@ -14,7 +14,7 @@ 4.0.0 com.opensoc OpenSOC-Streaming - 0.3BETA-SNAPSHOT + 0.6BETA pom OpenSOC-Streaming Stream analytics for OpenSOC @@ -30,6 +30,7 @@ 4.4 18.0 2.2.5 + 1.7.7 @@ -49,7 +50,7 @@ - + OpenSOC-Common 
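Review bot: The new `hbase-site.xml` ships with `hbase.security.authentication` set to `simple` and `hbase.security.authorization` set to `false`, and points at the `/hbase-unsecure` znode, so a topology that loads this resource from the jar connects to HBase with no verified identity and no table-level access control. For a platform whose HBase tables presumably hold telemetry and alert data, that should not be the silent default. Either keep the file out of `src/main/resources` and supply the site configuration at deploy time, or mark it as a sample with a header comment such as `<!-- Sample for an unsecured dev cluster; production needs hbase.security.authentication=kerberos and hbase.security.authorization=true -->`. The cluster-specific values in the same file (`hdfs://nn1:8020/apps/hbase/data`, `zkpr1,zkpr2,zkpr3`) likewise follow the artifact into every environment and are better injected per deployment.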
@@ -59,6 +60,7 @@ OpenSOC-Alerts OpenSOC-DataLoads OpenSOC-Topologies + OpenSOC-Pcap_Service @@ -75,6 +77,7 @@ org.apache.maven.plugins maven-surefire-plugin + 2.18 @@ -98,6 +101,7 @@ org.apache.maven.plugins maven-pmd-plugin + 3.3 1.7 @@ -110,4 +114,11 @@ + + + + clojars.org + http://clojars.org/repo + + diff --git a/opensoc-streaming/readme.md b/opensoc-streaming/readme.md index d70667f876..c912153804 100644 --- a/opensoc-streaming/readme.md +++ b/opensoc-streaming/readme.md 
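Review bot: The repository added in the last pom.xml hunk is declared with the plain-HTTP URL `http://clojars.org/repo`, so every artifact and POM that Maven resolves from it is fetched without transport integrity and can be altered on the network path before it reaches the build. Point it at the TLS endpoint instead, `https://clojars.org/repo`, and consider adding `<checksumPolicy>fail</checksumPolicy>` under the repository's `<releases>` element so that a checksum mismatch stops the build instead of only logging a warning. The element names are not visible in this rendering of the hunk, so the exact placement is inferred from the `clojars.org` id and URL lines.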
@@ -1,137 +1,13 @@ #Current Build -The latest build of OpenSOC-Streaming is 0.3BETA. We are still in the process of merging/porting additional -features from our production code base into this open source release. This release will be followed by -a number of additional beta releases until the port is complete. We will also work on getting additional -documentation and user/developer guides to the community as soon as we can. At this time we offer no support -for the beta software, but will try to respond to requests as promptly as we can. +The latest build of OpenSOC-Streaming is 0.6BETA. -# OpenSOC-Streaming - -Extensible set of Storm topologies and topology attributes for streaming, enriching, indexing, and storing telemetry in Hadoop. General information on OpenSOC is available at www.getopensoc.com - -For OpenSOC FAQ please read the following wiki entry: https://github.com/OpenSOC/opensoc-streaming/wiki/OpenSOC-FAQ - - -# Usage Instructions - -## Message Parser Bolt - -Bolt for parsing telemetry messages into a JSON format - -``` -TelemetryParserBolt parser_bolt = new TelemetryParserBolt() - .withMessageParser(new BasicSourcefireParser()) - .withOutputFieldName(topology_name); -``` - -###Parameters: - -MesageParser: parsers a raw message to JSON. 
Parsers listed below are available -- BasicSourcefireParser: will parse a Sourcefire message to JSON -- BasicBroParser: will parse a Bro message to JSON - -OutputFieldName: name of the output field emitted by the bolt - -## Telemetry Indexing Bolt - -Bolt for indexing JSON telemetry messages in ElasticSearch or Solr - -``` -TelemetryIndexingBolt indexing_bolt = new TelemetryIndexingBolt() - .withIndexIP(ElasticSearchIP).withIndexPort(elasticSearchPort) - .withClusterName(ElasticSearchClusterName) - .withIndexName(ElasticSearchIndexName) - .withDocumentName(ElasticSearchDocumentName).withBulk(bulk) - .withOutputFieldName(topology_name) - .withIndexAdapter(new ESBaseBulkAdapter()); -``` - -###Parameters: - -IndexAdapter: adapter and strategy for indexing. Adapters listed below are available -- ESBaseBulkAdapter: adapter for bulk loading telemetry into a single index in ElasticSearch -- ESBulkRotatingAdapter: adapter for bulk loading telemetry into Elastic search, rotating once per hour, and applying a single alias to all rotated indexes -- SolrAdapter (stubbed out, on roadmap) - -OutputFieldName: name of the output field emitted by the bolt - -IndexIP: IP of ElasticSearch/Solr - -IndexPort: Port of ElasticSearch/Solr - -ClusterName: ClusterName of ElasticSearch/Solr - -IndexName: IndexName of ElasticSearch/Solr - -DocumentName: DocumentName of ElasticSearch/Solr - -Bulk: number of documents to bulk load into ElasticSearch/Solr. If no value is passed, default is 10 +We are still in the process of merging/porting additional features from our production code base into this open source release. This release will be followed by a number of additional beta releases until the port is complete. We will also work on getting additional documentation and user/developer guides to the community as soon as we can. At this time we offer no support for the beta software, but will try to respond to requests as promptly as we can. 
-## Enrichment Bolt - -This bolt is for enriching telemetry messages with additional metadata from external data sources. At the time of the release the data sources supported are GeoIP (MaxMind GeoLite), WhoisDomain, Collective Intelligence Framework (CIF), and Lancope. In order to use the bolt the data sources have to be setup and data has to be bulk-loaded into them. The information on bulk-loading data sources and making them interoperable with the enrichment bolt is provided in the following wiki entries: - -- GeoIP: https://github.com/OpenSOC/opensoc-streaming/wiki/Setting-up-GeoLite-Data -- WhoisDomain: https://github.com/OpenSOC/opensoc-streaming/wiki/Setting-up-Whois-Data -- CIF Feeds: https://github.com/OpenSOC/opensoc-streaming/wiki/Setting-up-CIF-Data -- Lancope Metadata: https://github.com/OpenSOC/opensoc-streaming/wiki/Setting-up-Lancope-data - -``` -Map patterns = new HashMap(); - patterns.put("originator_ip_regex", Pattern.compile("ip_src_addr\":\"(.*?)\"")); - patterns.put("responder_ip_regex", Pattern.compile("ip_dst_addr\":\"(.*?)\"")); - -GeoMysqlAdapter geo_adapter = new GeoMysqlAdapter("IP", 0, "test", "test"); - -GenericEnrichmentBolt geo_enrichment = new GenericEnrichmentBolt() - .withEnrichmentTag(geo_enrichment_tag) - .withOutputFieldName(topology_name).withAdapter(geo_adapter) - .withMaxTimeRetain(MAX_TIME_RETAIN) - .withMaxCacheSize(MAX_CACHE_SIZE).withPatterns(patterns); -``` - -###Parameters: - -GeoAdapter: adapter for the MaxMind GeoLite dataset. Adapters listed below are available -- GeoMysqlAdapter: pulls geoIP data from MqSQL database -- GeoPosgreSQLAdapter: pulls geoIP data from Posgress database (on road map, not yet available) - -WhoisAdapter: adapter for whois database. 
Adapters listed below are available -- WhoisHBaseAdapter: adapter for HBase - -CIFAdapter: Hortonworks to document - -LancopeAdapter: Hortonworks to document - -originator_ip_regex: regex to extract the source ip form message - -responder_ip_regex: regex to extract dest ip from message -The single bolt is currently undergoing testing and will be uploaded shortly - -geo_enrichment_tag: JSON field indicating how to tag the original message with the enrichment... {original_message:some_message, {geo_enrichment_tag:{from:xxx},{to:xxx}}} - -MAX_TIME_RETAIN: this bolt utilizes in-memory cache. this variable (in minutes) indicates now long to retain each entry in the cache - -MAX_CACHE_SIZE: this value defines the maximum size of the cache after which entries are evicted from cache - -OutputFieldName: name of the output field emitted by the bolt - - -## Internal Test Spout - -We provide a capability to test a topology with messages stored in a file and packaged in a jar that is sent to storm. This functionality is exposed through a special spout that is able to replay test messages into a topology. - -``` -GenericInternalTestSpout test_spout = new GenericInternalTestSpout() - .withFilename("sourcefire_enriched").withRepeating(false) - .withMilisecondDelay(100); -``` - -###Parameters +# OpenSOC-Streaming -Filename: name of a file in a jar you want to replay +Extensible set of Storm topologies and topology attributes for streaming, enriching, indexing, and storing telemetry in Hadoop. General information on OpenSOC is available at http://opensoc.github.io -Repeating: do you want to repeatedly play messages or stop after all the messages in the file have been read +# Documentation -WithMilisecondDelay: the amount of the delay (sleep) between replayed messages +Please see documentation within each individual module for description and usage instructions. Sample topologies are provided under OpenSOC_Topologies to get you started with the framework. 
We pre-assume knowledge of Hadoop, Storm, Kafka, and HBase.