FlexConnector: Barracuda Web Application Firewall (WAF)

over 8 years ago

Hi,

We get the WAF logs (Access, Firewall, Audit) via syslog, so I wrote this connector.

Latest Update: 2012/09/11

#Barracuda Web Application Firewall
#Syslog-Format: Default
#Regex values use properties-file escaping: \\d in this file reaches the regex engine as \d.
do.unparsed.events=true
#Top level: date, time, +zone, two spaces, sender, message id (TR/WF/AUDIT), rest of the line
regex=\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}.\\d{3} \\+\\d{4}  \\S+ (\\w+) (.*)
token.count=2
token[0].name=SubmessageIdToken
token[0].type=String
token[1].name=SubmessageToken
token[1].type=String

event.deviceReceiptTime=_SYSLOG_TIMESTAMP
event.deviceHostName=_SYSLOG_SENDER
event.deviceVendor=__stringConstant("Barracuda")
event.deviceProduct=__stringConstant("Web Application Firewall")
event.deviceEventCategory=SubmessageIdToken

#Severity as it appears in the log (four characters, e.g. ALER, WARN, INFO)
#severity.map.veryhigh.if.deviceSeverity=
severity.map.high.if.deviceSeverity=ALER
severity.map.medium.if.deviceSeverity=WARN
severity.map.low.if.deviceSeverity=INFO
severity.map.unknown.if.deviceSeverity=*

submessage.message id.token=SubmessageIdToken
submessage.token=SubmessageToken

submessage.count=4

#TR: access log entries
submessage[0].messageid=TR
submessage[0].pattern.count=1
submessage[0].pattern[0].regex=(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) \\S+ \\S+ (\\w+) (\\w+) (\\S+) \\S+ (\\d+) \\d+ \\d+ \\d+ \\d+ (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) \\d+ \\S+ \\w+ \\w+ \\w+ (\\w+) (\\S+) \\S+ \\S+ .*
submessage[0].pattern[0].fields=event.targetAddress,event.targetPort,event.attackerAddress,event.attackerPort,event.requestMethod,event.applicationProtocol,event.targetHostName,event.deviceCustomNumber1,event.destinationAddress,event.destinationPort,event.deviceCustomString3,event.deviceCustomString5
submessage[0].pattern[0].types=IPAddress,Integer,IPAddress,Integer,String,String,String,Integer,IPAddress,Integer,String,String
submessage[0].pattern[0].extramappings=event.name\=__concatenate($5," ",$6," ",$7)|event.deviceCustomString4\=$7


#WF: web firewall log entries. Patterns 0-2 differ only in how the URL is split
#(host + path + query, host + path, whole URL); 3-5 allow one extra trailing token,
#6-8 capture the two trailing tokens (Attack ID, Attack Group).
submessage[1].messageid=WF
#Severity Level|Attack Description|Client IP|Client Port|Application IP|Application Port|Rule ID|Rule Type|Action Taken|Follow-up Action|Attack Details|Method|URL|Protocol|Session ID|User Agent|Proxy IP|Authenticated User|Referrer|Attack ID|Attack Group
submessage[1].pattern.count=9
submessage[1].pattern[0].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+?)(\\?\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+
submessage[1].pattern[0].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.deviceCustomString6,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[0].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String,String
submessage[1].pattern[1].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+
submessage[1].pattern[1].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[1].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String
submessage[1].pattern[2].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+
submessage[1].pattern[2].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[2].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String
submessage[1].pattern[3].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+?)(\\?\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ \\S+
submessage[1].pattern[3].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.deviceCustomString6,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[3].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String,String
submessage[1].pattern[4].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ \\S+
submessage[1].pattern[4].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[4].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String
submessage[1].pattern[5].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ \\S+
submessage[1].pattern[5].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[5].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String
submessage[1].pattern[6].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+?)(\\?\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ (\\S+) (\\S+)
submessage[1].pattern[6].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.deviceCustomString6,event.applicationProtocol,event.attackerProcessName,event.attackerUserId,event.deviceEventClassId,event.deviceProcessName
submessage[1].pattern[6].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String,String,Integer,String
submessage[1].pattern[7].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ (\\S+) (\\S+)
submessage[1].pattern[7].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.applicationProtocol,event.attackerProcessName,event.attackerUserId,event.deviceEventClassId,event.deviceProcessName
submessage[1].pattern[7].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String,Integer,String
submessage[1].pattern[8].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ (\\S+) (\\S+)
submessage[1].pattern[8].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.applicationProtocol,event.attackerProcessName,event.attackerUserId,event.deviceEventClassId,event.deviceProcessName
submessage[1].pattern[8].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,Integer,String


#AUDIT: administrative audit log entries
submessage[2].messageid=AUDIT
#Admin Name|Client Type|Login IP|Login Port|Transaction Type|Transaction ID|Command Name|Change Type|Object Type|Object Name|Variable|Old Value|New Value|Additional Data
submessage[2].pattern.count=2
submessage[2].pattern[0].regex=(\\S+) (\\S+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) \\d{1,5} (\\S+) \\d+\\s+(\\w+) (\\S+) (\\S+) \\S+ \\S+ \\S+ \\[.*?\\]
submessage[2].pattern[0].fields=event.sourceUserName,event.deviceCustomString1,event.sourceAddress,event.name,event.message,event.deviceCustomString2,event.deviceCustomString3
submessage[2].pattern[0].types=String,String,IPAddress,String,String,String,String
submessage[2].pattern[1].regex=(\\S+) (\\S+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) \\d{1,5} (\\S+) \\d+\\s+\\w+ \\S+ \\S+ \\S+ \\S+ \\[(.*)\\]
submessage[2].pattern[1].fields=event.sourceUserName,event.deviceCustomString1,event.sourceAddress,event.name,event.message
submessage[2].pattern[1].types=String,String,IPAddress,String,String


#Catch-all: a submessage without a messageid takes every line the others do not match
submessage[3].pattern.count=1
submessage[3].pattern[0].regex=(.*)
submessage[3].pattern[0].fields=event.message
submessage[3].pattern[0].extramappings=event.name\=__stringConstant("Unparsed Event from Barracuda Web Application Firewall")
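
The following is an added check, not part of the connector above or of anything posted in the thread: it runs the connector's top-level regex and its first two WF patterns in Python's `re` (the regex constructs used here behave the same as in the Java engine the connector runs on) against the WF line Tejesh pasted in the comments and a constructed variant with a query string. The field names are the connector's; `parse`, `check_field_counts`, the `SEVERITY` table (built from the `severity.map` lines) and the sample strings are this example's own. The group-count check is the first thing to look at when a FlexConnector pattern refuses to parse: a pattern whose capture groups and `fields` list disagree in length never matches anything.

```python
import re

# The connector's regexes with the properties-file escaping removed
# (\\d in the file is \d here).  Field names are the connector's.

# Top level: date, time, +zone, two spaces, sender, message id, rest.
HEADER_RE = re.compile(
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{3} \+\d{4}  \S+ (\w+) (.*)"
)

IP = r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"        # captured
IP_NOCAP = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"    # not captured (proxy IP)

# Before the URL: severity, attack name, client ip/port, application
# ip/port, rule id, rule type, action, follow-up, [details], method.
PREFIX = (r"(\w+) (\w+) " + IP + r" (\d{1,5}) " + IP + r" (\d{1,5}) "
          r"(\S+) (\w+) (\w+) (\w+) \[(.*)\] (\w+) ")
# After the URL: protocol, session id, "user agent", proxy ip/port,
# authenticated user, referrer (referrer is not captured by these patterns).
SUFFIX = (r' (\w+) \S+ "{1,4}(.*)?""{0,3} ' + IP_NOCAP
          + r" \d{1,5} (\S+) \S+")

PREFIX_FIELDS = ["deviceSeverity", "name", "attackerAddress", "attackerPort",
                 "targetAddress", "targetPort", "message", "deviceCustomString1",
                 "deviceAction", "deviceCustomString2", "deviceCustomString3",
                 "requestMethod"]
SUFFIX_FIELDS = ["applicationProtocol", "attackerProcessName", "attackerUserId"]

# submessage[1].pattern[0] (URL with a query string) and pattern[1] (URL
# without one).  The connector tries patterns in order; first match wins.
WF_PATTERNS = [
    (re.compile(PREFIX + r"(\S+?/)(\S+?)(\?\S+)" + SUFFIX),
     PREFIX_FIELDS + ["deviceCustomString4", "deviceCustomString5",
                      "deviceCustomString6"] + SUFFIX_FIELDS),
    (re.compile(PREFIX + r"(\S+?/)(\S+)" + SUFFIX),
     PREFIX_FIELDS + ["deviceCustomString4", "deviceCustomString5"]
     + SUFFIX_FIELDS),
]

# severity.map.*.if.deviceSeverity from the connector
SEVERITY = {"ALER": "High", "WARN": "Medium", "INFO": "Low"}


def check_field_counts():
    """Every capture group needs a field name and vice versa; a mismatch
    means the pattern is misconfigured and will not populate the event."""
    return all(rx.groups == len(fields) for rx, fields in WF_PATTERNS)


def parse(line):
    """Map one Barracuda syslog line to CEF-style fields, or return None
    when the top-level regex does not match at all."""
    head = HEADER_RE.fullmatch(line)
    if head is None:
        return None
    msg_id, body = head.groups()
    event = {"deviceVendor": "Barracuda",
             "deviceProduct": "Web Application Firewall",
             "deviceEventCategory": msg_id}
    if msg_id == "WF":
        for rx, fields in WF_PATTERNS:
            m = rx.fullmatch(body)
            if m:
                event.update(zip(fields, m.groups()))
                event["agentSeverity"] = SEVERITY.get(event["deviceSeverity"],
                                                      "Unknown")
                return event
    # TR and AUDIT are not modelled here; anything unmatched is treated
    # like the connector's catch-all submessage[3].
    event["name"] = "Unparsed Event from Barracuda Web Application Firewall"
    event["message"] = body
    return event


# First sample line is copied from Tejesh's paste in the comments; the
# second is a constructed variant whose URL carries a query string.
SAMPLE_WF = (
    '2014-04-02 10:36:10.002 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE '
    '200.177.148.81 50739 10.10.3.191 80 global GLOBAL LOG NONE '
    '[Cookie="isVisited" Service-created="138 days back" '
    'Reason="No valid encrypted pair"] GET '
    'www.abcdefg.com/iwov-resources/js/pages.validation.js HTTP "-" '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/33.0.1750.154 Safari/537.36" 200.177.148.81 50739 "-" '
    'http://www.abcdefg.com/savings-investment-plans/super-savings-plan'
)
SAMPLE_WF_QUERY = SAMPLE_WF.replace(
    "iwov-resources/js/pages.validation.js", "search?q=plan")

if __name__ == "__main__":
    print("group/field counts agree:", check_field_counts())
    for line in (SAMPLE_WF, SAMPLE_WF_QUERY):
        ev = parse(line)
        for key in ("name", "agentSeverity", "attackerAddress",
                    "deviceCustomString4", "deviceCustomString5",
                    "deviceCustomString6", "attackerProcessName"):
            print(f"{key}={ev.get(key)!r}")
        print()
```

On the thread's sample line, pattern[0] fails because the URL has no `?`, and pattern[1] matches, so the user agent ends up in attackerProcessName and the path in deviceCustomString5; the referrer after the authenticated user is consumed by the final `\S+` and is never captured by any of the nine WF patterns, which is consistent with the "Referer" complaint in the comments.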

Comment List
Anonymous
  • Hi Tejesh,

    We are facing a similar problem to the one you mentioned above.

    The User Agent field is not parsing properly in WAF. Can you share the regex file for the same with me?

    The log format is like: User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36"

    Regards,

    Tejaswi M

  • Hi,

    Thanks a lot....

    Your latest connector file is working fine and it is parsing all the fields....

    Regards,

    Tejesh

  • Hi,

    Thanks a lot for the quick response...

    Please find the log file below..

    2014-04-02 10:36:10.002 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 200.177.148.81 50739 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/js/pages.validation.js HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" 200.177.148.81 50739 "-" http://www.abcdefg.com/savings-investment-plans/super-savings-plan

    2014-04-02 10:36:10.002 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 200.177.148.81 50739 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ss_lsf_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/js/pages.validation.js HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" 200.177.148.81 50739 "-" http://www.abcdefg.com/savings-investment-plans/super-savings-plan


    2014-04-02 10:36:10.009 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 125.22.43.14 49809 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ss_lsf_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/header-icons-mob.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36" 125.22.43.14 49809 "-" http://www.abcdefg.com/customer-service

    2014-04-02 10:36:10.009 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 200.177.148.81 50747 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/left-nav-bg.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" 200.177.148.81 50747 "-" http://www.abcdefg.com/savings-investment-plans/super-savings-plan

    2014-04-02 10:36:10.009 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 200.177.148.81 50747 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ss_lsf_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/left-nav-bg.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" 200.177.148.81 50747 "-" http://www.abcdefg.com/savings-investment-plans/super-savings-plan

    2014-04-02 10:36:10.021 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 200.177.148.81 7000 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/savings/abc-defg-Super-Savings-Plan.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" 200.177.148.81 7000 "-" http://www.abcdefg.com/savings-investment-plans/super-savings-plan

    2014-04-02 10:36:10.021 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 200.177.148.81 7000 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ss_lsf_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/savings/abc-defg-Super-Savings-Plan.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" 200.177.148.81 7000 "-" http://www.abcdefg.com/savings-investment-plans/super-savings-plan

    2014-04-02 10:36:10.045 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 200.177.148.81 50739 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/shadow-small.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" 200.177.148.81 50739 "-" http://www.abcdefg.com/savings-investment-plans/super-savings-plan

    2014-04-02 10:36:10.045 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 200.177.148.81 50739 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ss_lsf_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/shadow-small.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" 200.177.148.81 50739 "-" http://www.abcdefg.com/savings-investment-plans/super-savings-plan

    Wed Apr 02 11:16:53 2014: <134>Apr  2 10:36:10 barracuda

    2014-04-02 10:36:10.049 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 200.177.148.81 50747 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/frame-small-hover.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" 200.177.148.81 50747 "-" http://www.abcdefg.com/savings-investment-plans/super-savings-plan

    2014-04-02 10:36:10.049 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 200.177.148.81 50747 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ss_lsf_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/frame-small-hover.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" 200.177.148.81 50747 "-" http://www.abcdefg.com/savings-investment-plans/super-savings-plan

    2014-04-02 10:36:10.079 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 115.242.55.120 51635 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ss_lsf_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/tools/info.png HTTP "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MDDSJS)" 115.242.55.120 51635 "-" http://www.abcdefg.com/financial-tools-calculators/retirement-planning-calculator

    Wed Apr 02 11:16:53 2014: <134>Apr  2 10:36:10 barracuda

    2014-04-02 10:36:10.089 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 200.177.148.81 50742 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/inner-left-shadow.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" 200.177.148.81 50742 "-" http://www.abcdefg.com/savings-investment-plans/super-savings-plan

    2014-04-02 10:36:10.089 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 200.177.148.81 50742 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ss_lsf_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/inner-left-shadow.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" 200.177.148.81 50742 "-" http://www.abcdefg.com/savings-investment-plans/super-savings-plan

    2014-04-02 10:36:10.091 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 200.177.148.81 50739 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/star-on.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" 200.177.148.81 50739 "-" http://www.abcdefg.com/savings-investment-plans/super-savings-plan

    2014-04-02 10:36:11.058 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 125.22.43.14 49809 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ss_lsf_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/customerservice/policy-servicing-thumb.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36" 125.22.43.14 49809 "-" http://www.abcdefg.com/customer-service

    2014-04-02 10:36:11.080 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 200.177.148.81 50739 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ss_lsf_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/tab-head-left.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" 200.177.148.81 50739 "-" http://www.abcdefg.com/savings-investment-plans/super-savings-plan

    2014-04-02 10:36:11.092 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 222.102.102.254 2001 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/icon-footer.png HTTP "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)" 222.102.102.254 2001 "-" http://www.abcdefg.com/

    2014-04-02 10:36:11.092 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 222.102.102.254 2001 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ls_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/icon-footer.png HTTP "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)" 222.102.102.254 2001 "-" http://www.abcdefg.com/

    2014-04-02 10:36:11.100 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 125.22.43.14 49814 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ss_lsf_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/customerservice/Customer-Information-Centre_thumb.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36" 125.22.43.14 49814 "-" http://www.abcdefg.com/customer-service

    2014-04-02 10:36:11.100 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 125.22.43.14 49814 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/customerservice/Customer-Information-Centre_thumb.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36" 125.22.43.14 49814 "-" http://www.abcdefg.com/customer-service

    2014-04-02 10:36:11.125 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 200.177.148.81 50739 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/pdf-icon.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" 200.177.148.81 50739 "-" http://www.abcdefg.com/savings-investment-plans/super-savings-plan

    2014-04-02 10:36:11.126 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 200.177.148.81 50742 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ss_lsf_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/gray-arrow.png HTTP "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36" 200.177.148.81 50742 "-" http://www.abcdefg.com/savings-investment-plans/super-savings-plan

    2014-04-02 10:36:11.252 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 222.102.102.254 1994 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/footer2.png HTTP "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)" 222.102.102.254 1994 "-" http://www.abcdefg.com/

    2014-04-02 10:36:11.252 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 222.102.102.254 1994 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ls_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/footer2.png HTTP "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)" 222.102.102.254 1994 "-" http://www.abcdefg.com/

    2014-04-02 10:36:11.401 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 222.102.102.254 1992 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/share-bg.png HTTP "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)" 222.102.102.254 1992 "-" http://www.abcdefg.com/

    2014-04-02 10:36:11.401 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 222.102.102.254 1992 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ls_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/share-bg.png HTTP "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)" 222.102.102.254 1992 "-" http://www.abcdefg.com/

    2014-04-02 10:36:11.427 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 175.100.160.57 42684 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/js/foundation/effects.js HTTP "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" 175.100.160.57 42684 "-" http://www.abcdefg.com/

    2014-04-02 10:36:11.612 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 175.100.160.57 42697 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/css/bootstro.css HTTP "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" 175.100.160.57 42697 "-" http://www.abcdefg.com/

    2014-04-02 10:36:11.720 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 175.100.160.57 42684 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/css/global.css HTTP "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" 175.100.160.57 42684 "-" http://www.abcdefg.com/

    2014-04-02 10:36:11.892 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 222.102.102.254 2001 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/buy-online.gif HTTP "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)" 222.102.102.254 2001 "-" http://www.abcdefg.com/

    2014-04-02 10:36:11.892 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 222.102.102.254 2001 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ss_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/buy-online.gif HTTP "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)" 222.102.102.254 2001 "-" http://www.abcdefg.com/

    2014-04-02 10:36:11.905 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 122.177.97.227 50071 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ss_lsf_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/frame-extra-large-hover.png HTTP "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko" 122.177.97.227 50071 "-" http://www.abcdefg.com/

    2014-04-02 10:36:12.032 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 222.102.102.254 1993 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/caption-bg.png HTTP "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)" 222.102.102.254 1993 "-" http://www.abcdefg.com/

    2014-04-02 10:36:12.032 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 222.102.102.254 1993 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ls_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/caption-bg.png HTTP "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)" 222.102.102.254 1993 "-" http://www.abcdefg.com/

    2014-04-02 10:36:12.032 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 222.102.102.254 1993 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="_we_wk_ss_" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/index/caption-bg.png HTTP "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)" 222.102.102.254 1993 "-" http://www.abcdefg.com/


    2014-04-02 10:36:12.092 +0530  barracuda WF WARN UNRECOGNIZED_COOKIE 115.113.224.162 13995 10.10.3.191 80 global GLOBAL LOG NONE [Cookie="isVisited" Service-created="138 days back" Reason="No valid encrypted pair"] GET www.abcdefg.com/iwov-resources/image/termplans/click2protect_new.png HTTP "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" 115.113.224.162 13995 "-" http://www.abcdefg.com/term-insurance-plans/click-2-protect

    Regards,

    Tejesh

  • Maybe you can upload the whole log entry, so that I can try to find out why it's not parsing.

  • Hi,

    I've uploaded my latest connector file; feel free to try it.

  • Hi All,

    Thanks for sharing the connector subagent file...

    I have tried this file, but only 3 fields are not parsing..

    User Agent:  Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36"

    Referer: http://www.xxxxxxx.com/customer-service

    Can anyone please help me by providing an updated regex file...

    Thanks in advance....

    Regards,

    Tejesh

  • Can you share what settings you used on the Barracuda WAF? Under Advanced > Export Logs > Logs Format ... did you specify the CEF format for your output, or did you leave the Barracuda "default" format?

    Thanks!
