FlexConnector: Barracuda Web Application Firewall (WAF)


Hi,

We get the WAF logs (Access, Firewall, Audit) via syslog, so I wrote this connector.

Latest Update: 2012/09/11

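#Barracuda Web Application Firewall
#Syslog-Format: Default
#
# ArcSight FlexConnector (syslog sub-agent) for the Barracuda WAF access (TR),
# firewall (WF) and audit (AUDIT) logs. The top-level regex strips the device's
# own timestamp/host prefix and hands the log type and the remainder to the
# submessage patterns below.
#
# NOTE(review): the forum rendering of this file had dropped every "+" in the
# regexes (e.g. "(\\w )" and "\\ \\d{4}" in place of "(\\w+)" and "\\+\\d{4}"),
# which left patterns that could only match a single character followed by two
# spaces. The "+" quantifiers are restored below; re-validate against a live
# sample of each log type before deploying.
do.unparsed.events=true
# Capture 1: log type (TR/WF/AUDIT); capture 2: the rest of the line.
regex=\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}.\\d{3} \\+\\d{4} +\\S+ (\\w+) (.*)
token.count=2
token[0].name=SubmessageIdToken
token[0].type=String
token[1].name=SubmessageToken
token[1].type=String

event.deviceReceiptTime=_SYSLOG_TIMESTAMP
event.deviceHostName=_SYSLOG_SENDER
event.deviceVendor=__stringConstant("Barracuda")
event.deviceProduct=__stringConstant("Web Application Firewall")
event.deviceEventCategory=SubmessageIdToken

# Agent severity is derived from the WF "Severity Level" field only. Any value
# not listed here (including the empty veryhigh entry) falls through to
# "unknown"; check the device's full severity vocabulary and extend as needed.
#severity.map.veryhigh.if.deviceSeverity=
severity.map.high.if.deviceSeverity=ALER
severity.map.medium.if.deviceSeverity=WARN
severity.map.low.if.deviceSeverity=INFO
severity.map.unknown.if.deviceSeverity=*

submessage.messageid.token=SubmessageIdToken
submessage.token=SubmessageToken

submessage.count=4

# --- TR: access log -------------------------------------------------------
# The first address/port pair is mapped to the target (the WAF-side service)
# and the second to the attacker (the client); the third pair is the
# backend server the request was forwarded to. No field-order header was
# provided for this log type, so confirm the order against the device docs.
submessage[0].messageid=TR
submessage[0].pattern.count=1
submessage[0].pattern[0].regex=(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) \\S+ \\S+ (\\w+) (\\w+) (\\S+) \\S+ (\\d+) \\d+ \\d+ \\d+ \\d+ (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) \\d+ \\S+ \\w+ \\w+ \\w+ (\\w+) (\\S+) \\S+ \\S+ .*
submessage[0].pattern[0].fields=event.targetAddress,event.targetPort,event.attackerAddress,event.attackerPort,event.requestMethod,event.applicationProtocol,event.targetHostName,event.deviceCustomNumber1,event.destinationAddress,event.destinationPort,event.deviceCustomString3,event.deviceCustomString5
submessage[0].pattern[0].types=IPAddress,Integer,IPAddress,Integer,String,String,String,Integer,IPAddress,Integer,String,String
# event.name is "<method> <protocol> <host>"; cs4 duplicates the host.
submessage[0].pattern[0].extramappings=event.name\=__concatenate($5," ",$6," ",$7)|event.deviceCustomString4\=$7


# --- WF: firewall (attack) log --------------------------------------------
submessage[1].messageid=WF
#Severity Level|Attack Description|Client IP|Client Port|Application IP|Application Port|Rule ID|Rule Type|Action Taken|Follow-up Action|Attack Details|Method|URL|Protocol|Session ID|User Agent|Proxy IP|Authenticated User|Referrer|Attack ID|Attack Group
#
# The nine patterns are the same field layout in three URL shapes x three tail
# shapes. URL: path with a query string split into cs4 (directory), cs5
# (file) and cs6 (query); path with a "/" but no query (cs4, cs5); bare token
# (cs4 only). Tail: "Authenticated User" alone; plus "Referrer" (ignored);
# plus "Attack ID" and "Attack Group" (deviceEventClassId, deviceProcessName).
# Patterns are tried in order, so the most specific shape must come first.
#
# Not captured: Session ID, Proxy IP/Proxy Port (the \\d{1,3}... \\d{1,5} run
# after the quoted User Agent) and Referrer. If the WAF sits behind another
# proxy, the client IP of interest may be the proxy-reported one, so consider
# capturing it into a custom field rather than discarding it.
# "Attack Details" is captured greedily as \\[(.*)\\]; a "]" inside the
# details would extend the match, so keep the surrounding anchors strict.
submessage[1].pattern.count=9
submessage[1].pattern[0].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+?)(\\?\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+
submessage[1].pattern[0].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.deviceCustomString6,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[0].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String,String
submessage[1].pattern[1].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+
submessage[1].pattern[1].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[1].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String
submessage[1].pattern[2].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+
submessage[1].pattern[2].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[2].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String
submessage[1].pattern[3].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+?)(\\?\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ \\S+
submessage[1].pattern[3].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.deviceCustomString6,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[3].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String,String
submessage[1].pattern[4].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ \\S+
submessage[1].pattern[4].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[4].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String
submessage[1].pattern[5].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ \\S+
submessage[1].pattern[5].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[5].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String
submessage[1].pattern[6].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+?)(\\?\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ (\\S+) (\\S+)
submessage[1].pattern[6].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.deviceCustomString6,event.applicationProtocol,event.attackerProcessName,event.attackerUserId,event.deviceEventClassId,event.deviceProcessName
submessage[1].pattern[6].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String,String,Integer,String
submessage[1].pattern[7].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ (\\S+) (\\S+)
submessage[1].pattern[7].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.applicationProtocol,event.attackerProcessName,event.attackerUserId,event.deviceEventClassId,event.deviceProcessName
submessage[1].pattern[7].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String,Integer,String
submessage[1].pattern[8].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ (\\S+) (\\S+)
submessage[1].pattern[8].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.applicationProtocol,event.attackerProcessName,event.attackerUserId,event.deviceEventClassId,event.deviceProcessName
submessage[1].pattern[8].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,Integer,String


# --- AUDIT: administrative change log ------------------------------------
submessage[2].messageid=AUDIT
#Admin Name|Client Type|Login IP|Login Port|Transaction Type|Transaction ID|Command Name|Change Type|Object Type|Object Name|Variable|Old Value|New Value|Additional Data
#
# pattern[0] captures the command, change type and object type; pattern[1]
# is the fallback that keeps only the bracketed trailer as the message.
# Neither pattern captures Old Value / New Value, so a config-change
# investigation still needs the raw event (do.unparsed.events keeps it).
submessage[2].pattern.count=2
submessage[2].pattern[0].regex=(\\S+) (\\S+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) \\d{1,5} (\\S+) \\d+\\s+(\\w+) (\\S+) (\\S+) \\S+ \\S+ \\S+ \\[.*?\\]
submessage[2].pattern[0].fields=event.sourceUserName,event.deviceCustomString1,event.sourceAddress,event.name,event.message,event.deviceCustomString2,event.deviceCustomString3
submessage[2].pattern[0].types=String,String,IPAddress,String,String,String,String
submessage[2].pattern[1].regex=(\\S+) (\\S+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) \\d{1,5} (\\S+) \\d+\\s+\\w+ \\S+ \\S+ \\S+ \\S+ \\[(.*)\\]
submessage[2].pattern[1].fields=event.sourceUserName,event.deviceCustomString1,event.sourceAddress,event.name,event.message
submessage[2].pattern[1].types=String,String,IPAddress,String,String


# --- Fallback: no messageid, so any log type not matched above lands here
# with the whole remainder in event.message instead of being dropped.
submessage[3].pattern.count=1
submessage[3].pattern[0].regex=(.*)
submessage[3].pattern[0].fields=event.message
submessage[3].pattern[0].extramappings=event.name\=__stringConstant("Unparsed Event from Barracuda Web Application Firewall")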
