FlexConnector: McAfee WebWasher

over 9 years ago

Hi,

Our WebWashers send events via syslog whenever Web Reputation blocks or logs something or the AV scan detects a virus. So I wrote this connector for us. Maybe it's okay for you; otherwise feel free to modify it for your needs.

# Emit a raw event for any line the main regex does not match.
do.unparsed.events=true

# Main regex: the word after "mwg: " selects the submessage, the rest is its token.
regex=mwg: (\\S+) (.*)
# Alternative if the syslog header is still present on the line:
#regex=\\w+ \\d+ \\d+:\\d+:\\d+ \\S+ mwg: (\\S+) (.*)
#Jun 18 12:56:27 webwasher mwg:

token.count=2
token[0].name=SubmessageIdToken
token[0].type=String
token[1].name=SubmessageToken
token[1].type=String

event.deviceReceiptTime=_SYSLOG_TIMESTAMP
event.deviceHostName=_SYSLOG_SENDER
event.deviceVendor=__stringConstant("McAfee")
event.deviceProduct=__stringConstant("WebWasher")

submessage.messageid.token=SubmessageIdToken
submessage.token=SubmessageToken
submessage.count=3

# Web Reputation events. Shape expected by the regex:
# "Requested URL: <scheme>://<host>/... was <action> by Web Reputation Filter from Rule: <rule (...)> with Reputation: <reputation> at ..."
submessage[0].messageid=Requested
submessage[0].pattern.count=1
submessage[0].pattern[0].regex=URL: (\\w+)://([^(\\/| )]+).*?\\swas (\\S+) by Web Reputation Filter from Rule: (.*?\\)) with Reputation: (.*?)at.*
#URL: (\w+)://(.*?)([^(\/| )]+).*?\swas (\S+) by Web Reputation Filter from Rule: (.*?\)) with Reputation: (.*?)at .*
submessage[0].pattern[0].fields=event.deviceCustomString1,event.targetHostName,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3
submessage[0].pattern[0].extramappings=event.name\=__concatenate("Requested URL on ",$2," was ",$3)|event.deviceEventCategory\=__stringConstant("Reputation")
submessage[0].pattern[0].types=String,String,String,String,String

# AV detections. Shape expected by the regex:
# "Access to <scheme>://<host><path> was <action> due to its category.(<category>) Client-IP <ip> Virus name McAfeeGW: <virus>"
submessage[1].messageid=Access
submessage[1].pattern.count=1
submessage[1].pattern[0].regex=to (\\w+)://([^(\\/| )]+)(.*?\\s)was (\\w+) due to its category\\.\\(.*\\) Client-IP (\\d+\\.\\d+\\.\\d+\\.\\d+) Virus name McAfeeGW: (.*)
#to (\w+)://(.*?)(/\S+) was (\S+) .*?Client-IP (\d+\.\d+\.\d+\.\d+).*?: (.*)
submessage[1].pattern[0].fields=event.deviceCustomString1,event.targetHostName,event.message,event.deviceAction,event.attackerAddress,event.deviceCustomString2
submessage[1].pattern[0].extramappings=event.name\=__concatenate("McAfee GW found ",$6," on ",$2)|event.deviceEventCategory\=__stringConstant("Virus")
submessage[1].pattern[0].types=String,String,String,String,IPAddress,String

# Catch-all for every other message id (and for Requested/Access lines that do not
# match their pattern): keep the text in event.message and flag it as unparsed.
submessage[2].pattern.count=1
submessage[2].pattern[0].regex=(.*)
submessage[2].pattern[0].fields=event.message
submessage[2].pattern[0].extramappings=event.name\=__stringConstant("Unparsed Event from McAfee WebWasher")
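The two-stage parse this connector performs (the main regex picks the submessage id, then the matching submessage pattern extracts the fields and the extramappings build event.name and event.deviceEventCategory) re-implemented in Python, as an added example that is not part of the original post and not ArcSight code. It uses the posted regexes with the `+` quantifiers restored. The sample log lines are constructed to fit those regexes, not captured from a real WebWasher; `parse`, `parse_all`, `SUBMESSAGES` and the use of `re.search` for the first stage are this example's own choices.

```python
"""Offline re-implementation of the FlexConnector's two-stage parse so the
posted regexes can be exercised against sample lines. Added example, not the
connector's or ArcSight's code; the sample lines below are constructed."""
import re

# Stage 1 (the connector's main "regex="): the word after "mwg: " selects the
# submessage, the remainder is the submessage token. re.search is used here so
# the line may or may not still carry the syslog header the connector strips.
STAGE1 = re.compile(r"mwg: (\S+) (.*)")

# Stage 2: the submessage patterns from the connector. Each tuple holds the
# messageid (None for the catch-all), the regex, the field names in capture-group
# order, and a callable that builds the extramappings from the groups.
SUBMESSAGES = [
    ("Requested",
     re.compile(r"URL: (\w+)://([^(/| )]+).*?\swas (\S+) by Web Reputation Filter "
                r"from Rule: (.*?\)) with Reputation: (.*?)at.*"),
     ["deviceCustomString1", "targetHostName", "deviceAction",
      "deviceCustomString2", "deviceCustomString3"],
     lambda g: {"name": f"Requested URL on {g[1]} was {g[2]}",
                "deviceEventCategory": "Reputation"}),
    ("Access",
     re.compile(r"to (\w+)://([^(/| )]+)(.*?\s)was (\w+) due to its category\.\(.*\) "
                r"Client-IP (\d+\.\d+\.\d+\.\d+) Virus name McAfeeGW: (.*)"),
     ["deviceCustomString1", "targetHostName", "message", "deviceAction",
      "attackerAddress", "deviceCustomString2"],
     lambda g: {"name": f"McAfee GW found {g[5]} on {g[1]}",
                "deviceEventCategory": "Virus"}),
    (None, re.compile(r"(.*)"), ["message"],
     lambda g: {"name": "Unparsed Event from McAfee WebWasher"}),
]


def parse(line):
    """Build the event field dict the connector would produce for one syslog line.
    Returns None when the line carries no 'mwg:' message at all."""
    m = STAGE1.search(line)
    if not m:
        return None
    msg_id, token = m.group(1), m.group(2)
    event = {"deviceVendor": "McAfee", "deviceProduct": "WebWasher"}
    for wanted_id, regex, fields, extra in SUBMESSAGES:
        if wanted_id is not None and wanted_id != msg_id:
            continue
        # ArcSight pattern regexes must consume the whole token, hence fullmatch.
        # A Requested/Access line that does not fit its pattern falls through
        # to the catch-all, exactly as the connector does.
        sm = regex.fullmatch(token)
        if sm is None:
            continue
        groups = sm.groups()
        event.update(zip(fields, groups))
        event.update(extra(groups))
        return event
    return event  # not reached: the catch-all "(.*)" always matches


# Constructed sample lines shaped to the regexes above (not real WebWasher output).
SAMPLE_LINES = [
    "Jun 18 12:56:27 webwasher mwg: Requested URL: http://malware.example.test/dl/bad.exe "
    "was blocked by Web Reputation Filter from Rule: Block Malicious Sites (Web Reputation) "
    "with Reputation: Malicious at 12:56:27",
    "Jun 18 13:02:11 webwasher mwg: Access to http://files.example.test/eicar.com was blocked "
    "due to its category.(Malicious Downloads) Client-IP 10.1.2.3 "
    "Virus name McAfeeGW: EICAR test file",
    "Jun 18 13:05:00 webwasher mwg: Statistics cache hit ratio 93 percent",
]


def parse_all(lines=SAMPLE_LINES):
    """Parse every line; unparsed lines yield None like a non-matching main regex."""
    return [parse(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_all():
        print(ev)
```

Two things the run makes visible that are easy to miss when reading the properties file: the Requested pattern's `(.*?)at.*` stops at the first "at" after "Reputation: ", so deviceCustomString3 keeps a trailing space ("Malicious ") and would be truncated for any reputation value containing "at"; anchoring it as `(.*?) at ` avoids both. Likewise the Access pattern's `(.*?\s)` puts the path plus a trailing space into event.message. Neither is a parse failure, but both matter once you correlate on those fields.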
