FlexConnector: McAfee WebWasher

Document created by manuel.g on Aug 30, 2012. Last modified by manuel.g on Aug 30, 2012. Version 2.

Hi,

Our WebWashers send the events where the Web Reputation filter blocks or logs something, or where the AV scan detects a virus, via syslog. So I wrote this connector for us. Maybe it's okay for you; otherwise, feel free to modify it for yourself.
# Top-level parser. The syslog subagent strips the header ("Jun 18 12:56:27 webwasher "),
# so the regex starts at the "mwg:" tag. The first word after "mwg:" selects the
# submessage (SubmessageIdToken); the rest of the line (SubmessageToken) is parsed by it.
# Backslashes are doubled because this is a Java properties file.
do.unparsed.events=true
regex=mwg: (\\S+) (.*)
#regex=\\w+ \\d+ \\d+:\\d+:\\d+ \\S+ mwg: (\\S+) (.*)
#Jun 18 12:56:27 webwasher mwg:
token.count=2
token[0].name=SubmessageIdToken
token[0].type=String
token[1].name=SubmessageToken
token[1].type=String

# Fields set on every event, regardless of submessage.
event.deviceReceiptTime=_SYSLOG_TIMESTAMP
event.deviceHostName=_SYSLOG_SENDER
event.deviceVendor=__stringConstant("McAfee")
event.deviceProduct=__stringConstant("WebWasher")

# Submessage dispatch: SubmessageIdToken is compared with each messageid below.
submessage.messageid.token=SubmessageIdToken
submessage.token=SubmessageToken

submessage.count=3

# Web Reputation block/log:
#   Requested URL: <scheme>://<host>/<path> was <action> by Web Reputation Filter
#   from Rule: <rule name (...)> with Reputation: <reputation> at ...
# [^(\\/| )]+ is a character class, so the host ends at the first "/" or space.
# (.*?\\)) takes the rule name up to its first closing parenthesis.
# (.*?)at captures everything up to the first "at", trailing whitespace included.
submessage[0].messageid=Requested
submessage[0].pattern.count=1
submessage[0].pattern[0].regex=URL: (\\w+)://([^(\\/| )]+).*?\\swas (\\S+) by Web Reputation Filter from Rule: (.*?\\)) with Reputation: (.*?)at.*
#URL: (\w+)://(.*?)([^(\/| )]+).*?\swas (\S+) by Web Reputation Filter from Rule: (.*?\)) with Reputation: (.*?)at .*
submessage[0].pattern[0].fields=event.deviceCustomString1,event.targetHostName,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3
submessage[0].pattern[0].extramappings=event.name\=__concatenate("Requested URL on ",$2," was ",$3)|event.deviceEventCategory\=__stringConstant("Reputation")
submessage[0].pattern[0].types=String,String,String,String,String

# AV detection:
#   Access to <scheme>://<host><path> was <action> due to its category.(<category>)
#   Client-IP <ip> Virus name McAfeeGW: <virus name>
# The category in parentheses is matched but not captured. The Client-IP is the
# requesting client and is mapped to attackerAddress; the path goes to message.
submessage[1].messageid=Access
submessage[1].pattern.count=1
submessage[1].pattern[0].regex=to (\\w+)://([^(\\/| )]+)(.*?\\s)was (\\w+) due to its category\\.\\(.*\\) Client-IP (\\d+\\.\\d+\\.\\d+\\.\\d+) Virus name McAfeeGW: (.*)
#to (\w+)://(.*?)(/\S+) was (\S+) .*?Client-IP (\d+\.\d+\.\d+\.\d+).*?: (.*)
submessage[1].pattern[0].fields=event.deviceCustomString1,event.targetHostName,event.message,event.deviceAction,event.attackerAddress,event.deviceCustomString2
submessage[1].pattern[0].extramappings=event.name\=__concatenate("McAfee GW found ",$6," on ",$2)|event.deviceEventCategory\=__stringConstant("Virus")
submessage[1].pattern[0].types=String,String,String,String,IPAddress,String

# Default submessage (no messageid): every other mwg line lands here. Only the
# SubmessageToken reaches this pattern, so the leading word after "mwg:" is not
# part of event.message.
submessage[2].pattern.count=1
submessage[2].pattern[0].regex=(.*)
submessage[2].pattern[0].fields=event.message
submessage[2].pattern[0].extramappings=event.name\=__stringConstant("Unparsed Event from McAfee WebWasher")


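To check the regexes before loading the properties file into a connector, the following Python harness re-implements the two-level parse the file describes (top-level regex, SubmessageIdToken dispatch, per-submessage pattern, extramappings). It is an added example, not part of the original post and not ArcSight code. The syslog lines it parses are constructed to fit the regexes above, not captured from a real appliance; emulating the syslog header strip with a `search` for the "mwg:" tag, and falling through to the catch-all when a known messageid fails its pattern, are this harness's assumptions rather than documented connector behaviour.

```python
"""Offline harness for the WebWasher FlexConnector regexes.

Added example (not from the original post or ArcSight). Re-implements the
two-level parse of the properties file so the regexes can be exercised
against sample lines before the connector is deployed.
"""
import ipaddress
import re

# Top-level regex from the properties file, with the properties-file
# backslash doubling undone (Python wants single backslashes).
# Assumption: a search for the "mwg:" tag stands in for the syslog
# subagent stripping the header.
TOP_LEVEL = re.compile(r"mwg: (\S+) (.*)")

# messageid -> (pattern, fields, types, extramappings builder).
# The builders use the connector's $n convention: $2 is groups[1].
SUBMESSAGES = {
    "Requested": (
        re.compile(r"URL: (\w+)://([^(\/| )]+).*?\swas (\S+) by Web Reputation Filter"
                   r" from Rule: (.*?\)) with Reputation: (.*?)at.*"),
        ["deviceCustomString1", "targetHostName", "deviceAction",
         "deviceCustomString2", "deviceCustomString3"],
        ["String"] * 5,
        lambda g: {"name": "Requested URL on " + g[1] + " was " + g[2],
                   "deviceEventCategory": "Reputation"},
    ),
    "Access": (
        re.compile(r"to (\w+)://([^(\/| )]+)(.*?\s)was (\w+) due to its category\.\(.*\)"
                   r" Client-IP (\d+\.\d+\.\d+\.\d+) Virus name McAfeeGW: (.*)"),
        ["deviceCustomString1", "targetHostName", "message", "deviceAction",
         "attackerAddress", "deviceCustomString2"],
        ["String", "String", "String", "String", "IPAddress", "String"],
        lambda g: {"name": "McAfee GW found " + g[5] + " on " + g[1],
                   "deviceEventCategory": "Virus"},
    ),
}


def convert(value, ftype):
    """Mimic token typing: an IPAddress field must parse, a String passes through."""
    if ftype == "IPAddress":
        return str(ipaddress.ip_address(value))  # raises ValueError on junk
    return value


def parse(line):
    """Map one syslog line to an event dict, or return None if it is not an mwg line."""
    m = TOP_LEVEL.search(line)
    if m is None:
        return None
    msg_id, sub = m.group(1), m.group(2)
    event = {"deviceVendor": "McAfee", "deviceProduct": "WebWasher"}
    entry = SUBMESSAGES.get(msg_id)
    if entry is not None:
        pattern, fields, types, extra = entry
        pm = pattern.fullmatch(sub)  # the connector patterns end in .* and cover the whole token
        if pm is not None:
            groups = pm.groups()
            for name, ftype, value in zip(fields, types, groups):
                event[name] = convert(value, ftype)
            event.update(extra(groups))
            return event
    # Catch-all (submessage[2]): only the SubmessageToken reaches the default
    # pattern, so msg_id is not part of event.message. Assumption: a known
    # messageid whose pattern fails also lands here.
    event["message"] = sub
    event["name"] = "Unparsed Event from McAfee WebWasher"
    return event


# Constructed sample lines shaped to the regexes (not real appliance output).
SAMPLE_LINES = [
    "Jun 18 12:56:27 webwasher mwg: Requested URL: http://bad.example.test/dl/evil.exe"
    " was blocked by Web Reputation Filter from Rule: Block Malicious Sites (Default)"
    " with Reputation: Malicious at 2012-06-18 12:56:27",
    "Jun 18 12:57:01 webwasher mwg: Access to http://files.example.test/tools/setup.exe"
    " was blocked due to its category.(Malicious Downloads) Client-IP 10.1.2.3"
    " Virus name McAfeeGW: EICAR test file",
    "Jun 18 12:58:10 webwasher mwg: Licence check completed successfully",
    "Jun 18 12:58:11 webwasher sshd[1234]: Accepted publickey for admin from 10.1.2.9",
]


def parse_all(lines=SAMPLE_LINES):
    """Parse every sample line; used by the stand-alone run below."""
    return [parse(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_all():
        print(ev)
```

Running it shows two things the properties file alone does not: deviceCustomString3 keeps the trailing space before "at" (the `(.*?)at` capture stops at the first "at"), and the "Licence" line reaches event.message without its leading word. Both are worth knowing before you build content on those fields.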