FlexConnector: Barracuda Web Application Firewall (WAF)


Hi,

 

We receive the Barracuda WAF logs (Access, Firewall and Audit) via syslog, so I wrote this FlexConnector to parse them.

Latest Update: 2012/09/11

 

 

#Barracuda Web Application Firewall
#Syslog-Format: Default
# ArcSight FlexConnector (syslog sub-agent) for Barracuda WAF Access ("TR"),
# Firewall ("WF") and Audit ("AUDIT") messages. This top-level regex only
# peels off the log-type token; the per-type column layouts are handled by
# the submessage blocks further down.
# Keep lines that match none of the patterns: they still become an event (see
# the catch-all submessage at the end) instead of being dropped silently,
# which matters for a security log source.
do.unparsed.events=true
# Layout: timestamp "yyyy-MM-dd HH:mm:ss.SSS +zzzz", two spaces, one
# non-space token (not captured; presumably the unit/host name — confirm with a
# sample line), then the log-type token and the remainder of the line.
# The in-message timestamp is matched but deliberately not captured; the
# event time comes from the syslog header below.
regex=\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}.\\d{3} \\+\\d{4}  \\S+ (\\w+) (.*)
token.count=2
# Log type (TR / WF / AUDIT); selects the submessage that parses the rest.
token[0].name=SubmessageIdToken
token[0].type=String
# Everything after the log-type token, handed to the selected submessage.
token[1].name=SubmessageToken
token[1].type=String
 
# Receipt time and device host are taken from the syslog header, not from the
# message body.
event.deviceReceiptTime=_SYSLOG_TIMESTAMP
event.deviceHostName=_SYSLOG_SENDER
event.deviceVendor=__stringConstant("Barracuda")
event.deviceProduct=__stringConstant("Web Application Firewall")
# The log-type token doubles as the event category (TR / WF / AUDIT).
event.deviceEventCategory=SubmessageIdToken
 
# deviceSeverity is only populated by the WF (firewall) patterns below; TR and
# AUDIT events never set it and therefore always map to "unknown".
#severity.map.veryhigh.if.deviceSeverity=
severity.map.high.if.deviceSeverity=ALER
severity.map.medium.if.deviceSeverity=WARN
severity.map.low.if.deviceSeverity=INFO
# NOTE(review): only ALER/WARN/INFO are mapped. Any other severity token the
# WAF emits falls through to the wildcard below and is reported as "unknown",
# so a firewall event more severe than ALER would be under-prioritized in
# ArcSight. Confirm the full set of severity tokens your firmware emits (the
# 4-letter scheme suggests more levels exist — verify against real log output)
# and map the higher ones, e.g. via the commented-out veryhigh line above.
severity.map.unknown.if.deviceSeverity=*
 
# The log-type token chooses the submessage; the remainder is what its
# patterns are matched against.
submessage.messageid.token=SubmessageIdToken
submessage.token=SubmessageToken
 
# Three typed submessages (TR, WF, AUDIT) plus a catch-all as the last entry.
submessage.count=4
 
# Access log ("TR"). No column-order reference is given for this log type on
# this page; the positions below are the author's and should be confirmed
# against a sample Access line from the appliance.
submessage[0].messageid=TR
submessage[0].pattern.count=1
# Captures, in order: first IP/port pair -> target, second IP/port pair ->
# attacker, then method, protocol, host, one numeric column -> CN1 (its
# position suggests the HTTP status — assumption, confirm), a third IP/port
# pair -> destinationAddress/Port (presumably the back-end server — confirm),
# and two more tokens -> CS3 and CS5. All other columns are consumed by the
# unnamed \S+/\d+ groups and the trailing .* and are discarded.
# NOTE(review): this block maps the FIRST address as the target and the SECOND
# as the attacker, the opposite order of the WF block (client first). If the
# Access log actually lists the client before the service, attacker and target
# are swapped here — verify with a sample line.
# NOTE(review): the host and the token captured into CS5 are request-derived
# and therefore attacker-controlled; treat them as untrusted in rules/reports.
submessage[0].pattern[0].regex=(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) \\S+ \\S+ (\\w+) (\\w+) (\\S+) \\S+ (\\d+) \\d+ \\d+ \\d+ \\d+ (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) \\d+ \\S+ \\w+ \\w+ \\w+ (\\w+) (\\S+) \\S+ \\S+ .*
submessage[0].pattern[0].fields=event.targetAddress,event.targetPort,event.attackerAddress,event.attackerPort,event.requestMethod,event.applicationProtocol,event.targetHostName,event.deviceCustomNumber1,event.destinationAddress,event.destinationPort,event.deviceCustomString3,event.deviceCustomString5
submessage[0].pattern[0].types=IPAddress,Integer,IPAddress,Integer,String,String,String,Integer,IPAddress,Integer,String,String
# event.name = "<method> <protocol> <host>" ($5 $6 $7); CS4 duplicates the host.
submessage[0].pattern[0].extramappings=event.name\=__concatenate($5," ",$6," ",$7)|event.deviceCustomString4\=$7

 submessage[1].messageid=WF
#Severity Level|Attack Description|Client IP|Client Port|Application IP|Application Port|Rule ID|Rule Type|Action Taken|Follow-up Action|Attack Details|Method|URL|Protocol|Session ID|User Agent|Proxy IP|Authenticated User|Referrer|Attack ID|Attack Group
# Firewall log ("WF"): one event per request the WAF acted on. Column order
# per the header line above; the regex additionally consumes a port token after
# Proxy IP (the header does not list it).
# Mapping: Severity -> deviceSeverity, Attack Description -> name, Client ->
# attacker, Application -> target, Rule ID -> message, Rule Type -> CS1,
# Action Taken -> deviceAction, Follow-up Action -> CS2, Attack Details -> CS3,
# Method -> requestMethod, URL -> CS4/CS5/CS6 (see below), Protocol ->
# applicationProtocol, User Agent -> attackerProcessName, Authenticated User ->
# attackerUserId. Session ID, Proxy IP/port and Referrer are matched but
# discarded.
# Nine patterns = 3 URL shapes x 3 tail lengths:
#   URL shape: "path/ + file + ?query" (CS4, CS5, CS6) / "path/ + file"
#   (CS4, CS5) / whole URL (CS4).
#   Tail: no trailing columns (0-2) / one extra unmapped column (3-5) /
#   Attack ID -> deviceEventClassId and Attack Group -> deviceProcessName (6-8).
# Patterns are listed shortest-tail first; a line with Attack ID/Group only
# reaches 6-8 if 0-5 fail to match (assuming first-match-wins evaluation —
# confirm for your connector version).
# NOTE(review): Attack Details, URL, User Agent and Referrer are request-derived
# and therefore attacker-controlled. The greedy (.*) captures for Attack
# Details "[...]" and for the quoted User Agent, plus the loose "{1,4}..."{0,3}
# quoting, mean a crafted value containing "]", quote characters or IP/port-
# shaped tokens can shift which columns land in which fields, or make a more
# specific pattern fail so a less specific one matches. Treat CS3-CS6 and
# attackerProcessName as untrusted, and do not rely on attackerUserId or
# deviceEventClassId for decisions unless the line matched a stricter pattern.
# NOTE(review): several unbounded greedy groups tried across nine patterns
# against attacker-sized payloads may become CPU-heavy under attack traffic;
# if the connector falls behind, tighten the classes (e.g. [^\]]* / [^"]*).
# NOTE(review): deviceEventClassId is typed Integer in patterns 6-8; a
# non-numeric Attack ID would make those patterns fail — verify the format.
# Consider requestClientApplication for the User Agent and requestUrl for the
# URL; those are the schema fields ArcSight content normally expects.
submessage[1].pattern.count=9
submessage[1].pattern[0].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+?)(\\?\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+
submessage[1].pattern[0].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.deviceCustomString6,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[0].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String,String
submessage[1].pattern[1].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+
submessage[1].pattern[1].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[1].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String
submessage[1].pattern[2].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+
submessage[1].pattern[2].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[2].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String
# Patterns 3-5: same as 0-2 plus one trailing column that is matched but not
# mapped.
submessage[1].pattern[3].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+?)(\\?\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ \\S+
submessage[1].pattern[3].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.deviceCustomString6,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[3].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String,String
submessage[1].pattern[4].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ \\S+
submessage[1].pattern[4].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[4].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String
submessage[1].pattern[5].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ \\S+
submessage[1].pattern[5].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.applicationProtocol,event.attackerProcessName,event.attackerUserId
submessage[1].pattern[5].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String
# Patterns 6-8: same as 0-2 plus Attack ID -> deviceEventClassId (Integer) and
# Attack Group -> deviceProcessName.
submessage[1].pattern[6].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+?)(\\?\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ (\\S+) (\\S+)
submessage[1].pattern[6].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.deviceCustomString6,event.applicationProtocol,event.attackerProcessName,event.attackerUserId,event.deviceEventClassId,event.deviceProcessName
submessage[1].pattern[6].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String,String,Integer,String
submessage[1].pattern[7].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+?/)(\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ (\\S+) (\\S+)
submessage[1].pattern[7].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.deviceCustomString5,event.applicationProtocol,event.attackerProcessName,event.attackerUserId,event.deviceEventClassId,event.deviceProcessName
submessage[1].pattern[7].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,String,Integer,String
submessage[1].pattern[8].regex=(\\w+) (\\w+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) (\\d{1,5}) (\\S+) (\\w+) (\\w+) (\\w+) \\[(.*)\\] (\\w+) (\\S+) (\\w+) \\S+ "{1,4}(.*)?""{0,3} \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} \\d{1,5} (\\S+) \\S+ (\\S+) (\\S+)
submessage[1].pattern[8].fields=event.deviceSeverity,event.name,event.attackerAddress,event.attackerPort,event.targetAddress,event.targetPort,event.message,event.deviceCustomString1,event.deviceAction,event.deviceCustomString2,event.deviceCustomString3,event.requestMethod,event.deviceCustomString4,event.applicationProtocol,event.attackerProcessName,event.attackerUserId,event.deviceEventClassId,event.deviceProcessName
submessage[1].pattern[8].types=String,String,IPAddress,Integer,IPAddress,Integer,String,String,String,String,String,String,String,String,String,String,Integer,String

 submessage[2].messageid=AUDIT
#Admin Name|Client Type|Login IP|Login Port|Transaction Type|Transaction ID|Command Name|Change Type|Object Type|Object Name|Variable|Old Value|New Value|Additional Data
# Audit log ("AUDIT"): administrative actions and configuration changes on the
# appliance — the log type to build config-change and admin-login detection on.
# pattern[0] maps Admin Name -> sourceUserName, Client Type -> CS1, Login IP ->
# sourceAddress, Transaction Type -> name, Command Name -> message, Change Type
# -> CS2, Object Type -> CS3. Login Port and Transaction ID are matched but
# discarded; three further columns and the bracketed trailer are consumed by
# unnamed groups.
# NOTE(review): the regex has one column fewer than the header lists after
# Object Type (three \S+ plus one [...] versus Object Name|Variable|Old Value|
# New Value|Additional Data), so the alignment of those columns is unverified;
# check it against a sample line. For change-detection use cases the old/new
# values are the evidence you want — consider capturing them (e.g. CS4/CS5)
# once the alignment is confirmed. sourcePort is also available for Login Port.
submessage[2].pattern.count=2
submessage[2].pattern[0].regex=(\\S+) (\\S+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) \\d{1,5} (\\S+) \\d+\\s+(\\w+) (\\S+) (\\S+) \\S+ \\S+ \\S+ \\[.*?\\]
submessage[2].pattern[0].fields=event.sourceUserName,event.deviceCustomString1,event.sourceAddress,event.name,event.message,event.deviceCustomString2,event.deviceCustomString3
submessage[2].pattern[0].types=String,String,IPAddress,String,String,String,String
# pattern[1]: same column structure, but puts the bracketed trailer into
# message instead of Command Name and drops Change Type / Object Type.
# NOTE(review): this pattern differs from pattern[0] only in which groups are
# captured — every line it accepts is also accepted by pattern[0]. If patterns
# are tried in order with the first match winning, pattern[1] is never
# selected; verify, and either drop it or make pattern[0] more specific.
submessage[2].pattern[1].regex=(\\S+) (\\S+) (\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) \\d{1,5} (\\S+) \\d+\\s+\\w+ \\S+ \\S+ \\S+ \\S+ \\[(.*)\\]
submessage[2].pattern[1].fields=event.sourceUserName,event.deviceCustomString1,event.sourceAddress,event.name,event.message
submessage[2].pattern[1].types=String,String,IPAddress,String,String

 submessage[3].pattern.count=1
# Catch-all (no messageid): the whole remainder of any line not handled above
# lands in event.message with a fixed, searchable event name.
# NOTE(review): event.message here holds raw, possibly attacker-controlled
# text; treat it as untrusted. It is worth a content rule on the event name
# below — a sudden rise in unparsed events typically means the log format
# changed (e.g. after a firmware upgrade) or that crafted requests are
# defeating the WF patterns, and in both cases detections on the mapped
# fields silently stop working.
submessage[3].pattern[0].regex=(.*)
submessage[3].pattern[0].fields=event.message
submessage[3].pattern[0].extramappings=event.name\=__stringConstant("Unparsed Event from Barracuda Web Application Firewall")
