# Copyright (c) 2010 Flowerfire, Inc.  All Rights Reserved.
barracuda_spyware_firewall = {

  plugin_version = "1.1.3"

  info.1.manufacturer = "Barracuda"
  info.1.device = "Spyware Filter"
  info.1.version = ""

  # 2006-04-30 - 1.0 - GMF - Initial implementation.
  # 2007-09-03 - 1.0.1 - GMF - Added support for longer format lines with domain, category, and username.
  # 2008-04-28 - 1.1 - KBB - Increased autodetect lines, removed ^ so that httpscan doesn't have
  # to be at the beginning of a line. Added action field and recognize sniff as well as httpscan, since
  # the formats are the same, and added Web Filter to name since Barracuda changed the name.
  # 2008-11-06 - 1.1.1 - MSG - added support for optional underbar in http_scan
  # 2009-04-23 - 1.1.2 - GMF - Added support for tracking of ACTION TYPE field.
  # 2009-12-21 - 1.1.3 - KBB - Added support for [A-Z]+ instead of a hex number after the url. This
  # field is ignored because it is always the same in the sample we have (BYF).
  # 2010-10-01 - 1.1.4 - MSG - Edited info lines


  # The name of the log format
  log.format.format_label = "Barracuda Spyware Firewall / Web Filter Log Format"
  log.miscellaneous.log_data_type = "syslog_required"  
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  #<164>httpscan[4724]: 1206346527 1 188.188.188.188 66.66.66.66 text/html 122.122.122.122 http://www.google.com.my/ 498 3767734cc16059e52447ee498d31f822 ALLOWED CLEAN  2 1 0 5 3 (-) 1 search-engines-portals 0 - 0 google.com.my search-engines-portals ANON  
  #2009-11-02 07:47:28	Local4.Warning	10.10.66.66	http_scan[22116]: 1257166048 1 10.10.66.65 96.166.86.36 image/jpeg 10.10.70.181 http://xyz.abc.com/a/animals/geese_a_laying.jpg 15588 BYF ALLOWED CLEAN  2 0 0 0 0 (-) 0 - 0 - 0 abc.com search-engines-portals [ldap0:latka_g]
  log.format.autodetect_regular_expression = "(sniff|http_?scan)\\[[0-9]+\\]: [0-9]+ [0-9]+ [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+ "
  log.format.autodetect_lines = 20000

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {

#    daemon = ""
#    pid = ""
    action = ""
    action_type = ""
    timestamp = ""
    source_ip.type = "host"
    destination_ip = ""
    mime_type = ""
    url.type = "page"
    bytes = ""
    result = ""

    domain = ""
    category = ""
    username = ""

    details = ""

    events = ""
    
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters.parse = `
#2009-11-02 07:47:28	Local4.Warning	10.10.66.66	http_scan[22116]: 1257166048 1 10.10.66.65 96.166.86.36 image/jpeg 10.10.70.181 http://xyz.abc.com/a/animals/geese_a_laying.jpg 15588 BYF ALLOWED CLEAN  2 0 0 0 0 (-) 0 - 0 - 0 abc.com search-engines-portals [ldap0:latka_g]
if (matches_regular_expression(v.syslog_message, '(sniff|http_?scan)\\\\[[0-9]+\\\\]: ([0-9]+) [0-9]+ ([0-9.]+) ([0-9.]+) ([^ ]+) [0-9.]+ ([^ ]+) ([0-9]+) ([0-9a-f]+|[A-Z]+) (.*)$')) then (

  set_collected_field('', 'action', $1);
  set_collected_field('', 'date', normalize_date($2, 'seconds_since_jan1_1970'));
  set_collected_field('', 'time', normalize_time($2, 'seconds_since_jan1_1970'));
  set_collected_field('', 'source_ip', $3);
  set_collected_field('', 'destination_ip', $4);
  set_collected_field('', 'mime_type', $5);
  set_collected_field('', 'url', $6);
  set_collected_field('', 'bytes', $7);
  v.message = $9;

  # e.g. ALLOW CLEAN
  if (matches_regular_expression(v.message, '^([A-Z]+ [A-Z]+)$')) then (
    set_collected_field('', 'result', $1);
  );

  # e.g. ALLOWED CLEAN  2 0 0 0 0 - 0 - 0 - 0 mydomain.com computing-technology ldap0:BOB
  if (matches_regular_expression(v.message, '^([A-Z]+ [A-Z]+)  [0-9]+ [0-9]+ [0-9]+ ([0-9]+) [0-9]+ [^ ]+ [0-9]+ [^ ]+ [0-9]+ [^ ]+ [0-9]+ ([^ ]+) ([^ ]+) ([^ ]+)')) then (
    set_collected_field('', 'result', $1);
    set_collected_field('', 'action_type', $2);
    set_collected_field('', 'domain', $3);
    set_collected_field('', 'category', $4);
    set_collected_field('', 'username', $5);
  );

  # e.g. BLOCKED URL [Content filter blocking category "advertisement-pop-ups":pagead2.googlesyndication.com]
  else if (matches_regular_expression(v.message, '^([A-Z]+ [A-Z]+) \\\\[([^]]*)\\\\]$')) then (
    set_collected_field('', 'result', $1);
    set_collected_field('', 'details', $2);
  );

  set_collected_field('', 'events', 1);
  accept_collected_entry('', false);

);
`

  # Database fields
  database.fields = {

    action = ""
    action_type = ""
    source_ip = ""
    location = ""
    destination_ip = ""
    mime_type = ""
    url = ""
    file_type = ""
    result = ""
    domain = ""
    category = ""
    username = ""
    details = ""

  } # database.fields

  database.numerical_fields = {

    events = {
      default = true
    }

    bytes = {
      default = true
      type = "float"
      display_format_type = "bandwidth"
    }

  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
    } # report_groups

  } # create_profile_wizard_options

} # barracuda_spyware_firewall