barracuda_waf = {

  plugin_version = "1.0.1"

  info.1.manfacturer = "Barracuda"
  info.1.device = "Web Application Firewall"
  info.1.version = "7.4.0.022"

  # 2010-07-30 - 1.0.0 - Benson - Initial implementation.
  # 2010-08-19 - 1.0.1 - Benson - Supports obj_name field.
  # 2010-10-10 - 1.0.2 - MSG - Edited info lines

  # The name of the log format
  log.format.format_label = "Barracuda WAF Log Format"
  log.miscellaneous.log_data_type = "syslog_required"  
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  #2010-07-29	12:08:20	Local5.Alert	192.168.172.201	2010-07-29 12:08:26.674 +0800  Barracuda WF ALER CROSS_SITE_SCRIPTING_IN_PARAM 192.168.172.121 2129 192.168.172.202 80 security-policy GLOBAL DENY NONE [type="cross-site-scripting" pattern="script-tag" token="<script>" Parameter="123" value="<script>alert(document.cookie)</script>"] GET www.foobar.com.tw/123.asp?123=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 (.NET CLR 3.5.30729)" 192.168.172.121 2129 "-" "-" 
  log.format.autodetect_regular_expression = "  [^ ]+ WF "
  log.format.autodetect_lines = 2000

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {

#    time_stamp = ""
    obj_name = ""
    log_type = ""
#    severity_level = ""
    attack_description = ""
    client_ip.type = "host"
    client_port = ""
    application_ip = ""
    application_port = ""
    rule_id = ""
    rule_type = ""
    action_taken = ""
    follow_up = ""
    attack_details = ""
    method = ""
    url = ""
    protocol = ""
    session_id = ""
    user_agent = ""
    proxy_ip = ""
    proxy_port = ""
    authenticated_user = ""
    referer = ""

    events = ""
    
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters.parse = `

#2010-07-29 12:08:26.845 +0800  Barracuda WF ALER CROSS_SITE_SCRIPTING_IN_PARAM 192.168.172.121 2130 192.168.172.202 80 security-policy GLOBAL DENY NONE [type="cross-site-scripting" pattern="script-tag" token="<script>" Parameter="123" value="<script>alert(document.cookie)</script>"] GET www.foobar.com.tw/123.asp?123=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 (.NET CLR 3.5.30729)" 192.168.172.121 2130 "-" "-" 
if (matches_regular_expression(v.syslog_message, '([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([0-9.]+) ([0-9]+) ([0-9.]+) ([0-9]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) \\\\[([^]]+)\\\\] ([^ ]+) ([^ ]+) ([^ ]+) "([^"]+)" "([^"]+)" ([0-9.]+) ([0-9]+) "([^"]+)" "([^"]+)"')) then (
  set_collected_field('', 'obj_name', $1);
  set_collected_field('', 'log_type', $2);
#  set_collected_field('', 'severity_level', $3);
  set_collected_field('', 'attack_description', $4);
  set_collected_field('', 'client_ip', $5);
  set_collected_field('', 'client_port', $6);
  set_collected_field('', 'application_ip', $7);
  set_collected_field('', 'application_port', $8);
  set_collected_field('', 'rule_id', $9);
  set_collected_field('', 'rule_type', $10);
  set_collected_field('', 'action_taken', $11);
  set_collected_field('', 'follow_up', $12);
  set_collected_field('', 'attack_details', $13);
  set_collected_field('', 'method', $14);
  set_collected_field('', 'url', $15);
  set_collected_field('', 'protocol', $16);
  set_collected_field('', 'session_id', $17);
  set_collected_field('', 'user_agent', $18);
  set_collected_field('', 'proxy_ip', $19);
  set_collected_field('', 'proxy_port', $20);
  set_collected_field('', 'authenticated_user', $21);
  set_collected_field('', 'referer', $22);

  set_collected_field('', 'events', 1);
  accept_collected_entry('', false);

);
`

  # Database fields
  database.fields = {

#    time_stamp = ""
    obj_name = ""
    log_type = ""
#    severity_level = ""
    attack_description = ""
    client_ip = ""
    client_port = ""
    location = ""
    application_ip = ""
    application_port = ""
    rule_id = ""
    rule_type = ""
    action_taken = ""
    follow_up = ""
    attack_details = ""
    method = ""
    url = ""
    protocol = ""
    session_id = ""
    user_agent = ""
    proxy_ip = ""
    proxy_port = ""
    authenticated_user = ""
    referer = ""

  } # database.fields

  database.numerical_fields = {

    events = {
      default = true
    }

  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
    } # report_groups

  } # create_profile_wizard_options

    date_time_group = ""

    report_groups = {
      obj_name = ""
      log_type = ""
#      severity_level = ""
      attack_description = ""
      client_ip = ""
      client_port = ""
      location = ""
      application_ip = ""
      application_port = ""
      rule_id = ""
      rule_type = ""
      action_taken = ""
      follow_up = ""
      attack_details = ""
      method = ""
      url = ""
      protocol = ""
      session_id = ""
      user_agent = ""
      proxy_ip = ""
      proxy_port = ""
      authenticated_user = ""
      referer = ""

    } # report_groups

} # barracuda_waf