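# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Radware DefensePro syslog output.
#
# This is Sawmill's own configuration language, not TOML: nested
# `name = { ... }` groups, `#` comments, dotted keys, and a backtick-quoted
# parsing filter written in Sawmill's expression language.

defensepro = {

  plugin_version = "1.4"

  # NOTE(review): the key is spelled "manfacturer" in the shipped plugin.
  # Whether Sawmill's plugin schema expects "manufacturer" cannot be
  # confirmed from this file alone, so it is left unchanged — verify
  # against the schema before renaming.
  info.1.manfacturer = "Radware"
  info.1.device = "DefensePro"
  info.1.version.1 = ""

  # 2008-06-16 - 1.0 - GMF - Initial implementation
  # 2008-06-20 - 1.1 - GMF - Enhanced for new fields
  # 2008-07-01 - 1.2 - GMF - Fixed bug--dates are in dd-mm-yyyy format, but were being handled as "auto"
  # 2009-01-14 - 1.3 - Filla - Enhanced log format for "source_ip:source_port" and "destination_ip:destination_port"
  # 2010-06-03 - 1.4 - Benson - Fixed expression for last three digits, tested on RadWare DP-1020 / ApSolute OS:10.22-02.05:2.03.15

  # The name of the log format
  log.format.format_label = "Radware DefensePro Log Format"

  # Entries arrive wrapped in syslog; the parsing filter below matches against
  # v.syslog_message, i.e. the payload after the syslog header.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this
  # regular expression.
  #
  # Caveat: this is an unanchored substring test. Any syslog feed whose first
  # ten lines merely mention "DefensePro" (for instance a mixed stream from a
  # relay) will be claimed by this plugin; lines that then match neither parse
  # expression below never reach accept_collected_entry and so yield no entry.
  log.format.autodetect_regular_expression = "DefensePro"

  # Log fields — one per capture group in the parsing filter, plus the
  # synthetic `events` counter that the filter sets to 1 for every entry.
  log.fields = {
    severity = ""
    radware_id = ""
    category = ""
    event_name = ""
    protocol = ""
    # Typed as "host" so Sawmill treats the value as an address rather than
    # free text; presumably this is what feeds the `location` database field
    # declared further down — confirm against the Sawmill field docs.
    source_ip.type = "host"
    source_port = ""
    destination_ip = ""
    destination_port = ""
    physical_port = ""
    context = ""
    policy_name = ""
    event_type = ""
    packet_count = ""
    packet_bandwidth = ""
    vlan_tag = ""
    rpls_rd = ""
    rpls_tag = ""
    events = ""
  } # log.fields

  # Parsing filter. Two line shapes are recognised, newest first:
  #   1. "ip:port ip:port" form (2008+ firmware, samples 2 and 3 below)
  #   2. "ip port ip port" form (2007 firmware, sample 1 below)
  # Both branches fill the same collected fields; the only differences are
  # the address/port separator and the number of trailing tokens.
  log.parsing_filters.parse = `
# Sample lines, one per format generation this plugin has been run against:
# 2007-03-10 07:15:34 Local6.Warning 192.168.1.3 DefensePro: 10-03-2007 07:17:34 WARNING 16 Anomalies "L4 port zero" UDP 12.34.56.78 0 98.76.54.32 2067 13 Regular "Packet Anomalies" occur 1 1 361 N/A medium forward
# Dec 30 11:04:50 192.168.100.254 DefensePro: 30-12-2008 10:51:50 WARNING 72 Access "Access List" TCP 210.241.89.102:13644 211.79.150.179:2685 1 Regular "Drop-Foxy" occur 1 0 0 info drop
# 2010-06-02 13:00:15 local3.warning 192.168.1.3 Jun 2 13:00:15 192.168.1.3 DefensePro: 02-06-2010 13:04:24 WARNING 1006 Anomalies "Anomaly-UDP-dest-port-0" UDP 172.17.1.1:3024 12.34.56.78:0 14 Regular "anom_1" occur 1 0 0 low drop
#
# Notes for whoever builds detections or reports on top of this:
#  - `date`/`time` come from the DefensePro's own clock (the dd-mm-yyyy and
#    hh:mm:ss tokens right after "DefensePro:"), re-assembled as yyyy-mm-dd,
#    not from the syslog receive time. In the third sample the two differ by
#    about four minutes, so keep the appliance NTP-synced before correlating
#    these entries with other sources.
#  - The day group is now ([0-9]+); the shipped plugin used ([0-9-]+), which
#    only produced the right day because the regex engine backtracked across
#    the embedded dashes. Well-formed lines match identically either way.
#  - The free-text groups ([^ ]+ / [^"]+) are stored as-is. Nothing here
#    validates or escapes device-supplied strings such as event_name or
#    policy_name; whatever renders them downstream must do that.
#  - The two branches do not agree on the tail of the line. In the "ip:port"
#    form the last two tokens (e.g. "low drop") land in rpls_rd / rpls_tag. In
#    the older "ip port" form those slots receive "N/A medium", and the final
#    token ("forward") is captured as $23 but never stored. rpls_rd/rpls_tag
#    therefore do not mean the same thing across formats, and the
#    drop/forward verdict is lost for the older one. The authoritative field
#    order could not be confirmed from this file, so the mapping is left as
#    shipped — TODO confirm against the DefensePro syslog field reference
#    before relying on rpls_* in reports.
if (matches_regular_expression(v.syslog_message, 'DefensePro: ([0-9]+)-([0-9]+)-([0-9]+) ([0-9:]+) ([^ ]+) ([0-9]+) ([^ ]+) "([^"]+)" ([^ ]+) ([0-9.]+):([0-9]+) ([0-9.]+):([0-9]+) ([0-9]+) ([^ ]+) "([^"]+)" ([^ ]+) ([0-9]+) ([0-9]+) ([0-9]+) ([^ ]+) ([^ ]+)')) then (
  # dd-mm-yyyy on the wire -> yyyy-mm-dd for Sawmill
  set_collected_field('', 'date', $3 . '-' . $2 . '-' . $1);
  set_collected_field('', 'time', $4);
  set_collected_field('', 'severity', $5);
  set_collected_field('', 'radware_id', $6);
  set_collected_field('', 'category', $7);
  set_collected_field('', 'event_name', $8);
  set_collected_field('', 'protocol', $9);
  set_collected_field('', 'source_ip', $10);
  set_collected_field('', 'source_port', $11);
  set_collected_field('', 'destination_ip', $12);
  set_collected_field('', 'destination_port', $13);
  set_collected_field('', 'physical_port', $14);
  set_collected_field('', 'context', $15);
  set_collected_field('', 'policy_name', $16);
  set_collected_field('', 'event_type', $17);
  set_collected_field('', 'packet_count', $18);
  set_collected_field('', 'packet_bandwidth', $19);
  set_collected_field('', 'vlan_tag', $20);
  set_collected_field('', 'rpls_rd', $21);
  set_collected_field('', 'rpls_tag', $22);
  # one event per matched line
  set_collected_field('', 'events', 1);
  accept_collected_entry('', false);
);
else if (matches_regular_expression(v.syslog_message, 'DefensePro: ([0-9]+)-([0-9]+)-([0-9]+) ([0-9:]+) ([^ ]+) ([0-9]+) ([^ ]+) "([^"]+)" ([^ ]+) ([0-9.]+) ([0-9]+) ([0-9.]+) ([0-9]+) ([0-9]+) ([^ ]+) "([^"]+)" ([^ ]+) ([0-9]+) ([0-9]+) ([0-9]+) ([^ ]+) ([^ ]+) ([^ ]+)')) then (
  # dd-mm-yyyy on the wire -> yyyy-mm-dd for Sawmill
  set_collected_field('', 'date', $3 . '-' . $2 . '-' . $1);
  set_collected_field('', 'time', $4);
  set_collected_field('', 'severity', $5);
  set_collected_field('', 'radware_id', $6);
  set_collected_field('', 'category', $7);
  set_collected_field('', 'event_name', $8);
  set_collected_field('', 'protocol', $9);
  set_collected_field('', 'source_ip', $10);
  set_collected_field('', 'source_port', $11);
  set_collected_field('', 'destination_ip', $12);
  set_collected_field('', 'destination_port', $13);
  set_collected_field('', 'physical_port', $14);
  set_collected_field('', 'context', $15);
  set_collected_field('', 'policy_name', $16);
  set_collected_field('', 'event_type', $17);
  set_collected_field('', 'packet_count', $18);
  set_collected_field('', 'packet_bandwidth', $19);
  set_collected_field('', 'vlan_tag', $20);
  set_collected_field('', 'rpls_rd', $21);
  set_collected_field('', 'rpls_tag', $22);
  # $23 (e.g. "forward") is matched but intentionally not stored — see notes above
  set_collected_field('', 'events', 1);
  accept_collected_entry('', false);
);
`

  # Database fields. `location` has no log-field counterpart above; it is
  # presumably derived by Sawmill from the host-typed source_ip — confirm.
  database.fields = {
    severity = ""
    radware_id = ""
    category = ""
    event_name = ""
    protocol = ""
    source_ip = ""
    source_port = ""
    location = ""
    destination_ip = ""
    destination_port = ""
    physical_port = ""
    context = ""
    policy_name = ""
    event_type = ""
    packet_count = ""
    packet_bandwidth = ""
    vlan_tag = ""
    rpls_rd = ""
    rpls_tag = ""
  } # database.fields

  # Log Filters — none; every accepted entry is kept.
  log.filters = {
  } # log.filters

  database.numerical_fields = {
    # Row count; marked as the entries field so Sawmill uses it for totals.
    events = {
      default = true
      entries_field = true
    } # events
    packet_count = {
      default = true
    } # packet_count
    # Off by default; rendered with Sawmill's bandwidth formatter.
    packet_bandwidth = {
      default = false
      type = "float"
      display_format_type = "bandwidth"
    }
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

  report_groups = {
    date_time_group = ""
    severity = ""
    radware_id = ""
    category = ""
    event_name = ""
    protocol = ""
    source_ip = ""
    source_port = ""
    destination_ip = ""
    destination_port = ""
    location = ""
    physical_port = ""
    context = ""
    policy_name = ""
    event_type = ""
    packet_count = ""
    packet_bandwidth = ""
    vlan_tag = ""
    rpls_rd = ""
    rpls_tag = ""
  } # report_groups

} # defensepro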