# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for the Secure Computing "Sidewinder" firewall.
# The records arrive wrapped in syslog (log_data_type = "syslog_required"); the
# parsing filter below unwraps the message and handles two record layouts:
#   "name: value" pairs separated by single spaces (examples #1 and #2 below), and
#   "name=value" pairs separated by commas (SEF exports, see changelog entry 1.2).
# Every report field is taken from the log line itself, so a field is only as
# trustworthy as the device (or, for fields such as url/user_name, the remote
# client) that produced it.

sidewinder_firewall = {

  # vendor info
  # NOTE(review): "manfacturer" is presumably the key name Sawmill reads for this
  # entry; confirm before correcting the spelling.
  info.1.manfacturer = "Secure Computing Corporation"
  info.1.device = "Secure Firewall (Sidewinder)"
  info.1.version.1 = "7"

  plugin_version = "1.4"
  # 2007-01-24 - 1.0beta - KBB - initial creation from sidewinder_firewall.cfg - support for new format
  # 2007-09-14 - 1.0 - KBB - renumbered per new beta policy and renamed from beta_sidewinder_firewall.cfg
  # 2008-04-22 - 1.1 - GMF - Fixed bug which caused incorrect dates when there was a date= field listed.
  # 2009-01-29 - 1.1.1 - GMF - Added a location field (GeoIP tracking of srcip)
  # 2008-08-05 - 1.2 - gas - Date= lines only appear in SEF exported logs
  #   (http://www.securecomputing.com/pdf/si_70_sef_an.pdf). Fixed "strip additional syslog entry" regex
  #   to support lines without extra data info/syslog. Added collection of fac, area, type, pri
  # 2009-07-03 - 1.3 - MSG/GMF - Added "url" to the database fields
  # 2009-12-29 - 1.4 - KBB - Merged changes from Sawmill 7 and Sawmill 8 which evolved separately.
  #   Specifically, Graham's change of 2008-08-05 was not in v8, which caused problems for a user.

  # The name of the log format
  log.format.format_label = "Sidewinder Firewall Log Format"
  # The parsing filter reads v.syslog_message, presumably populated by Sawmill's
  # syslog handling once the outer syslog header has been consumed.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # Autodetection: the format is chosen if any of the first autodetect_lines (200)
  # lines contains "srcip: a.b.c.d" or "srcip=a.b.c.d" followed by a comma or a space.
  log.format.autodetect_regular_expression = "srcip(: |=)[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+[, ]"
  log.format.autodetect_lines = 200

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"
  # Listed-field values may contain spaces (e.g. "event: proxy traffic end" in the
  # examples below). NOTE(review): a value that itself contains "name: " text
  # would presumably be read as a further field by collect_listed_fields; confirm
  # how it delimits values before relying on fields whose content originates with
  # the remote client (url, user_name, request_command).
  log.format.allow_spaces_in_listed_field_values = "true"

  # Log fields
  # An empty value declares a plain field. srcip.type / url.type presumably select
  # Sawmill's host- and page-style handling for those two fields.
  log.fields = {
    fac = ""
    area = ""
    type = ""
    pri = ""
    pid = ""
    ruid = ""
    euid = ""
    pgid = ""
    fid = ""
    logid = ""
    cmd = ""
    domain = ""
    edomain = ""
    srcip.type = "host"
    srcport = ""
    srcburb = ""
    dstip = ""
    dstport = ""
    dstburb = ""
    protocolname = ""
    protocol = ""
    service_name = ""
    status = ""
    netsessid = ""
    request_command = ""
    url.type = "page"
    bytes_written_to_client = ""
    bytes_written_to_server = ""
    ipkt = ""
    opkt = ""
    interface = ""
    agent_type = ""
    user_name = ""
    auth_method = ""
    acl_id = ""
    cache_hit = ""
    acl_position = ""
    request_status = ""
    start_time = ""
    information = ""
    cpu_data = ""
    dsthostname = ""
    file = ""
    filedom = ""
    filetyp = ""
    load_data = ""
    mbuf_data = ""
    op = ""
    originator_domain = ""
    permgranted = ""
    permwanted = ""
    real_data = ""
    reason = ""
    recipient_domain = ""
    result = ""
    rule_name = ""
    srcdmn = ""
    srchostname = ""
    srcservice = ""
    tgtdmn = ""
    udb_action = ""
    udb_admin = ""
    udb_class = ""
    udb_user = ""
    virt_data = ""
  } # log.fields

  # Parsing filter. Runs once per syslog message: strips any second syslog header,
  # pulls date/fac/area/type/pri from the Sidewinder prefix, trims trailing text
  # that would confuse listed-field collection, then collects the name/value pairs.
  # The entry is accepted only if a srcip or a pid was collected; otherwise rejected.
  log.parsing_filters.parse = `
    #1 this from kiwi/iso: Dec 22 00:10:43 auditd: Dec 21 16:10:43 2006 GMT f_kern_tcp a_nil_area t_netprobe p_major srcip: 255.255.255.255 dstip: 255.255.255.254 protocolname: tcp srcburb: external srcport: 20480 dstport: 1433
    #2 this from unix_syslog: auditd: Aug 27 04:00:02 2008 UTC f_http_proxy a_libproxycommon t_nettraffic p_major pid: 3691 ruid: 0 euid: 0 pgid: 3691 logid: 0 cmd: 'httpp' domain: htpp edomain: htpp hostname: ifw1.net.blah.blah.com event: proxy traffic end service_name: http netsessid: 48b4d123123eb2d6 srcip: 123.123.123.123 srcport: 48866 srcburb: internal protocol: 6 dstip: 123.123.123.123 dstport: 80 dstburb: external bytes_written_to_client: 1115 bytes_written_to_server: 471 acl_id: Proxy cache_hit: 0 request_status: 0 start_time: Wed Aug 27 06:00:02 2008

    # strip additional syslog entry (one possible format)
    # Drops a leading "Mon dd hh:mm:ss host " prefix (as in example #1) and keeps
    # the rest; example #2 has no such prefix and is left untouched.
    ### 05/09/2008 10:35:16 : 1.2 : gas : this ruins parsing of #2 above, so am changing it to support both line types
    if (matches_regular_expression(v.syslog_message, '^[A-Z][a-z][a-z] [ 0-9]{0,1}[0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [^ ]+ *(.*)$')) then (
      v.syslog_message = $1;
    );

    # get date and time from message
    # added collection of fac, area, type, pri from this line
    # Captures: $1 "Mon dd", $2 hh:mm:ss, $3 year, $4 the space-separated tokens
    # before the first "name:"/"name=" field (f_..., a_..., t_..., p_...), $5 the rest.
    # NOTE(review): only "Mon dd" and the year are stored as 'date' here; $2 is not
    # collected, so the time of day presumably comes from the syslog header. Confirm.
    if (matches_regular_expression(v.syslog_message, '([A-Z][a-z][a-z] [ 0-9]{0,1}[0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ([0-9]{4}) [A-Z]{3} [0-9:+-]* ([^:=]*) ([_a-z]+[:=].*)$')) then (
      set_collected_field('', 'date', $1 . " " . $3);
      split($4, ' ', 'v.fields');
      set_collected_field('', 'fac', v.fields.0);
      set_collected_field('', 'area', v.fields.1);
      set_collected_field('', 'type', v.fields.2);
      set_collected_field('', 'pri', v.fields.3);
      v.syslog_message = $5;
    );

    # remove multi-line messages and other trailing messages that break the pattern
    # remove or fix field names with spaces
    # The first three branches cut the message at a known trailing marker
    # ("+|...", "=IP Filter", "perm wanted"); the chain is exclusive, so at most
    # one of the trims below runs per message.
    #2006-12-22 00:06:33 Local3.Error 192.168.99.99 Dec 22 00:09:33 auditd: Dec 21 16:09:33 2006 GMT f_system a_hmon t_geninfo p_major pid: 21235 ruid: 0 euid: 0 pgid: 21235 fid: 0 logid: 0 cmd: 'monitord' domain: HMON edomain: HMON +|health monitor|MON_INFO|MAJOR|SYS|HMONINFO=Health Monitor data followsuptime_util: 84 days 7:23load_avg: 1.09mem_percent: 12.46cpu_percent: 100tcp_count: 29udp_count: 12proxy_info: snmpp 4proxy_info: (....)
    if (matches_regular_expression(v.syslog_message, '^(.*) \\\\+\\\\|[a-z]')) then (
      v.syslog_message = $1;
    );
    else if (matches_regular_expression(v.syslog_message, '^(.*) =IP Filter')) then (
      v.syslog_message = $1;
    );
    else if (matches_regular_expression(v.syslog_message, '^(.*) perm wanted')) then (
      v.syslog_message = $1;
    );
    # Mail records carry two-word field names ("Originator domain:", "Recipient domain:")
    # which the space-delimited collection below cannot take as-is.
    #2006-12-22 00:12:05 Local3.Error 192.168.0.254 Dec 22 00:15:05 auditd: Dec 21 16:25:58 2006 GMT f_mail a_server t_nettraffic p_major pid: 27821 ruid: 0 euid: 0 pgid: 27821 fid: 0 logid: 0 cmd: 'sendmail' domain: mta2 edomain: mta2 srcip: 233.233.233.233 srcport: 25 srcburb: external dstip: 192.168.233.233 dstport: 25 dstburb: internal protocol: 6 bytes_written_to_client: 0 bytes_written_to_server: 38658 service_name: sendmail(2) reason: Normal delivery of message kBLGPXvg027819 status: conn_close acl_id: smtp_all cache_hit: 0 auth_method: N/A remote_logname: jack user_name: recipient: jill request_command: SMTP Mail: ID: kBLGPXvg027819 Originator domain: here.com Recipient domain: there.com Next hop: hello.com start_time: Fri Dec 22 00:25:58 2006 netsessid: 458ab596000bf609
    else if (contains(v.syslog_message, 'Originator domain')) then (
      # NOTE(review): the guard above tests for "Originator domain" but this search
      # text is spelled "Orginator domain:", so it cannot match the text the guard
      # found; the replacement name "orginator_domain" also differs from the declared
      # log field originator_domain. Presumably both lines were meant to rewrite the
      # two-word names into originator_domain / recipient_domain -- confirm, and check
      # whether replace_first modifies its argument in place (its result is not assigned).
      replace_first(v.syslog_message, 'Orginator domain:', 'orginator_domain:');
      # NOTE(review): the replacement contains a literal backslash sequence before
      # the colon -- confirm that is intended.
      replace_first(v.syslog_message, 'Recipient domain:', 'recipient_domain\\\\n:');
    );
    else (
      # remove 2nd ruid and trailing message after it
      # Keeps everything before the second " ruid:" occurrence (first_ruid_index + 6
      # is the offset just past the first " ruid:", second_ruid_index is relative to it).
      v.first_ruid_index = index(v.syslog_message, ' ruid:');
      if (v.first_ruid_index != -1) then (
        v.after_ruid = substr(v.syslog_message, v.first_ruid_index + 6);
        v.second_ruid_index = index(v.after_ruid, ' ruid:');
        if (v.second_ruid_index != -1) then (
          v.syslog_message = substr(v.syslog_message, 0, v.first_ruid_index + v.second_ruid_index + 6);
        );
      );
    );

    # Collect the name/value pairs. A message starting with "name:" is the
    # space-separated "name: value" layout; anything else is treated as the
    # comma-separated "name=value" layout.
    ## e.g. pid: 3691 ruid: 0 euid: 0 pgid: 3691 logid: 0 cmd: 'httpp' domain: htpp edomain: htpp hostname: blah.blah.blah.blah.com event: proxy traffic end service_name: http netsessid: 48b4d123123eb2d6 srcip: 123.123.123.123 srcport: 48866 srcburb: internal protocol: 6 dstip: 123.123.123.123 dstport: 80 dstburb: external bytes_written_to_client: 1115 bytes_written_to_server: 471 acl_id: Proxy cache_hit: 0 request_status: 0 start_time: Wed Aug 27 06:00:02 2008
    if (matches_regular_expression(v.syslog_message, '^[_a-z]+:')) then (
      collect_listed_fields('', v.syslog_message, ' ', ': ', '');
    );
    else (
      # if (matches_regular_expression(v.syslog_message, '^[_a-z]+=')) then (
      #)
      collect_listed_fields('', v.syslog_message, ',', '=', '');
      # e.g.
      # 2008-04-15 00:00:19 Local0.Error 192.168.254.254 Apr 15 00:00:24 auditd: date="Apr 14 16:00:24 2008 GMT",fac=f_wwwproxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=1131,ruid=0,euid=0,pgid=1132,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=something.somewhere.com,srcip=12.34.56.78,srcport=33458,srcburb=external,dstip=192.168.0.1,dstport=80,dstburb=SSN,protocol=6,bytes_written_to_client=0,bytes_written_to_server=1178,service_name=httpp,status=conn_close,acl_id=E_to_S_WWW_12.34.56.78_ATM,cache_hit=1,request_status=0,start_time="Tue Apr 15 00:00:24 2008",netsessid=48037f980005a583
      # If the date field was just overwritten by a date field in the comma-separated list, normalize it.
      # (changelog 1.1) A "date=" entry in the list replaces the 'date' collected above
      # with the raw "Mon dd hh:mm:ss yyyy ..." text; split it back into date and time.
      if (matches_regular_expression(get_collected_field('', 'date'), '^([A-Z][a-z][a-z] +[0-9]+) ([0-9:]+) ([0-9][0-9][0-9][0-9])')) then (
        set_collected_field('', 'date', normalize_date($1 . ' ' . $3, 'auto'));
        set_collected_field('', 'time', normalize_time($2, 'auto'));
      );
    );

    # Accept only entries that yielded a source IP or a process id; everything
    # else (e.g. a message whose fields were fully trimmed away) is rejected.
    if ((get_collected_field('', 'srcip') ne '(empty)') or (get_collected_field('', 'pid') ne '(empty)')) then (
      accept_collected_entry('', false);
    );
    else
      'reject'
  `

  # Database fields
  # Note: location is not a log field; per changelog 1.1.1 it is derived from
  # srcip by GeoIP lookup. The byte and packet counters live in
  # database.numerical_fields instead.
  database.fields = {
    fac = ""
    area = ""
    type = ""
    pri = ""
    srcip = ""
    location = ""
    srcport = ""
    srcburb = ""
    dstip = ""
    dstport = ""
    dstburb = ""
    protocolname = ""
    pid = ""
    ruid = ""
    euid = ""
    pgid = ""
    fid = ""
    logid = ""
    cmd = ""
    domain = ""
    edomain = ""
    protocol = ""
    service_name = ""
    status = ""
    netsessid = ""
    request_command = ""
    interface = ""
    agent_type = ""
    user_name = ""
    auth_method = ""
    acl_id = ""
    cache_hit = ""
    acl_position = ""
    url = ""
    request_status = ""
    # start_time = ""
    information = ""
    cpu_data = ""
    dsthostname = ""
    file = ""
    filedom = ""
    filetyp = ""
    load_data = ""
    mbuf_data = ""
    op = ""
    originator_domain = ""
    permgranted = ""
    permwanted = ""
    real_data = ""
    reason = ""
    recipient_domain = ""
    result = ""
    rule_name = ""
    srcdmn = ""
    srchostname = ""
    srcservice = ""
    tgtdmn = ""
    udb_action = ""
    udb_admin = ""
    udb_class = ""
    udb_user = ""
    virt_data = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Reduces a URL to "scheme://host/(omitted)", dropping the path and query;
    # a value without "://" does not match the pattern and is left unchanged.
    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "if (matches_regular_expression(url, '^([^:]+://[^/]+/)')) then url = $1 . '(omitted)'"
    } # simplify_url
    # Counts every accepted entry as one event.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  # Session tracking: visitors are identified by source IP, pages by url.
  log.field_options = {
    sessions_page_field = "url"
    sessions_visitor_id_field = "srcip"
    sessions_event_field = "page_views"
  } # log.field_options

  database.numerical_fields = {
    # Entry count, set by the mark_entry filter.
    events = {
      label = "$lang_stats.field_labels.events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # events
    # Distinct source IPs.
    visitors = {
      requires_log_field = true
      log_field = "srcip"
      type = "unique"
      display_format_type = "integer"
    } # visitors
    bytes_written_to_client = {
      type = "float"
      display_format_type = "bandwidth"
    } # bytes_written_to_client
    bytes_written_to_server = {
      type = "float"
      display_format_type = "bandwidth"
    } # bytes_written_to_server
    # ipkt / opkt: presumably inbound/outbound packet counters -- confirm against
    # the device documentation.
    ipkt = ""
    opkt = ""
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      fac = true
      area = true
      type = true
      pri = true
      source_group = {
        srcip = true
        location = true
        srcport = true
        srcburb = true
        srcdmn = true
        srchostname = true
        srcservice = true
        originator_domain = true
      }
      destination_group = {
        dstip = true
        dstport = true
        dstburb = true
        dsthostname = true
        recipient_domain = true
      }
      content_group = {
        url = true
        file = true
        filedom = true
        filetyp = true
      }
      other_group = {
        pid = true
        ruid = true
        euid = true
        pgid = true
        fid = true
        logid = true
        cmd = true
        domain = true
        edomain = true
        protocolname = true
        protocol = true
        service_name = true
        status = true
        reason = true
        netsessid = true
        request_command = true
        interface = true
        agent_type = true
        user_name = true
        auth_method = true
        acl_id = true
        cache_hit = true
        acl_position = true
        request_status = true
        information = true
        cpu_data = true
        real_data = true
        virt_data = true
        load_data = true
        mbuf_data = true
        op = true
        permgranted = true
        permwanted = true
        result = true
        rule_name = true
        tgtdmn = true
        udb_action = true
        udb_admin = true
        udb_class = true
        udb_user = true
      } # other group
    } # report_groups
  } # create_profile_wizard_options

} # sidewinder_firewall