# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved. visonys_airlock = { plugin_version = "1.0" info.1.manfacturer = "Visonys" info.1.device = "Airlock" info.1.version.1 = "4.0" # 2007-09-14 - 1.0 - KBB - renumbered per new beta policy # 13:40 09/01/2007 : 1.0Beta : gas : added new format re: # Alert 70-15100-000: Regular Request Information # For monitoring and statistics purposes, probably the most important alert message is the “regular request” message (Alert ID 70-15100-000), which is generated for each request processed by visonysAirlock. It is delivered in the following format: # - # The fields included have the following meanings: # IP # Source IP address of the request. # Example: 172.18.99.212 # Request # The request itself. # Example: “/public/index.html” # Session ID # The ID of the session on which the request was processed. # Example: “0022-5ec8528f-c9182f38-772312f3-2c1d8837” # Audit Token # Dynamic audit token of the current session that can be set by the authentication service. This field is ideally used for tracking the user information after authentication. # Example: “user:pmuster” # Validity # Specifies the validity of the request. It is either “valid” for recognized URLs, “no match” for unrecognized URLs or “denied” for requests that do not have the needed credentials. # Creation # It is either “new session created” if the session was created upon this request or empty if the request is processed on an existing session. # The name of the log format log.format.format_label = "Visonys Airlock Log Format" log.miscellaneous.log_data_type = "http_access" log.miscellaneous.log_format_type = "proxy_server" # The log is in this format if any of the first ten lines match this regular expression log.format.autodetect_regular_expression = '^[A-Za-za-z]+ [0-9]+ [0-9:]+ \\([-0-9]+\\) [0-9.]+ - \\"[^"]+\\" \\"[^"]+\\" \\"[^"]+\\" \\"[^"]+\\" \\"[^"]+\\" ' #log.format.parsing_regular_expression = '^([A-Za-za-z]+ [0-9]+) ([0-9:]+) \\(([-0-9]+)\\) ([0-9.]+) - \\"([^"]+)\\" \\"([^"]+)\\" \\"([^"]+)\\" \\"([^"]+)\\" \\"*([^"]*)\\"* \\"*([^"]*)\\"*$' # Treat fields surrounded by square brackets (e.g. the date/time field) as a single quoted field. #log.format.treat_brackets_as_quotes = "true" #log.format.common_log_format = "true" log.format.ignore_format_lines = "true" # The format of dates and times in this log log.format.date_format = "mmm dd" log.format.time_format = "hh:mm:ss" # Log fields log.fields = { date.type = "date" time.type = "time" alert_id = "" host.type = "host" page.type = "page" parameters = "" mapping = "" session_id = "" audit_token = "" validity = "" creation = "" filter_notification = "" } # log.fields # Database fields database.fields = { date_time = "" day_of_week = "" hour_of_day = "" file_type = "" domain_description = "" location = "" alert_id = "" host = "" page = "" parameters = "" mapping = "" session_id = "" audit_token = "" validity = "" creation = "" filter_notification = "" } # database.fields log.parsing_filters.parse = ` # desogned to match a 70-15100-000 alert if (matches_regular_expression(current_log_line(), '^([A-Za-za-z]+ *[0-9]+) ([0-9:]+) \\(([-0-9]+)\\) ([0-9.]+) - \\"([^"]+)\\" \\"([^"]+)\\" \\"([^"]+)\\" \\"([^"]+)\\" \\"*([^"]*)\\"* \\"*([^"]*)\\"*$')) then ( set_collected_field('', 'date', $1); set_collected_field('', 'time', $2); set_collected_field('', 'alert_id', $3); set_collected_field('', 'host', $4); set_collected_field('', 'page', $5); set_collected_field('', 'mapping', $6); set_collected_field('', 'session_id', $7); set_collected_field('', 'audit_token', $8); set_collected_field('', 'validity', $9); set_collected_field('', 'creation', $10); accept_collected_entry('', false); ); # designed to match a 70-15401-100 alert - Invalid request else if (matches_regular_expression(current_log_line(), '^([A-Za-za-z]+ *[0-9]+) ([0-9:]+) \\(([-0-9]+)\\) visonysAirlock filter notification: ([^:]*): Request \\"([^"]+)\\" on mapping \\"([^"]+)\\" with parameters \\"([^"]+)\\", HTTP method \\"([^"]+)\\", content type \\"[^"]+\\" on session \\"([^"]+)\\" from ([0-9.]+) with audit token \\"([^"]+)\\"$')) then ( set_collected_field('', 'date', $1); set_collected_field('', 'time', $2); set_collected_field('', 'alert_id', $3); set_collected_field('', 'filter_notification', $4); set_collected_field('', 'page', $5); set_collected_field('', 'mapping', $6); set_collected_field('', 'parameters', $7); set_collected_field('', 'operation', $8); set_collected_field('', 'session_id', $9); set_collected_field('', 'host', $10); set_collected_field('', 'audit_token', $11); accept_collected_entry('', false); ); # designed to match a 70-15401-100 alert - Deny rule else if (matches_regular_expression(current_log_line(), '^([A-Za-za-z]+ *[0-9]+) ([0-9:]+) \\(([-0-9]+)\\) visonysAirlock filter notification: (Deny rule) \\"([^"]+)\\" matched with parameter \\"([^"]+)\\"$')) then ( set_collected_field('', 'date', $1); set_collected_field('', 'time', $2); set_collected_field('', 'alert_id', $3); set_collected_field('', 'filter_notification', $4 . ' - ' . $5); set_collected_field('', 'parameters', $6); accept_collected_entry('', false); ); ` # Log Filters log.filters = { remove_query = { label = "$lang_admin.log_filters.remove_query_label" comment = "$lang_admin.log_filters.remove_query_comment" value = "if (contains(page, '?')) then page = substr(page, 0, index(page, '?') + 1) . '(parameters)';" } # remove_query detect_page_views = { label = '$lang_admin.log_filters.detect_page_views_label' comment = '$lang_admin.log_filters.detect_page_views_comment' value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;" } # detect_page_views strip_non_page_views = { label = '$lang_admin.log_filters.strip_non_page_views_label' comment = '$lang_admin.log_filters.strip_non_page_views_comment' value = "if (page_views == 0) then page = substr(page, 0, last_index(page, '/') + 1) . '(nonpage)';" } # strip_non_page_views mark_entry = { label = '$lang_admin.log_filters.mark_entry_label' comment = '$lang_admin.log_filters.mark_entry_comment' value = 'hits = 1;' } # mark_entry } # log.filters log.field_options = { sessions_page_field = "page" sessions_visitor_id_field = "host" sessions_event_field = "page_views" } # log.field_options database.numerical_fields = { hits = { label = "$lang_stats.field_labels.hits" default = true requires_log_field = false type = "int" display_format_type = "integer" entries_field = true } # hits page_views = { label = "$lang_stats.field_labels.page_views" default = true requires_log_field = false type = "int" display_format_type = "integer" } # page_views visitors = { label = "$lang_stats.field_labels.visitors" default = true requires_log_field = true log_field = "hostname" type = "unique" display_format_type = "integer" } # visitors } # database.numerical_fields create_profile_wizard_options = { # How the reports should be grouped in the report menu report_groups = { date_time_group = "" content_group = { page = true parameters = true mapping = true file_type = true } visitor_demographics_group = { host = true domain_description = true location = true } other_group = { filter_notification = true alert_id = true session_id = true audit_token = true validity = true creation = true } } # report_groups } # create_profile_wizard_options not_supported = { } # not_supported } # visonys_airlock