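# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Trend Micro InterScan Web Security Suite.
#
# The log mixes two record styles, and the parsing filter below handles both:
#   * "access" records: several "Name: value" lines (Date:, URL:, User-ID:, ...)
#     terminated by a line of dashes, which is where the entry is accepted;
#   * IWSS-HTTP daemon lines: one line per event, keyed by the "<id>" token so
#     that the "URL Filter violation" line and the later "Sub category" line of
#     the same id are merged into one entry.
# Every field value is taken verbatim from the log; nothing here validates it.

interscan_web_security_suite = {

  plugin_version = "1.0.1"

  # 2007-09-11 - 1.0 - KBB - added version number and changed file name from
  #   beta_interscan_web_security_suite.cfg
  # 2011-01-07 - 1.0.1 - MSG - Edited info lines.

  info.1.manufacturer = "TrendMicro"
  info.1.device = "Interscan Web Security Suite"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "Interscan Web Security Suite"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first autodetect_lines (100) lines
  # match this regular expression: either the "Date:" line of an access record
  # or the daemon start-up line of the HTTP log.
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, "^Date: [0-9]+/[0-9]+/[0-9][0-9] [0-9]+:[0-9][0-9]:[0-9][0-9] [AP]M$") or
    matches_regular_expression(volatile.log_data_line, "^[0-9][0-9][0-9][0-9]/[0-9][0-9]/[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [A-Z]+[-+][0-9][0-9]:[0-9][0-9] <[0-9]+> IWSS-HTTP Daemon starting")
  `
  log.format.autodetect_lines = "100"

  # The format of dates and times in this log
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Use parsing filters to parse this log
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    # Set to 'HTTP access', 'blocked URL' or 'virus' by the parsing filter
    # when an access record is accepted.
    event_type = ""

    # access
    date = ""
    time = ""
    method = ""
    server = ""
    # The parsing filter maps BOTH the "User-ID:" and the "ClientIP:" lines
    # into this field, so it holds a user name or a client address depending on
    # what the record contained; "visitors" and session tracking below key on
    # it, so the two kinds of identity are counted together. The "host" type
    # only really fits the ClientIP case.
    user.type = "host"
    serverip = ""
    domain = ""
    content_type = ""
    content_length = ""
    path = {
      type = "page"
      hierarchy_dividers = "/?"
      left_to_right = true
      leading_divider = "true"
    } # path
    operation = ""
    http_accesses = ""

    # url_blocking
    # Filled from the "URL:" line of an access record or from a
    # "URL Filter violation" daemon line; non-empty means the entry is a block.
    blocked_url = {
      type = "hierarchical"
      hierarchy_dividers = "/?"
      left_to_right = true
      leading_divider = "true"
    } # blocked_url
    rule = ""
    opp_id = ""
    scan_type = ""
    content_category = ""
    category = ""
    url_filtering_events_url_blocking = ""

    # virus
    from = ""
    to = ""
    file = ""
    action = ""
    # Non-empty means the entry is a virus detection (see the dash-line branch).
    virus = ""
    viruses = ""

    # http
    trend_category = ""
    sub_category = ""
    url_filtering_events_http = ""
  } # log.fields

  log.parsing_filters.parse = `
    # Accept on dash lines: a dash line ends an access record. Classify it by
    # which fields were collected (blocked_url wins over virus, anything else is
    # a plain HTTP access) and accept the entry collected under the '' key.
    if (starts_with(current_log_line(), '----------------------------------')) then (
      if (get_collected_field('', 'blocked_url') ne '(empty)') then (
        set_collected_field('', 'url_filtering_events_url_blocking', 1);
        set_collected_field('', 'event_type', 'blocked URL');
      );
      else if (get_collected_field('', 'virus') ne '(empty)') then (
        set_collected_field('', 'viruses', 1);
        set_collected_field('', 'event_type', 'virus');
      );
      else (
        set_collected_field('', 'http_accesses', 1);
        set_collected_field('', 'event_type', 'HTTP access');
      );
      accept_collected_entry('', false);
    );

    # Extract date/time fields of "access" format separately
    # The -* is here (and this is "if" rather than "else if" because the divider sometimes doesn't have a trailing CR,
    # so the ---- accept line and the Date line are on the same line.
    if (matches_regular_expression(current_log_line(), '^-*Date: ([^ ]+) (.*)$')) then (
      set_collected_field('', 'date', $1);
      set_collected_field('', 'time', $2);
    )

    # Extract any other field in "access" format.
    # The field name is derived from the log's own "Name:" token (lowercased,
    # '-' and ' ' turned into '_'); only 'url', 'user_id' and 'clientip' are
    # remapped. A name that matches none of log.fields is therefore decided by
    # the log content, not by this plugin -- NOTE(review): whether Sawmill
    # drops or rejects such a field is not visible here.
    else if (matches_regular_expression(current_log_line(), '^([^:]+): (.*)$')) then (
      v.fieldname = $1;
      v.fieldname = lowercase(v.fieldname);
      v.fieldname = replace_all(v.fieldname, '-', '_');
      v.fieldname = replace_all(v.fieldname, ' ', '_');
      if (v.fieldname eq 'url') then
        v.fieldname = 'blocked_url';
      if ((v.fieldname eq 'user_id') or (v.fieldname eq 'clientip')) then
        v.fieldname = 'user';
      set_collected_field('', v.fieldname, $2);
    );

    # Handle HTTP lines: "<date> <time> <tz> <id> <message>". The <id> token is
    # the collection key, so the violation line and the category line of the
    # same id end up in one entry, accepted when the category line arrives.
    else if (matches_regular_expression(current_log_line(), '^([0-9/]+) ([0-9:]+) [^ ]* <([0-9]*)> (.*)$')) then (
      v.key = $3;
      set_collected_field(v.key, 'date', $1);
      set_collected_field(v.key, 'time', $2);
      v.message = $4;
      if (matches_regular_expression(v.message, '^URL Filter violation for URL \\\\[([^]]*)')) then
        set_collected_field(v.key, 'blocked_url', $1);
      else if (matches_regular_expression(v.message, '^Sub category is \\\\[([^]]*)\\\\], Trend category group \\\\[([^]]*)\\\\]')) then (
        set_collected_field(v.key, 'sub_category', $1);
        set_collected_field(v.key, 'trend_category', $2);
        set_collected_field(v.key, 'url_filtering_events_http', 1);
        accept_collected_entry(v.key, true);
      );
    ); # http
  `

  # Database fields
  database.fields = {
    event_type = ""

    # access
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    path = {
      suppress_top = 1
      suppress_bottom = 3
    } # path
    file_type = ""
    worm = ""
    # screen_dimensions = ""
    # screen_depth = ""
    domain_description = ""
    location = ""
    user = ""
    method = ""
    server = ""
    serverip = ""
    domain = ""
    content_type = ""
    operation = ""

    # url_blocking
    blocked_url = ""
    rule = ""
    opp_id = ""
    scan_type = ""
    content_category = ""
    category = ""

    # virus
    from = ""
    to = ""
    file = ""
    action = ""
    virus = ""

    # http
    trend_category = ""
    sub_category = ""
  } # database.fields

  # Log Filters
  log.filters = {
    not_authenticated = {
      label = "$lang_admin.log_filters.not_authenticated_label"
      comment = "$lang_admin.log_filters.not_authenticated_comment"
      value = "if (user eq '-') then user = '(not authenticated)';"
    } # not_authenticated
    set_page_for_worm = {
      label = "$lang_admin.log_filters.set_page_for_worm_label"
      comment = "$lang_admin.log_filters.set_page_for_worm_comment"
      value = "if (starts_with(worm, '(')) then '' else path = '(worm)';"
    } # set_page_for_worm
    remove_query = {
      label = "$lang_admin.log_filters.remove_query_label"
      comment = "$lang_admin.log_filters.remove_query_comment"
      value = "if (contains(path, '?')) then path = substr(path, 0, index(path, '?') + 1) . '(parameters)';"
    } # remove_query
    # Only access records (http_accesses == 1) with a non-graphic file type
    # count as page views; blocked-URL and virus entries never do.
    detect_page_views = {
      label = '$lang_admin.log_filters.detect_page_views_label'
      comment = '$lang_admin.log_filters.detect_page_views_comment'
      value = "if ((http_accesses != 1) or (file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
    } # detect_page_views
    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "if (matches_regular_expression(path, '^([^:]+://[^/]+/)')) then path = $1 . '(omitted)'"
    } # simplify_url
    strip_non_page_views = {
      label = '$lang_admin.log_filters.strip_non_page_views_label'
      comment = '$lang_admin.log_filters.strip_non_page_views_comment'
      value = "if (page_views == 0) then path = substr(path, 0, last_index(path, '/') + 1) . '(nonpage)';"
    } # strip_non_page_views
  } # log.filters

  log.field_options = {
    sessions_page_field = "path"
    sessions_visitor_id_field = "user"
    sessions_event_field = "page_views"
  } # log.field_options

  database.numerical_fields = {
    http_accesses = {
      entries_field = true
    } # http_accesses
    page_views = {
      default = true
    } # page_views
    visitors = {
      log_field = "user"
      type = "unique"
    } # visitors
    content_length = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # content_length
    viruses = ""
    url_filtering_events_http = ""
    url_filtering_events_url_blocking = ""
  } # database.numerical_fields

  create_profile_wizard_options = {

    # This shows which numerical fields are related to which non-numerical fields.
    database_field_associations = {

      # access
      path = {
        http_accesses = true
        page_views = true
        visitors = true
        content_length = true
      }
      file_type = {
        http_accesses = true
        page_views = true
        visitors = true
        content_length = true
      }
      worm = {
        http_accesses = true
        page_views = true
        visitors = true
        content_length = true
      }
      # screen_dimensions = {
      #   http_accesses = true
      #   page_views = true
      #   visitors = true
      #   content_length = true
      # }
      # screen_depth = {
      #   http_accesses = true
      #   page_views = true
      #   visitors = true
      #   content_length = true
      # }
      domain_description = {
        http_accesses = true
        page_views = true
        visitors = true
        content_length = true
      }
      location = {
        http_accesses = true
        page_views = true
        visitors = true
        content_length = true
      }
      user = {
        http_accesses = true
        page_views = true
        visitors = true
        content_length = true
        url_filtering_events_url_blocking = true
        viruses = true
      }
      method = {
        http_accesses = true
        page_views = true
        visitors = true
        content_length = true
      }
      server = {
        http_accesses = true
        page_views = true
        visitors = true
        content_length = true
      }
      serverip = {
        http_accesses = true
        page_views = true
        visitors = true
        content_length = true
      }
      domain = {
        http_accesses = true
        page_views = true
        visitors = true
        content_length = true
      }
      content_type = {
        http_accesses = true
        page_views = true
        visitors = true
        content_length = true
      }
      operation = {
        http_accesses = true
        page_views = true
        visitors = true
        content_length = true
      }

      # url_blocking
      blocked_url.url_filtering_events_url_blocking = true
      rule.url_filtering_events_url_blocking = true
      opp_id.url_filtering_events_url_blocking = true
      scan_type.url_filtering_events_url_blocking = true
      content_category.url_filtering_events_url_blocking = true
      category.url_filtering_events_url_blocking = true

      # virus
      from.viruses = true
      to.viruses = true
      file.viruses = true
      action.viruses = true
      virus.viruses = true

      # http
      trend_category.url_filtering_events_http = true
      sub_category.url_filtering_events_http = true

    } # database_field_associations

    # How the reports should be grouped in the report menu
    manual_reports_menu = true
    report_groups = {
      overview.type = "overview"
      date_time_group = {
        items = {
          # graph_field previously named "malicious_events", which is not one of
          # database.numerical_fields in this plugin; it now graphs the entries
          # field http_accesses, which is defined above.
          date_time = {
            label = "$lang_stats.miscellaneous.years_months_days"
            graph_field = "http_accesses"
            only_bottom_level_items = false
          }
          days = {
            label = "$lang_stats.miscellaneous.days"
            database_field_name = "date_time"
            graph_field = "http_accesses"
          }
          day_of_week = {
            graph_field = "http_accesses"
          }
          hour_of_day = {
            graph_field = "http_accesses"
          }
        }
      } # date_time_group
      executive_group = {
        items = {
          executive_user = {
            database_field_name = "user"
          }
          executive_domain = {
            database_field_name = "domain"
          }
          executive_blocked_url = {
            database_field_name = "blocked_url"
            only_bottom_level_items = false
          }
          executive_path = {
            database_field_name = "path"
          }
          executive_file_type = {
            database_field_name = "file_type"
          }
          executive_trend_category = {
            database_field_name = "trend_category"
          }
        } # items
      } # executive
      content_group = {
        items = {
          path = true
          file_type = true
          content_type = true
        }
      }
      visitor_demographics_group = {
        items = {
          user_access = {
            reports_menu_label = "{=capitalize(pluralize(print(database.fields.user.label)))=}"
            columns.0.field_name = "user"
            columns.1.field_name = "http_accesses"
            columns.2.field_name = "page_views"
            columns.3.field_name = "visitors"
            columns.4.field_name = "content_length"
          }
          domain_description_access = {
            reports_menu_label = "{=capitalize(pluralize(print(database.fields.domain_description.label)))=}"
            columns.0.field_name = "domain_description"
            columns.1.field_name = "http_accesses"
            columns.2.field_name = "page_views"
            columns.3.field_name = "visitors"
            columns.4.field_name = "content_length"
          }
          location_access = {
            reports_menu_label = "{=capitalize(pluralize(print(database.fields.location.label)))=}"
            columns.0.field_name = "location"
            columns.1.field_name = "http_accesses"
            columns.2.field_name = "page_views"
            columns.3.field_name = "visitors"
            columns.4.field_name = "content_length"
          }
          # screen_dimensions = true
          # screen_depth = true
        }
      }
      server_group = {
        items = {
          domain = true
          server = true
          serverip = true
          method = true
        }
      }
      other_group = {
        items = {
          event_type = true
          worm = true
          operation = true
        }
      }
      url_filtering_group = {
        items = {
          # Per-user report counts access-record blocks
          # (url_filtering_events_url_blocking); the domain/location reports
          # count daemon-line events (url_filtering_events_http).
          user_url_filtering = {
            reports_menu_label = "{=capitalize(pluralize(print(database.fields.user.label)))=}"
            columns.0.field_name = "user"
            columns.1.field_name = "url_filtering_events_url_blocking"
          }
          domain_description_url_filtering = {
            reports_menu_label = "{=capitalize(pluralize(print(database.fields.domain_description.label)))=}"
            columns.0.field_name = "domain_description"
            columns.1.field_name = "url_filtering_events_http"
          }
          location_url_filtering = {
            reports_menu_label = "{=capitalize(pluralize(print(database.fields.location.label)))=}"
            columns.0.field_name = "location"
            columns.1.field_name = "url_filtering_events_http"
          }
          blocked_url = {
            only_bottom_level_items = false
          }
          rule = true
          opp_id = true
          scan_type = true
          content_category = true
          category = true
          trend_category = true
          sub_category = true
        }
      }
      viruses_group = {
        items = {
          user_virus = {
            reports_menu_label = "{=capitalize(pluralize(print(database.fields.user.label)))=}"
            columns.0.field_name = "user"
            columns.1.field_name = "viruses"
          }
          domain_description_virus = {
            reports_menu_label = "{=capitalize(pluralize(print(database.fields.domain_description.label)))=}"
            columns.0.field_name = "domain_description"
            columns.1.field_name = "viruses"
          }
          location_virus = {
            reports_menu_label = "{=capitalize(pluralize(print(database.fields.location.label)))=}"
            columns.0.field_name = "location"
            columns.1.field_name = "viruses"
          }
          from = true
          to = true
          file = true
          action = true
          virus = true
        }
      }
      log_detail = true
      single_page_summary = true
    } # report_groups

  } # create_profile_wizard_options

} # interscan_web_security_suite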