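# Copyright (c) 2011 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for JP-Secure SiteGuard WAF logs delivered over
# syslog. One "WAF:" line is split by the regular expression in
# log.parsing_filters.parse into the collected fields declared in log.fields;
# the database, report groups and a derived signature_category are defined below.
#
# NOTE(review): url, username, signature_string and x_forwarded_for are taken
# straight from the client request the WAF logged, i.e. attacker-controlled
# text; presumably x_forwarded_for is the X-Forwarded-For header, so it must
# not be used as the source address of an event (source_ip is the peer seen by
# the WAF). Confirm against the SiteGuard log documentation.

site_guard = {

  plugin_version = "1.0"

  info.1.manufacturer = "JP-Secure"
  info.1.device = "SiteGuard"
  info.1.version.1 = ""

  # 2011-10-04 - GMF - 1.0 - Initial creation.

  # The name of the log format
  log.format.format_label = "SiteGuard Log Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first ten lines match this regular expression
  log.format.autodetect_regular_expression = "WAF: [0-9]+[.][0-9]+ +[0-9]+ [0-9]+[.][0-9]+[.][0-9]+[.][0-9]+ [A-Z_]+/[0-9]+ "

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields (one per capture of the parse regular expression, in capture order)
  log.fields = {
    connection_time = ""
    source_ip = {
      type = "host"
    } # source_ip
    cache_status = ""
    server_response = ""
    file_size = ""
    operation = ""
    url = {
      type = "page"
      hierarchy_dividers = "/?"
      left_to_right = true
      leading_divider = "true"
    } # url
    username = ""
    hierarchy = ""
    server_ip = ""
    content_type = ""
    detect_status = ""
    detect_name = ""
    detect_part = ""
    name = ""
    signature_file = ""
    signature_id = ""
    signature_name = ""
    # captures $20 and $21 of the parse regular expression are not collected
    signature_string = ""
    action = ""
    service = ""
    internal_process_id = ""
    process_id = ""
    source_ip_address = ""
    processing = ""
    # captures $29, $30 and $31 of the parse regular expression are not collected
    keep_alive = ""
    x_forwarded_for = ""
    error_information = ""

    # Computed fields
    signature_category = ""
    information = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters = {
    parse = `
if (matches_regular_expression(v.syslog_message, '^WAF: ([0-9]+)[.][0-9]+ +([0-9]+) ([0-9.]+) ([^/]+)/([0-9]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^/]+)/([^ ]+) ([^ ]+) DETECT-STAT:([^:]*):([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^:]*):([^:]*):([^:]*):([^:]*): ACTION:([^ ]+): PROXY-STAT:([^:]*):([^:]*):([^:]*):([^:]*):([^:]*):([^:]*):([^:]*):([^:]*): PROTOCOL-STAT:([^:]*):([^:]*): PROXY-ERROR:([^:]*):')) then (

  # $1 is the integer part of the epoch timestamp; the fractional part is discarded.
  set_collected_field('', 'date', normalize_date($1, 'seconds_since_jan1_1970'));
  set_collected_field('', 'time', normalize_time($1, 'seconds_since_jan1_1970'));
  set_collected_field('', 'connection_time', $2);
  set_collected_field('', 'source_ip', $3);
  set_collected_field('', 'cache_status', $4);
  set_collected_field('', 'server_response', $5);
  set_collected_field('', 'file_size', $6);
  set_collected_field('', 'operation', $7);
  set_collected_field('', 'url', $8);
  set_collected_field('', 'username', $9);
  set_collected_field('', 'hierarchy', $10);
  set_collected_field('', 'server_ip', $11);
  # Field name must match the log field declared above ('content_type', not 'content-type').
  set_collected_field('', 'content_type', $12);

  # DETECT-STAT block
  set_collected_field('', 'detect_status', $13);
  set_collected_field('', 'detect_name', $14);
  set_collected_field('', 'detect_part', $15);
  set_collected_field('', 'name', $16);
  set_collected_field('', 'signature_file', $17);
  # NOTE(review): signature_id is stored as $18 followed by $19, although $19 is
  # also stored on its own as signature_name; confirm this concatenation is intended.
  set_collected_field('', 'signature_id', $18 . $19);
  set_collected_field('', 'signature_name', $19);
  # set_collected_field('', '', $20);
  # set_collected_field('', '', $21);
  set_collected_field('', 'signature_string', $22);

  set_collected_field('', 'action', $23);

  # PROXY-STAT block
  set_collected_field('', 'service', $24);
  set_collected_field('', 'internal_process_id', $25);
  set_collected_field('', 'process_id', $26);
  set_collected_field('', 'source_ip_address', $27);
  set_collected_field('', 'processing', $28);
  # set_collected_field('', '', $29);
  # set_collected_field('', '', $30);
  # set_collected_field('', '', $31);

  # PROTOCOL-STAT block
  set_collected_field('', 'keep_alive', $32);
  set_collected_field('', 'x_forwarded_for', $33);

  # PROXY-ERROR block
  set_collected_field('', 'error_information', $34);

  # Compute signature_category from the leading characters of the signature id ($18).
  # Ids shorter than three characters are compared whole, so the '09' and '9'
  # branches below are reachable (with an unconditional 3-character prefix they
  # could never match). Entries with no signature id keep an empty category so
  # non-detection lines are not reported as 'Unknown'.
  if (length($18) > 0) then (
    if (length($18) >= 3) then
      v.signature_prefix = substr($18, 0, 3);
    else
      v.signature_prefix = $18;
    if (v.signature_prefix eq '001') then
      set_collected_field('', 'signature_category', 'SQL Injection');
    else if (v.signature_prefix eq '002') then
      set_collected_field('', 'signature_category', 'Cross Site Scripting');
    else if (v.signature_prefix eq '003') then
      set_collected_field('', 'signature_category', 'OS Command Injection');
    else if (v.signature_prefix eq '004') then
      set_collected_field('', 'signature_category', 'Directory Traversal');
    else if (v.signature_prefix eq '005') then
      set_collected_field('', 'signature_category', 'Line feed Injection');
    else if (v.signature_prefix eq '006') then
      set_collected_field('', 'signature_category', 'XPath Injection');
    else if (v.signature_prefix eq '007') then
      set_collected_field('', 'signature_category', 'LDAP Injection');
    else if (v.signature_prefix eq '09') then
      set_collected_field('', 'signature_category', 'Other Attacks');
    else if (v.signature_prefix eq '9') then
      set_collected_field('', 'signature_category', 'Other Attacks');
    else
      set_collected_field('', 'signature_category', 'Unknown');
  ); # if signature id present

  # Compute information: service, an empty placeholder segment, keep_alive,
  # x_forwarded_for and error_information, colon separated.
  set_collected_field('', 'information', $24 . ':' . '' . ':' . $32 . ':' . $33 . ':' . $34 . ':');

  accept_collected_entry('', false);
);
`
  } # log.parsing_filters

  # Database fields
  # NOTE(review): several report groups below reference fields that are commented
  # out here (source_ip_address, content_type, cache_status, name,
  # internal_process_id, process_id, processing); either enable them here or drop
  # them from create_profile_wizard_options.report_groups.
  database.fields = {
    # connection_time = ""
    source_ip = ""
    # location = ""
    # cache_status = ""
    server_response = ""
    # file_size = ""
    operation = ""
    url = ""
    # file_type = ""
    username = ""
    hierarchy = ""
    server_ip = ""
    # content_type = ""
    detect_status = ""
    detect_name = ""
    detect_part = ""
    # name = ""
    signature_file = ""
    signature_id = ""
    signature_name = ""
    signature_string = ""
    signature_category = ""
    action = ""
    service = ""
    # internal_process_id = ""
    # process_id = ""
    # source_ip_address = ""
    # processing = ""
    keep_alive = ""
    x_forwarded_for = ""
    error_information = ""
    information = ""
  } # database.fields

  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    # file_size = {
    #   default = false
    #   type = "int"
    #   integer_bits = 64
    #   display_format_type = "bandwidth"
    # } # file_size
    # connection_time = {
    #   default = false
    #   type = "int"
    #   integer_bits = 64
    #   display_format_type = "duration_compact"
    # } # connection_time
  } # database.numerical_fields

  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      source_group = {
        source_ip = true
        username = true
        source_ip_address = true
      } # source_group
      server_group = {
        server_ip = true
        server_response = true
      } # server_group
      content_group = {
        action = true
        operation = true
        url = true
        content_type = true
        service = true
      } # content_group
      cache_group = {
        hierarchy = true
        cache_status = true
        detect_status = true
        detect_name = true
        detect_part = true
        name = true
        signature_category = true
        signature_file = true
        signature_name = true
        signature_string = true
      } # cache_group
      other_group = {
        information = true
        internal_process_id = true
        process_id = true
        processing = true
        keep_alive = true
        x_forwarded_for = true
        error_information = true
      } # other_group
    } # report_groups
  } # create_profile_wizard_options

} # site_guard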