# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for the NetContinuum Application Security Gateway.
# It declares the fields collected from each syslog message, the parsing filter
# that extracts them with one regular expression, and the log filters that
# post-process each accepted entry.
net_continuum = {
  plugin_version = "1.0"
  # 2007-06-02 - 1.0beta - KBB - initial creation
  # 2007-09-14 - 1.0 - KBB - renumbered per new beta policy

  # Device identification for this format.
  info.1.manufacturer = "NetContinuum"
  info.1.device = "Application Security Gateway"
  info.1.version = ""  # left empty: no particular device version is named

  # The name of the log format
  log.format.format_label = "NetContinuum Application Security Gateway Log Format"
  # Input must arrive as syslog; the parsing filter below reads v.syslog_message.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # The expression keys on the record marker (WF, TR or SYS) followed by the
  # device's own "YYYY-Mon-DD HH:MM:SS.mmm:" timestamp, as in this sample line:
  #2007-06-01 11:44:46 Local0.Info 10.10.10.10 TR systex-1 2007-Jun-01 03:44:57.834: 172.16.10.101:1142 172.16.10.102:80 POST /cgi-bin/some_app.cgi HTTP/1.0 200 0 4207 914 3284 172.16.10.102 "-" "-" "-"
  log.format.autodetect_regular_expression = '(WF|TR|SYS) [^ ]* ....-...-.. ..:..:..\\....: '

  # The format of dates and times in this log
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  # One entry per value the parsing filter stores with set_collected_field();
  # an empty value sets no per-field options here.
  log.fields = {
    date = ""
    time = ""
    level = ""
    attack_id = ""
    client_ip = ""
    client_port = ""
    application_ip = ""
    application_port = ""
    rule = ""
    action = ""
    attack_description = ""
    attack_detail = ""
    method = ""
    # url is the only field given a type ("page") in this plugin.
    url.type = "page"
  } # log.fields

  # Database fields
  # date_time, day_of_week and hour_of_day have no matching log field;
  # presumably Sawmill derives them from the collected date and time — confirm.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    level = ""
    attack_id = ""
    client_ip = ""
    client_port = ""
    application_ip = ""
    application_port = ""
    rule = ""
    action = ""
    attack_description = ""
    attack_detail = ""
    method = ""
    url = ""
  } # database.fields

  # Parsing filter. Capture groups of the regular expression, in order:
  #   $1 date            $2 time             $3 level prefix ("WF-ALER-" in the sample)
  #   $4 attack_id       $5 attack class ("SQL-Injection" in the sample; not collected)
  #   $6/$7 client ip:port                   $8/$9 application ip:port
  #   $10 rule           $11 action          $12 first [...] block -> attack_description
  #   $13 second [...] block -> attack_detail  $14 method  $15 rest of line -> url
  # Only lines matching this expression reach accept_collected_entry(); the TR
  # sample above, where an address rather than a "WF-..." code follows the
  # timestamp, does not match, so presumably only WF records become entries —
  # NOTE(review): confirm that is intended.
  # $13 and $15 carry request-supplied text verbatim (the sample shows the
  # matched token and parameter value), so they must be treated as untrusted
  # data when rendered in reports — NOTE(review): verify report output escapes them.
  # The backslash escaping inside the expression is layered (backtick string,
  # then regular expression); it is kept exactly as written.
  log.parsing_filters.parse = `
    # Sample WF record this expression was written against:
    #2007-06-01 11:23:37 Local0.Alert 10.10.10.10 WF systex-1 2007-Jun-01 03:23:49.385: WF-ALER-URL_PARAM_SQL_INJECTION SQL-Injection 172.16.10.101:3865 172.16.10.102:80 /test/web-application/web-firewall/web-acls/parameter-acls/default-parameter-acl DENY [SQL injection pattern matched in Query Parameter] [type: sql-injection-medium, pattern: sql-quote, token: ' , parameter: action , value: '] POST 172.16.10.102/cgi-bin/some_app.cgi?action='&searchquery=111-222-1933email@address.com
    if (matches_regular_expression(v.syslog_message, '[A-Z]+ [^ ]+ ([0-9]{4}-[A-Za-z]{3}-[0-9]{2}) ([0-9]{2}:[0-9]{2}:[0-9]{2})\\\.[0-9]+: ([A-Z-]+-)([A-Z_]+) ([^ ]+) ([0-9.]+):([0-9]+) ([0-9.]+):([0-9]+) ([^ ]+) ([^ ]+) \\\\[([^]]+)\\\\] \\\\[([^]]+)\\\\] ([A-Z]+) (.*)$')) then (
      set_collected_field('', 'date', $1);
      set_collected_field('', 'time', $2);
      # Hold the level prefix in a temporary; the stored level is chosen below.
      v.level = $3;
      set_collected_field('', 'attack_id', $4);
      #set_collected_field('', 'short_id', $5);
      set_collected_field('', 'client_ip', $6);
      set_collected_field('', 'client_port', $7);
      set_collected_field('', 'application_ip', $8);
      set_collected_field('', 'application_port', $9);
      set_collected_field('', 'rule', $10);
      set_collected_field('', 'action', $11);
      set_collected_field('', 'attack_description', $12);
      set_collected_field('', 'attack_detail', $13);
      set_collected_field('', 'method', $14);
      set_collected_field('', 'url', $15);
      # A WF-ALER-/WF-WARN-/WF-NOTI- prefix is replaced by the name looked up
      # under lang_stats.log_formats.net_continuum.level using the inner
      # capture (ALER, WARN or NOTI); any other prefix is stored unchanged.
      if (matches_regular_expression(v.level, 'WF-(ALER|WARN|NOTI)-')) then (
        set_collected_field('', 'level', node_value(subnode_by_name('lang_stats.log_formats.net_continuum.level', $1)));
      );
      else (
        set_collected_field('', 'level', v.level);
      );
      accept_collected_entry('', false);
    );
  `

  # Log Filters
  # Run against each parsed entry. The page_views filters stay disabled
  # because page_views is not a numerical field in this plugin (see
  # database.numerical_fields below).
  log.filters = {
    #detect_page_views = {
    #  label = '$lang_admin.log_filters.detect_page_views_label'
    #  comment = '$lang_admin.log_filters.detect_page_views_comment'
    #  value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
    #} # detect_page_views

    # Collapses "scheme://host/..." to "scheme://host/(omitted)". The url the
    # parsing filter collects has no scheme in the sample above
    # ("172.16.10.102/cgi-bin/..."), so this would not match such values —
    # NOTE(review): confirm whether the device ever emits a scheme.
    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "if (matches_regular_expression(url, '^([^:]+://[^/]+/)')) then url = $1 . '(omitted)'"
    } # simplify_url

    # Replaces everything after the first '?' with "(parameters)", so the raw
    # query string (where the sample's injected value sits) is not stored in
    # url; attack_detail still holds the matched value.
    remove_query = {
      label = "$lang_admin.log_filters.remove_query_label"
      comment = "$lang_admin.log_filters.remove_query_comment"
      value = "if (contains(url, '?')) then url = substr(url, 0, index(url, '?') + 1) . '(parameters)';"
    } # remove_query

    #strip_non_page_views = {
    #  label = '$lang_admin.log_filters.strip_non_page_views_label'
    #  comment = '$lang_admin.log_filters.strip_non_page_views_comment'
    #  value = "if (page_views == 0) then url = substr(url, 0, last_index(url, '/') + 1) . '(nonpage)';"
    #} # strip_non_page_views

    # Counts every accepted entry once in the events field.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  # Numerical (aggregated) fields; events is the per-entry counter set by mark_entry.
  database.numerical_fields = {
    events = {
      default = false
      requires_log_field = false
      entries_field = true
    } # events
    #page_views = {
    #  default = true
    #  requires_log_field = false
    #} # page_views
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options
} # net_continuum