# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved. barracuda_waf = { plugin_version = "1.0.1" info.1.manufacturer = "Barracuda" info.1.device = "Web Application Firewall" info.1.version = "7.4.0.022" # 2010-07-30 - 1.0.0 - Benson - Initial implementation. # 2010-08-19 - 1.0.1 - Benson - Supports obj_name field. # 2010-10-10 - 1.0.2 - MSG - Edited info lines # The name of the log format log.format.format_label = "Barracuda WAF Log Format" log.miscellaneous.log_data_type = "syslog_required" log.miscellaneous.log_format_type = "firewall" # The log is in this format if any of the first ten lines match this regular expression #2010-07-29 12:08:20 Local5.Alert 192.168.172.201 2010-07-29 12:08:26.674 +0800 Barracuda WF ALER CROSS_SITE_SCRIPTING_IN_PARAM 192.168.172.121 2129 192.168.172.202 80 security-policy GLOBAL DENY NONE [type="cross-site-scripting" pattern="script-tag" token=""] GET www.foobar.com.tw/123.asp?123=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 (.NET CLR 3.5.30729)" 192.168.172.121 2129 "-" "-" log.format.autodetect_regular_expression = " [^ ]+ WF " log.format.autodetect_lines = 2000 # All log field parsing will be done using the parsing filters log.format.parse_only_with_filters = "true" # Log fields log.fields = { # time_stamp = "" obj_name = "" log_type = "" # severity_level = "" attack_description = "" client_ip.type = "host" client_port = "" application_ip = "" application_port = "" rule_id = "" rule_type = "" action_taken = "" follow_up = "" attack_details = "" method = "" url = "" protocol = "" session_id = "" user_agent = "" proxy_ip = "" proxy_port = "" authenticated_user = "" referer = "" events = "" } # log.fields # Log Parsing Filters log.parsing_filters.parse = ` #2010-07-29 12:08:26.845 +0800 Barracuda WF ALER CROSS_SITE_SCRIPTING_IN_PARAM 192.168.172.121 2130 192.168.172.202 80 security-policy GLOBAL DENY NONE [type="cross-site-scripting" pattern="script-tag" token=""] GET www.foobar.com.tw/123.asp?123=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 (.NET CLR 3.5.30729)" 192.168.172.121 2130 "-" "-" if (matches_regular_expression(v.syslog_message, '([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([0-9.]+) ([0-9]+) ([0-9.]+) ([0-9]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) \\\\[([^]]+)\\\\] ([^ ]+) ([^ ]+) ([^ ]+) "([^"]+)" "([^"]+)" ([0-9.]+) ([0-9]+) "([^"]+)" "([^"]+)"')) then ( set_collected_field('', 'obj_name', $1); set_collected_field('', 'log_type', $2); # set_collected_field('', 'severity_level', $3); set_collected_field('', 'attack_description', $4); set_collected_field('', 'client_ip', $5); set_collected_field('', 'client_port', $6); set_collected_field('', 'application_ip', $7); set_collected_field('', 'application_port', $8); set_collected_field('', 'rule_id', $9); set_collected_field('', 'rule_type', $10); set_collected_field('', 'action_taken', $11); set_collected_field('', 'follow_up', $12); set_collected_field('', 'attack_details', $13); set_collected_field('', 'method', $14); set_collected_field('', 'url', $15); set_collected_field('', 'protocol', $16); set_collected_field('', 'session_id', $17); set_collected_field('', 'user_agent', $18); set_collected_field('', 'proxy_ip', $19); set_collected_field('', 'proxy_port', $20); set_collected_field('', 'authenticated_user', $21); set_collected_field('', 'referer', $22); set_collected_field('', 'events', 1); accept_collected_entry('', false); ); ` # Database fields database.fields = { # time_stamp = "" obj_name = "" log_type = "" # severity_level = "" attack_description = "" client_ip = "" client_port = "" location = "" application_ip = "" application_port = "" rule_id = "" rule_type = "" action_taken = "" follow_up = "" attack_details = "" method = "" url = "" protocol = "" session_id = "" user_agent = "" proxy_ip = "" proxy_port = "" authenticated_user = "" referer = "" } # database.fields database.numerical_fields = { events = { default = true } } # database.numerical_fields create_profile_wizard_options = { # How the reports should be grouped in the report menu report_groups = { } # report_groups } # create_profile_wizard_options date_time_group = "" report_groups = { obj_name = "" log_type = "" # severity_level = "" attack_description = "" client_ip = "" client_port = "" location = "" application_ip = "" application_port = "" rule_id = "" rule_type = "" action_taken = "" follow_up = "" attack_details = "" method = "" url = "" protocol = "" session_id = "" user_agent = "" proxy_ip = "" proxy_port = "" authenticated_user = "" referer = "" } # report_groups } # barracuda_waf