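# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for F5 Networks Application Security Manager (ASM)
# "[SECEV] Request violations" syslog lines. Every value stored by this plugin
# (violation names, addresses, ports, request, username, session id) is copied
# verbatim from the log line, and the request/username/xff parts of that line
# originate from the HTTP client being inspected -- treat them as untrusted text
# wherever reports render them.
f5_waf = {
  plugin_version = "1.1"
  info.1.manufacturer = "F5 Networks"
  info.1.device = "Application Security Manager"
  info.1.version.1 = "10.1.0"
  # 2012-08-10 - 1.0 - Benson - Initial implementation.
  # 2012-11-01 - 1.1 - Benson - Add support for parsing request field.
  # 1.1 (review) - xff[_| ]ip tightened to xff[_ ]ip; raw request kept when the
  #                method/url/version split fails.

  # The name of the log format
  log.format.format_label = "F5 Networks Application Security Manager Log Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first 200 lines match this regular expression
  # Sample lines (addresses/ids as found on the page). Note that the first sample
  # writes "xff ip" and the second "xff_ip", and that geographic location, request
  # and username appear bare here while the parsing regex below expects <...>.
  #Aug 2 06:41:28 bigip err dcc[7635]: 01310039:3: [SECEV] Request violations: Attack signature detected. HTTP protocol compliance sub violations: N/A. Evasion techniques sub violations: N/A. Web services security sub violations: N/A. Virus name: N/A. Support id: 8306336853480578956, source ip: 192.168.24.77, xff ip: N/A, source port: 1199, destination ip: 111.22.33.44, destination port: 80, route_domain: 1, HTTP classifier: /Common/VS_111.22.33.44, scheme HTTP, geographic location: , request: , username: , session_id: 
  #Aug 2 06:19:10 bigip info dcc[7635]: 01310055:6: [SECEV] Request violations: Illegal HTTP status in response. HTTP protocol compliance sub violations: N/A. Evasion techniques sub violations: N/A. Web services security sub violations: N/A. Virus name: N/A. Support id: 8306336853480578592, source ip: 42.74.100.79, xff_ip: N/A, source port: 49623, destination ip: 111.22.33.45, destination port: 80, route_domain: 1, HTTP classifier: /Common/VS_111.22.33.45, scheme HTTP, geographic location: , request: , username: , session_id: <83969be5a074fcd7>
  log.format.autodetect_regular_expression = " \\[SECEV\\] Request violations:"
  log.format.autodetect_lines = 200

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    request_violations = ""
    http_protocol_compliance_sub_violations = ""
    evasion_techniques_sub_violations = ""
    web_services_security_sub_violations = ""
    virus_name = ""
    # support_id is captured by the regex ($6) but intentionally not stored;
    # it is the identifier ASM prints for correlating an event with the device.
    # Re-enable here, in database.fields and in the filter together if needed.
    #support_id = ""
    source_ip.type = "host"
    # xff_ip is taken from the log line as-is; presumably an X-Forwarded-For
    # value, i.e. client/proxy supplied -- source_ip is the observed peer.
    xff_ip = ""
    source_port = ""
    destination_ip = ""
    destination_port = ""
    route_domain = ""
    http_classifier = ""
    scheme = ""
    geographic_location = ""
    # operation/url/protocol/http_version are split out of the request field
    # by the second regex in the parsing filter; request then holds the rest.
    operation = ""
    url = ""
    protocol = ""
    http_version = ""
    request = ""
    username = ""
    session_id = ""
    events = ""
  } # log.fields

  # Log Parsing Filters
  # A [SECEV] line is only accepted when the whole regex matches; anything
  # else yields no database entry. Coverage limits visible in the pattern:
  # source/destination ip admit dotted IPv4 only ([0-9.]+), and the last four
  # fields must be enclosed in <...>, whereas the sample lines above show the
  # first three bare -- TODO confirm against live ASM output.
  log.parsing_filters.parse = `
if (matches_regular_expression(v.syslog_message, '\\[SECEV\\] Request violations: ([^.]*). HTTP protocol compliance sub violations: ([^.]*). Evasion techniques sub violations: ([^.]*). Web services security sub violations: ([^.]*). Virus name: ([^.]*). Support id: ([0-9]+), source ip: ([0-9.]+), xff[_ ]ip: ([^,]*), source port: ([0-9]*), destination ip: ([0-9.]+), destination port: ([0-9]+), route_domain: ([^,]*), HTTP classifier: ([^,]*), scheme ([^,]+), geographic location: <([^>]*)>, request: <([^>]*)>, username: <([^>]*)>, session_id: <([^>]*)>$')) then (
  set_collected_field('', 'request_violations', $1);
  set_collected_field('', 'http_protocol_compliance_sub_violations', $2);
  set_collected_field('', 'evasion_techniques_sub_violations', $3);
  set_collected_field('', 'web_services_security_sub_violations', $4);
  set_collected_field('', 'virus_name', $5);
  # $6 (support id) is deliberately not stored; see log.fields.
  #set_collected_field('', 'support_id', $6);
  set_collected_field('', 'source_ip', $7);
  # The samples write both xff ip and xff_ip, hence the class [_ ]. Inside a
  # character class a vertical bar is a literal, so the earlier [_| ] also
  # accepted a bar between xff and ip, which was never intended.
  set_collected_field('', 'xff_ip', $8);
  set_collected_field('', 'source_port', $9);
  set_collected_field('', 'destination_ip', $10);
  set_collected_field('', 'destination_port', $11);
  set_collected_field('', 'route_domain', $12);
  set_collected_field('', 'http_classifier', $13);
  set_collected_field('', 'scheme', $14);
  set_collected_field('', 'geographic_location', $15);
  #set_collected_field('', 'request', $16);
  v.request = $16;
  # ASM appears to escape line breaks in the logged request as the literal
  # characters backslash-r backslash-n; flatten those to spaces before splitting.
  v.request = replace_all(v.request, '\\\\r\\\\n', ' ');
  # Keep the raw request by default so a request that does not look like
  # METHOD url PROTO/version rest (malformed, evasive or empty -- exactly the
  # ones a WAF flags) is not lost; the split below overrides this when it matches.
  set_collected_field('', 'request', v.request);
  if (matches_regular_expression(v.request, '^([A-Z]+) ([^ ]+) ([A-Z]+)/([0-9.]+) (.*)$')) then (
    set_collected_field('', 'operation', $1);
    set_collected_field('', 'url', $2);
    set_collected_field('', 'protocol', $3);
    set_collected_field('', 'http_version', $4);
    # $5 is everything after the request line (headers/body as logged).
    set_collected_field('', 'request', $5);
  );
  set_collected_field('', 'username', $17);
  set_collected_field('', 'session_id', $18);
  set_collected_field('', 'events', 1);
  accept_collected_entry('', false);
);
`

  # Database fields
  database.fields = {
    request_violations = ""
    http_protocol_compliance_sub_violations = ""
    evasion_techniques_sub_violations = ""
    web_services_security_sub_violations = ""
    virus_name = ""
    #support_id = ""
    source_ip = ""
    # location has no log field of its own; presumably derived from source_ip
    # (declared type "host" above) -- confirm in the Sawmill geolocation setup.
    location = ""
    xff_ip = ""
    source_port = ""
    destination_ip = ""
    destination_port = ""
    route_domain = ""
    http_classifier = ""
    scheme = ""
    geographic_location = ""
    operation = ""
    url = ""
    protocol = ""
    http_version = ""
    request = ""
    username = ""
    session_id = ""
  } # database.fields

  database.numerical_fields = {
    # One event per accepted [SECEV] line (set to 1 in the parsing filter).
    events = {
      default = true
    }
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      web_security_group = {
        request_violations = true
        http_protocol_compliance_sub_violations = true
        evasion_techniques_sub_violations = true
        web_services_security_sub_violations = true
        virus_name = true
      } # web_security_group
      source_group = {
        source_ip = true
        source_port = true
        location = true
        xff_ip = true
        username = true
      } # source_group
      destination_group = {
        destination_ip = true
        destination_port = true
        route_domain = true
      } # destination_group
      other_group = {
        http_classifier = true
        scheme = true
        geographic_location = true
        request = true
        session_id = true
      } # other_group
    } # report_groups
  } # create_profile_wizard_options
} # f5_waf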