AppWall SIEM Integration Guide

Transcription

1 AppWall SIEM Integration Guide July 2012

2 TABLE OF CONTENTS 1 INTRODUCTION CONFIGURING APPWALL TO PUBLISH EVENTS SYSLOG EVENTS FORMAT OVERVIEW SECURITY EVENTS FORMAT INITIALIZATION EVENTS FORMAT SNMP EVENTS FORMAT OVERVIEW EVENTS FORMAT SIEM Integration Guide, AppWall Page 2

3 1 Introduction This document is designed to assist AppWall customers to integrate with SIEM (Security Information Event Management) solutions. The document describes AppWall event logs (messages and traps) format and the communication channels that can be interconnected to the SIEM collector to gather the events reported by AppWall. In AppWall there are several event types, each stored in a separated log: Security: an event log is generated for any security policy violation. In passive mode these events will indicate a violation which was allowed while in active mode the log will indicate that an attack was blocked. Initialization: for any AppWall sub-system which is being initialized during boot process there will be an event log indicating a successful initialization or a failure during the process. Administration: any administrative user operation will be logged with relevant user information. System: any abnormal system incident will be logged (e.g. AppWall cannot connect to the web server). Escalation: any scenario of security policy escalation or de-escalation will be logged. The device generates an event that includes the relevant information and stores it in the local event storage. Using the Publisher utility, AppWall can be configured to publish events to remote recipients: Syslog SNMP SMTP ( messages) can be sent to specified users. ODBC messages can be sent to configured external database OPSEC ELA messages can be sent to Checkpoint FW Additionally, AppWall can be configured to publish the events to APSolute Vision Reporter device where events can be correlated. SIEM Integration Guide, AppWall Page 3

4 2 Configuring AppWall to Publish Events AppWall Publisher utility is a daemon running on each AppWall device enabling publishing events to remote recipients. In order to publish events, the Publisher daemon must first be enabled. Next, you need to configure a Publishing Rule for the relevant Log Type. Escalation and the Security log rules will be configured under the Security Policies View in AppWall, while the other types are configured under the Configuration View. In the next images you can see where you add new publishing rules for the security events: Once clicked the add button, you will be presented with the next dialog box to configure your new rule. When configuring a Publishing rule, you can define range of Severity levels, which types of events to be published and to which remote recipient. In the next images you can see how you configure a security Publishing rule. SIEM Integration Guide, AppWall Page 4

5 SIEM Integration Guide, AppWall Page 5

6 3 Syslog Events Format 3.1 Overview Any Syslog message sent from AppWall will start with the next prefix: <41> (3) This prefix is a PRIVAL value for security message + alert severity, based on syslog RFC. 3.2 Security Events Format Name Description Size Limit Sample Value Date Date in month-day-year format Time Time in hour:minutes:seconds format 10 13:59:32 syslog type Type of syslog message. Value is always Syslog.Alert 16 Syslog.Alert mang-ip AppWall device Management IP address Server Name AppWall server name 40 David-Gateway Type Optional values: Security/Administration/System 20 Security Priority Optional values: Critical/High/Medium/Low/Lowest 20 High Resource The reporting resource (e.g. security filters, tunnels) 32 Filter Object The reporting object (e.g. Database security filter) 32 Database Web App AppWall web application name (in the security policy) 32 Hackme-app Tunnel AppWall tunnel name (in the configuration view) 32 Hackme-tunnel Host The host name, if was added/configured in the tunnel. In no 32 Any Host host was configured the value will be: Any Host App Path The Application Path in the relevant security policy 64 /aspx/ Source IP IP address of user who sent the request Source Port TCP port number of user connection who sent the request Title Event short description 64 SQL Injection URI user HTTP/S request URI Bank_V2_Website/aspx/testing/loginf SIEM Integration Guide, AppWall Page 6

7 older/login.aspx Role Web user role. If no web roles are defined and mapped to 32 Customers LDAP server, Public role will be used Web user The name of the user who logged in to the web application. A 32 jonathan name will be presented when either Authentication server was defined (LDAP, RADIUS) or when Successful login detection was configured. Trans ID HTTP/S unique transaction id Rule ID Database Security Filter Rule ID 20 S1SELA Param Name HTTP parameter name which triggered the security violation 32 page_id Param Value HTTP parameter value which triggered the security violation 64 SELECT * FROM tlb_users Param Type Type of parameter: Query / Path / Body URL Encoded 32 Body URL Encoded Is Passive Whether there was any action applied on the violating 20 False request or response or was it passive mode detection only Description Detailed description of the violation Database Security Filter intercepted a malicious request with a submitted parameter value, which includes a harmful expression. 3.3 Administration Events Format Name Description Size Limit Sample Value Date Date in month-day-year format Time Time in hour:minutes:seconds format 10 13:59:32 syslog type Type of syslog message. Value is always Syslog.Alert 16 Syslog.Alert mang-ip AppWall device Management IP address Server Name AppWall server name 40 David-Gateway Type Optional values: Security/Management/System 20 Management Priority Optional values: Critical/High/Medium/Low/Lowest 20 High Resource The reporting resource (e.g. Sub-system) 32 Sub Systems SIEM Integration Guide, AppWall Page 7

8 Object The reporting object (e.g. Administration, Resource Manager) 32 Administration Web App AppWall web application name (in the security policy) 32 Hackme-app Tunnel AppWall tunnel name (in the configuration view) 32 Hackme-tunnel Host The host name, if was added/configured in the tunnel. In no 32 Any Host host was configured the value will be: Any Host App Path The Application Path in the relevant security policy 64 /aspx/ Source IP Optional field: IP address of user who sent the request Title Event short description 64 SQL Injection Trans ID Is Passive Whether there was any action applied on the violating 20 False request or response or was it passive mode detection only Description Detailed description of the violation Database Security Filter intercepted a malicious request with a submitted parameter value, which includes a harmful expression. Username The name of the administrative AppWall user who performed the operation logged. 32 jonathan 3.4 System Events Format Name Description Size Limit Sample Value Date Date in month-day-year format Time Time in hour:minutes:seconds format 10 13:59:32 syslog type Type of syslog message. Value is always Syslog.Alert 16 Syslog.Alert mang-ip AppWall device Management IP address Server Name AppWall server name 40 David-Gateway Type Optional values: Security/Management/System 20 System Priority Optional values: Critical/High/Medium/Low/Lowest 20 Low Resource The reporting resource (e.g. Sub-system) 32 Sub Systems Object The reporting object (e.g. Cluster, Communication) 32 Communication SIEM Integration Guide, AppWall Page 8

9 Web App AppWall web application name (in the security policy) 32 Hackme-app Tunnel AppWall tunnel name (in the configuration view) 32 Hackme-tunnel Host The host name, if was added/configured in the tunnel. In no 32 Any Host host was configured the value will be: Any Host App Path The Application Path in the relevant security policy 64 /aspx/ Source IP Optional field: IP address of user who sent the request Title Event short description 64 SQL Injection Trans ID Is Passive Whether there was any action applied on the violating 20 False request or response or was it passive mode detection only Description Detailed description of the violation Database Security Filter intercepted a malicious request with a submitted parameter value, which includes a harmful expression. SIEM Integration Guide, AppWall Page 9

10 4 SNMP Events Format 4.1 Overview SNMP v1, v2c and v3 are supported for the purpose of sending SNMP traps. 4.2 Events Format Any Syslog message sent from AppWall will start with the next prefix: <41> (3) This prefix is a PRIVAL value for security message + alert severity, based on syslog RFC. Name Description Sample Value server Name AppWall server name David-Gateway eventid Event id, representing the specific event type 2458 reportingresource The reporting resource (e.g. security filters, tunnels) Filter reportingobject The reporting object (e.g. Database security filter) Database reporteresource The reported resource (e.g. Web Application) Web App reportedobject The reported object (e.g. Web Application name) Hackme-app eventdate Date in month-day-year format eventtime Time in hour:minutes:seconds format 13:59:32 eventdescription Detailed description of the violation Database Security Filter intercepted a malicious request with a submitted parameter value, which includes a harmful expression. eventtype Optional values: Security/Administration/System Security clientip IP address of user who sent the request user The name of the user who logged in to the web application. A name jonathan will be presented when either Authentication server was defined (LDAP, RADIUS) or when Successful login detection was configured. tunnel AppWall tunnel name (in the configuration view) Hackme-tunnel SIEM Integration Guide, AppWall Page 10

11 host The host name, if was added/configured in the tunnel. In no host Any Host was configured the value will be: Any Host vd The Application Path in the relevant security policy /aspx/ severity Optional values: Critical/High/Medium/Low/Lowest High mode Mode of operation: Passive or Active Passive eventtitle Event short description SQL Injection Param Name HTTP parameter name which triggered the security violation page_id Param Value HTTP parameter value which triggered the security violation SELECT * FROM tlb_users Param Type Type of parameter: Query / Path / Body URL Encoded Body URL Encoded Parameters HTTP request parameters page_id URI user HTTP/S request URI Bank_V2_Website/aspx/testing/loginf older/login.aspx Trans ID HTTP/S unique transaction id North America International Radware Inc. Radware Ltd. 575 Corporate Drive 22 Raoul Wallenberg St. Mahwah, NJ Tel Aviv 69710, Israel Tel: Tel: Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A SIEM Integration Guide, AppWall Page 11