AppWall 5.5.1 SIEM Integration Guide July 2012
TABLE OF CONTENTS
1 INTRODUCTION ... 3
2 CONFIGURING APPWALL TO PUBLISH EVENTS ... 4
3 SYSLOG EVENTS FORMAT ... 6
  3.1 OVERVIEW ... 6
  3.2 SECURITY EVENTS FORMAT ... 6
  3.3 ADMINISTRATION EVENTS FORMAT ... 7
  3.4 SYSTEM EVENTS FORMAT ... 8
4 SNMP EVENTS FORMAT ... 10
  4.1 OVERVIEW ... 10
  4.2 EVENTS FORMAT ... 10
1 Introduction

This document is intended to help AppWall customers integrate the product with SIEM (Security Information and Event Management) solutions. It describes the format of AppWall event logs (syslog messages and SNMP traps) and the communication channels that a SIEM collector can use to gather the events AppWall reports.

AppWall generates several event types, each stored in a separate log:

- Security: an event is generated for every security policy violation. In passive mode the event records a violation that was allowed through; in active mode it records an attack that was blocked.
- Initialization: every AppWall sub-system initialized during the boot process produces an event indicating either successful initialization or a failure.
- Administration: every administrative user operation is logged together with the relevant user information.
- System: every abnormal system incident is logged (for example, AppWall cannot connect to the web server).
- Escalation: every security policy escalation or de-escalation is logged.

The device generates an event containing the relevant information and stores it in the local event storage. Using the Publisher utility, AppWall can be configured to publish events to remote recipients:

- Syslog
- SNMP
- SMTP: e-mail messages sent to specified users
- ODBC: messages written to a configured external database
- OPSEC ELA: messages sent to a Check Point firewall

Additionally, AppWall can be configured to publish events to an APSolute Vision Reporter device, where events can be correlated.
2 Configuring AppWall to Publish Events

The AppWall Publisher utility is a daemon running on each AppWall device that publishes events to remote recipients. To publish events, first enable the Publisher daemon, then configure a Publishing Rule for the relevant log type. Rules for the Escalation and Security logs are configured under the Security Policies view in AppWall; rules for the other log types are configured under the Configuration view.

The following images show where new publishing rules for security events are added. Clicking the Add button opens a dialog box for configuring the new rule. A Publishing Rule defines the range of severity levels to publish, which event types are included, and the remote recipient that receives them. The following images show how a security Publishing Rule is configured.
3 Syslog Events Format

3.1 Overview

Every syslog message sent from AppWall starts with the prefix <41>. This is the syslog PRI value, which RFC 3164 defines as facility x 8 + severity: 41 = 5 x 8 + 1, that is facility 5 with severity 1 (Alert). Note that the RFC 3164 facility table lists facility 5 as "messages generated internally by syslogd" rather than as one of the security/authorization facilities (4 and 10), so a SIEM parser should match on the literal <41> prefix instead of relying on a facility name.

3.2 Security Events Format

Fields appear in the following order. Columns: Name | Description | Size limit | Sample value

Date | Date in month-day-year format | 12 | 05-14-2012
Time | Time in hour:minutes:seconds format | 10 | 13:59:32
syslog type | Type of syslog message. The value is always Syslog.Alert | 16 | Syslog.Alert
mang-ip | AppWall device management IP address | 25 | 10.200.1.1
Server Name | AppWall server name | 40 | David-Gateway
Type | Possible values: Security/Administration/System | 20 | Security
Priority | Possible values: Critical/High/Medium/Low/Lowest | 20 | High
Resource | The reporting resource (e.g. security filters, tunnels) | 32 | Filter
Object | The reporting object (e.g. Database security filter) | 32 | Database
Web App | AppWall web application name (in the security policy) | 32 | Hackme-app
Tunnel | AppWall tunnel name (in the Configuration view) | 32 | Hackme-tunnel
Host | The host name, if one was configured in the tunnel. If no host was configured the value is Any Host | 32 | Any Host
App Path | The Application Path in the relevant security policy | 64 | /aspx/
Source IP | IP address of the user who sent the request | 25 | 172.75.3.9
Source Port | TCP port number of the connection of the user who sent the request | 10 | 32161
Title | Short description of the event | 64 | SQL Injection
URI | The user's HTTP/S request URI | 120 | http://www.hacmebank.com/hacmeBank_V2_Website/aspx/testing/loginfolder/login.aspx
Role | Web user role. If no web roles are defined and mapped to an LDAP server, the Public role is used | 32 | Customers
Web user | The name of the user who logged in to the web application. A name is present only when an authentication server (LDAP, RADIUS) is defined or Successful Login Detection is configured | 32 | jonathan
Trans ID | Unique HTTP/S transaction ID | 32 | 704748937
Rule ID | Database Security Filter rule ID | 20 | S1SELA
Param Name | HTTP parameter name that triggered the security violation | 32 | page_id
Param Value | HTTP parameter value that triggered the security violation | 64 | SELECT * FROM tlb_users
Param Type | Type of parameter: Query / Path / Body URL Encoded | 32 | Body URL Encoded
Is Passive | Whether any action was applied to the violating request or response (False) or the violation was only detected in passive mode (True) | 20 | False
Description | Detailed description of the violation | 172-570 | Database Security Filter intercepted a malicious request with a submitted parameter value, which includes a harmful expression.

3.3 Administration Events Format

Columns: Name | Description | Size limit | Sample value

Date | Date in month-day-year format | 12 | 05-14-2012
Time | Time in hour:minutes:seconds format | 10 | 13:59:32
syslog type | Type of syslog message. The value is always Syslog.Alert | 16 | Syslog.Alert
mang-ip | AppWall device management IP address | 25 | 10.200.1.1
Server Name | AppWall server name | 40 | David-Gateway
Type | Possible values: Security/Management/System | 20 | Management
Priority | Possible values: Critical/High/Medium/Low/Lowest | 20 | High
Resource | The reporting resource (e.g. Sub-system) | 32 | Sub Systems
Object | The reporting object (e.g. Administration, Resource Manager) | 32 | Administration
Web App | AppWall web application name (in the security policy) | 32 | Hackme-app
Tunnel | AppWall tunnel name (in the Configuration view) | 32 | Hackme-tunnel
Host | The host name, if one was configured in the tunnel. If no host was configured the value is Any Host | 32 | Any Host
App Path | The Application Path in the relevant security policy | 64 | /aspx/
Source IP | Optional field: IP address of the user who sent the request | 25 | 172.75.3.9
Title | Short description of the event | 64 | SQL Injection
Trans ID | | |
Is Passive | Whether any action was applied to the violating request or response (False) or the violation was only detected in passive mode (True) | 20 | False
Description | Detailed description of the violation | 172-570 | Database Security Filter intercepted a malicious request with a submitted parameter value, which includes a harmful expression.
Username | The name of the administrative AppWall user who performed the logged operation | 32 | jonathan

3.4 System Events Format

Columns: Name | Description | Size limit | Sample value

Date | Date in month-day-year format | 12 | 05-14-2012
Time | Time in hour:minutes:seconds format | 10 | 13:59:32
syslog type | Type of syslog message. The value is always Syslog.Alert | 16 | Syslog.Alert
mang-ip | AppWall device management IP address | 25 | 10.200.1.1
Server Name | AppWall server name | 40 | David-Gateway
Type | Possible values: Security/Management/System | 20 | System
Priority | Possible values: Critical/High/Medium/Low/Lowest | 20 | Low
Resource | The reporting resource (e.g. Sub-system) | 32 | Sub Systems
Object | The reporting object (e.g. Cluster, Communication) | 32 | Communication
Web App | AppWall web application name (in the security policy) | 32 | Hackme-app
Tunnel | AppWall tunnel name (in the Configuration view) | 32 | Hackme-tunnel
Host | The host name, if one was configured in the tunnel. If no host was configured the value is Any Host | 32 | Any Host
App Path | The Application Path in the relevant security policy | 64 | /aspx/
Source IP | Optional field: IP address of the user who sent the request | 25 | 172.75.3.9
Title | Short description of the event | 64 | SQL Injection
Trans ID | | |
Is Passive | Whether any action was applied to the violating request or response (False) or the violation was only detected in passive mode (True) | 20 | False
Description | Detailed description of the violation | 172-570 | Database Security Filter intercepted a malicious request with a submitted parameter value, which includes a harmful expression.
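The following parser is an added example for section 3.2, not Radware code. It takes the field order, size limits and closed value sets from the security events table and decodes the <41> PRI prefix as facility x 8 + severity. The guide does not state the separator between fields, so the comma delimiter, and the sample line built from the table's sample values, are assumptions to be checked against a real capture from your own device; if the separator differs, only DELIM changes. The example also shows the two checks a SIEM normalizer should keep: field values that exceed the documented size limit, and enumerated fields (syslog type, Type, Priority, Param Type, Is Passive) that hold an unexpected value, which is how a stray delimiter inside Param Value shows up as a misaligned event rather than a silently wrong one.

```python
"""Parser for AppWall 5.5.1 syslog security events (added example, not
Radware code). Field order and size limits come from section 3.2 of the
guide; the comma delimiter and the sample line are assumptions."""
import re

# RFC 3164 severity names; list index equals the numeric severity code.
SEVERITY_NAMES = ("Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug")

# (field, size limit) in the order given by the security events table.
# The description limit is the upper bound of the documented 172-570 range.
SECURITY_FIELDS = [
    ("date", 12), ("time", 10), ("syslog_type", 16), ("mang_ip", 25),
    ("server_name", 40), ("type", 20), ("priority", 20), ("resource", 32),
    ("object", 32), ("web_app", 32), ("tunnel", 32), ("host", 32),
    ("app_path", 64), ("source_ip", 25), ("source_port", 10), ("title", 64),
    ("uri", 120), ("role", 32), ("web_user", 32), ("trans_id", 32),
    ("rule_id", 20), ("param_name", 32), ("param_value", 64),
    ("param_type", 32), ("is_passive", 20), ("description", 570),
]

# Closed value sets from the table; used to detect misaligned fields.
ENUMS = {
    "syslog_type": {"Syslog.Alert"},
    "type": {"Security", "Administration", "System"},
    "priority": {"Critical", "High", "Medium", "Low", "Lowest"},
    "param_type": {"Query", "Path", "Body URL Encoded"},
    "is_passive": {"True", "False"},
}

DELIM = ","  # ASSUMPTION: the guide does not state the field separator
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(prival):
    """Split a syslog PRIVAL into (facility, severity): PRI = facility*8 + severity."""
    if not 0 <= prival <= 191:
        raise ValueError("PRIVAL out of range: %d" % prival)
    return divmod(prival, 8)


def parse_security_event(line):
    """Return a dict of named fields plus decoded PRI, size and enum checks."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix")
    facility, severity = decode_pri(int(m.group(1)))
    body = line[m.end():].strip()
    # Split on at most len-1 separators so commas inside the free-text
    # description (the last field) stay part of the description.
    parts = [p.strip() for p in body.split(DELIM, len(SECURITY_FIELDS) - 1)]
    if len(parts) != len(SECURITY_FIELDS):
        raise ValueError("expected %d fields, got %d"
                         % (len(SECURITY_FIELDS), len(parts)))
    event = {"facility": facility, "severity": severity,
             "severity_name": SEVERITY_NAMES[severity]}
    oversize, anomalies = [], []
    for (name, limit), value in zip(SECURITY_FIELDS, parts):
        event[name] = value
        if len(value) > limit:
            oversize.append(name)
        if name in ENUMS and value not in ENUMS[name]:
            anomalies.append("%s=%r" % (name, value))
    event["oversize_fields"] = oversize
    event["anomalies"] = anomalies
    # Is Passive == False means AppWall acted on the request (active mode).
    event["blocked"] = event["is_passive"] == "False"
    return event


# Constructed sample line built from the table's sample values (not a
# real AppWall capture); note the comma inside the description.
SAMPLE_LINE = (
    "<41>05-14-2012,13:59:32,Syslog.Alert,10.200.1.1,David-Gateway,"
    "Security,High,Filter,Database,Hackme-app,Hackme-tunnel,Any Host,"
    "/aspx/,172.75.3.9,32161,SQL Injection,"
    "http://www.hacmebank.com/hacmeBank_V2_Website/aspx/testing/"
    "loginfolder/login.aspx,Customers,jonathan,704748937,S1SELA,"
    "page_id,SELECT * FROM tlb_users,Body URL Encoded,False,"
    "Database Security Filter intercepted a malicious request with a "
    "submitted parameter value, which includes a harmful expression."
)

if __name__ == "__main__":
    ev = parse_security_event(SAMPLE_LINE)
    print(ev["severity_name"], ev["title"], "blocked=%s" % ev["blocked"])
    print("anomalies:", ev["anomalies"], "oversize:", ev["oversize_fields"])
```

A parameter value such as SELECT 1,2 FROM tlb_users shifts every following field by one under a comma delimiter; the enum check then reports param_type and is_passive as anomalies, which is the signal to quarantine the event for manual review rather than index it as a clean Security event.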
4 SNMP Events Format

4.1 Overview

SNMP v1, v2c and v3 are supported for sending SNMP traps. Because v1 and v2c traps are unauthenticated and carry the community string in clear text, prefer SNMPv3 with authentication and privacy when the trap path crosses an untrusted network.

4.2 Events Format

Columns: Name | Description | Sample value

server Name | AppWall server name | David-Gateway
eventid | Event ID, representing the specific event type | 2458
reportingresource | The reporting resource (e.g. security filters, tunnels) | Filter
reportingobject | The reporting object (e.g. Database security filter) | Database
reporteresource | The reported resource (e.g. Web Application) | Web App
reportedobject | The reported object (e.g. Web Application name) | Hackme-app
eventdate | Date in month-day-year format | 05-14-2012
eventtime | Time in hour:minutes:seconds format | 13:59:32
eventdescription | Detailed description of the violation | Database Security Filter intercepted a malicious request with a submitted parameter value, which includes a harmful expression.
eventtype | Possible values: Security/Administration/System | Security
clientip | IP address of the user who sent the request | 172.75.3.9
user | The name of the user who logged in to the web application. A name is present only when an authentication server (LDAP, RADIUS) is defined or Successful Login Detection is configured | jonathan
tunnel | AppWall tunnel name (in the Configuration view) | Hackme-tunnel
host | The host name, if one was configured in the tunnel. If no host was configured the value is Any Host | Any Host
vd | The Application Path in the relevant security policy | /aspx/
severity | Possible values: Critical/High/Medium/Low/Lowest | High
mode | Mode of operation: Passive or Active | Passive
eventtitle | Short description of the event | SQL Injection
Param Name | HTTP parameter name that triggered the security violation | page_id
Param Value | HTTP parameter value that triggered the security violation | SELECT * FROM tlb_users
Param Type | Type of parameter: Query / Path / Body URL Encoded | Body URL Encoded
Parameters | HTTP request parameters | page_id
URI | The user's HTTP/S request URI | http://www.hacmebank.com/hacmeBank_V2_Website/aspx/testing/loginfolder/login.aspx
Trans ID | Unique HTTP/S transaction ID | 704748937

North America: Radware Inc., 575 Corporate Drive, Mahwah, NJ 07430. Tel: +1-888-234-5763
International: Radware Ltd., 22 Raoul Wallenberg St., Tel Aviv 69710, Israel. Tel: +972 3 766 8666

2012 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A.