Barracuda Networks Web Application Firewall




McAfee Enterprise Security Manager Data Source Configuration Guide
Data Source: Barracuda Networks Web Application Firewall
January 30, 2015
Barracuda Networks Web Application Firewall Page 1 of 10

Important Note: The information contained in this document is confidential and proprietary. Please do not redistribute without permission.

Table of Contents
1 Introduction 4
2 Prerequisites 4
3 Specific Data Source Configuration Details 5
3.1 Barracuda Networks Web Application Firewall Configuration 5
3.2 McAfee Event Receiver Configuration 6
4 Data Source Event to McAfee Field Mappings 7
4.1 Log Formats 7
4.1 Log Samples 8
4.2 Mappings 9
5 Appendix A - Generic Syslog Configuration Details 10
6 Appendix B - Troubleshooting 10

1 Introduction

This guide details how to configure the Barracuda Networks Web Application Firewall to send syslog data in the proper format to the ESM.

2 Prerequisites

McAfee Enterprise Security Manager Version 9.1.0 and above.

In order to configure the Barracuda Networks Web Application Firewall syslog service, appropriate administrative-level access is required to perform the necessary changes documented below.

3 Specific Data Source Configuration Details

3.1 Barracuda Networks Web Application Firewall Configuration

1. In a web browser, log in to your Web Application Firewall device.
2. Go to the ADVANCED > Export Logs page.
3. In the Syslog section, click Add Syslog Server.
4. In the Add Syslog Server window, add the following values:
   - Name: A name for reference in the WAF.
   - IP Address: The IP address of your McAfee Event Receiver.
   - Port: The port number used for syslog on your McAfee Event Receiver (514 by default).
   - Connection Type: Most commonly UDP. This is used by default in the McAfee Event Receiver.
   - Validate Server Certificate: Select No.
   - Client Certificate: Not needed when Validate Server Certificate is set to No.
5. Click Add.

Note: The McAfee Event Receiver supports the default syslog logging format. Logs are not guaranteed to parse correctly if changes have been made to the logging format or if a custom or alternate logging format is used.

3.2 McAfee Event Receiver Configuration

After successfully logging into the McAfee ESM console, the data source will need to be added to a McAfee Event Receiver in the ESM hierarchy.

1. Select the Receiver you are applying the data source setting to.
2. Select the Receiver properties.
3. From the Receiver Properties listing, select Data Sources.
4. Select Add Data Source.

OR

1. Select the Receiver you are applying the data source setting to.
2. After selecting the Receiver, select the Add Data Source icon.

Data Source Screen Settings

1. Data Source Vendor: Barracuda Networks
2. Data Source Model: Web Application Firewall (ASP)
3. Data Format: Default
4. Data Retrieval: Default
5. Enabled (Parsing/Logging/SNMP Trap): Parsing
6. Name: Name of data source
7. IP Address/Hostname: The IP address and host name associated with the data source device.
8. Syslog Relay: None
9. Mask: 32
10. Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
11. Support Generic Syslogs: Do nothing
12. Time Zone: Time zone of data being sent.

Note: Refer to Appendix A for details on the Data Source Screen options.

4 Data Source Event to McAfee Field Mappings

4.1 Log Formats

System Logs:
Timestamp, Module Name, Log Level, Event ID, Message

Web Firewall Logs:
Timestamp, Unit Name, Log Type, Severity Level, Attack Description, Client IP, Client Port, Application IP, Application Port, Rule ID, Rule Type, Action Taken, Follow-up Action, Attack Details, Method, URL, Protocol, Session ID, User Agent, Proxy IP, Proxy Port, Authenticated User, Referrer, Attack ID, Attack Group

Access Logs:
Timestamp, Unit Name, Log Type, Application IP, Application Port, Client IP, Client Port, Login ID, Certificate User, Method, Protocol, Host, Version, HTTP Status, Bytes Sent, Bytes Received, Cache Hit, Time Taken, Server IP, Server Port, Server Time, Session ID, Response Type Field, Profile Matched Field, Protected Field, WF Matched Field, URL, Query, Referrer, Cookie, User Agent, Proxy IP, Proxy Port, Authenticated User, Custom Header 1, Custom Header 2, Custom Header 3

Audit Logs:
Timestamp, Unit Name, Log Type, Admin Name, Client Type, Login IP, Login Port, Transaction Type, Transaction ID, Command Name, Change Type, Object Type, Object Name, Variable, Old Value, New Value, Additional Data

Network Firewall Logs:
Unit Name, Timestamp, Log Type, Severity Level, Protocol, Source IP, Source Port, Destination IP, Destination Port, Action, ACL Name, Interface, ACL Details

4.1 Log Samples

System Log:
Feb 3 15:09:02 wsf STM: LB 5 00141 LookupServerCtx = 0xab0bb600

Web Firewall Log:
2010-02-03 01:49:09.077-0800 wafbox1 WF ALER SQL_INJECTION_IN_PARAM 4.3.2.1 39661 1.2.3.4 80 webapp1:deny_ban_dir GLOBAL LOG NONE [type="sql-injectionmedium" pattern="sql-quote" token="' or " Parameter="address" value="hi' or 1=1--"] POST 1.2.3.4/cgi-bin/process.cgi HTTP REQ-0+RES-0 "Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-us; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" 4.3.2.1 39661 User1 http://1.2.3.4/cgi-bin/1.pl 11956 ATTACK_CATEGORY_INJECTION

Access Log:
2010-02-02 21:16:59.914-0800 wafbox1 TR 1.2.3.4 80 4.3.2.1 37754 "-" "-" POST HTTP 1.2.3.4 HTTP/1.1 200 812 6401 0 230 4.3.2.1 80 0 SERVER DEFAULT PASSIVE VALID /cgi-bin/process.cgi "-" http://1.2.3.4/cgi-bin/1.pl ysgrid_firewall_loggrid=o%3acolumns%3da%253ao%25253aid%25253ds%2525253aiso_timestamp%25255ewidth%25253Dn%2525253A38%255Eo%252 "Mozilla/5.0 (X11; U; Linux i686 (x86_64);en-us; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" 4.3.2.1 37754 User2 enus,or;q=0.5 gzip,deflate ISO-8859-15,utf-8;q=0.7,*;q=0.7

Audit Log:
2010-02-02 21:08:53.861-0800 wafbox1 AUDIT User3 GUI 4.3.2.1 0 CONFIG 17 - SET web_firewall_policy default url_protection_max_upload_files "5" "6" "[]"

Network Firewall Log:
wafbox1 2013-05-21 03:28:23.494-0700 NF INFO TCP 5.6.7.8 52236 8.7.6.5 8000 DENY testacl MGMT/LAN/WAN interface traffic:deny policy TCP

4.2 Mappings

The table below shows the mappings between the data source and McAfee ESM fields.

Log Fields            McAfee ESM Fields
Timestamp             First Time, Last Time
Attack Description    Message
Client IP             Source IP
Client Port           Source Port
Application IP        Destination IP
Application Port      Destination Port
Rule ID               Signature_Name
Rule Type             Object
Attack Details        Message_Text
Method                Application
URL                   URL
Protocol              Protocol
User Agent            User_Agent
Referrer              Referrer
User                  Source Username
Bytes Sent            Bytes_Sent
Bytes Received        Bytes_Received
Cmd                   Command
HTTP status           Query_Response
Version               Application_Protocol
Device Type           Object
ACL Name              Policy_Name
Interface             Interface
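As an added example (not code from the McAfee guide or from Barracuda), the Python below parses the Web Firewall sample line from the Log Samples section into the field names given under Log Formats, then renames the fields per the Mappings table. The tokenizer and the function names are assumptions of this example; it keeps the quoted User Agent and the bracketed Attack Details intact as single fields, which a naive whitespace split would not.

```python
# Field order of a Web Firewall log line (section 4.1 Log Formats).
WF_FIELDS = ["Timestamp", "Unit Name", "Log Type", "Severity Level",
    "Attack Description", "Client IP", "Client Port", "Application IP",
    "Application Port", "Rule ID", "Rule Type", "Action Taken", "Follow-up Action",
    "Attack Details", "Method", "URL", "Protocol", "Session ID", "User Agent",
    "Proxy IP", "Proxy Port", "Authenticated User", "Referrer", "Attack ID", "Attack Group"]
# Section 4.2 mappings that apply to Web Firewall log fields.
WF_TO_ESM = {"Timestamp": "First Time, Last Time", "Attack Description": "Message",
    "Client IP": "Source IP", "Client Port": "Source Port",
    "Application IP": "Destination IP", "Application Port": "Destination Port",
    "Rule ID": "Signature_Name", "Rule Type": "Object", "Attack Details": "Message_Text",
    "Method": "Application", "URL": "URL", "Protocol": "Protocol",
    "User Agent": "User_Agent", "Referrer": "Referrer", "Authenticated User": "Source Username"}
# The Web Firewall sample line quoted in section 4.1 Log Samples.
SAMPLE = ('2010-02-03 01:49:09.077-0800 wafbox1 WF ALER SQL_INJECTION_IN_PARAM 4.3.2.1 '
    '39661 1.2.3.4 80 webapp1:deny_ban_dir GLOBAL LOG NONE [type="sql-injectionmedium" '
    'pattern="sql-quote" token="\' or " Parameter="address" value="hi\' or 1=1--"] POST '
    '1.2.3.4/cgi-bin/process.cgi HTTP REQ-0+RES-0 "Mozilla/5.0 (X11; U; Linux i686 '
    '(x86_64); en-us; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20" 4.3.2.1 39661 User1 '
    'http://1.2.3.4/cgi-bin/1.pl 11956 ATTACK_CATEGORY_INJECTION')

def tokenize(line):
    # Split on whitespace, but keep "quoted" fields and the [bracketed] Attack
    # Details (which contain spaces and quotes) as single tokens.
    tokens, i, n = [], 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
        elif line[i] == '"':                      # e.g. the User Agent field
            j = line.index('"', i + 1)            # ValueError if unterminated
            tokens.append(line[i + 1:j]); i = j + 1
        elif line[i] == '[':
            j, quoted = i + 1, False
            while j < n and (quoted or line[j] != ']'):
                quoted ^= line[j] == '"'; j += 1  # a ']' inside quotes does not close
            tokens.append(line[i:j + 1]); i = j + 1
        else:
            j = next((k for k in range(i, n) if line[k].isspace()), n)
            tokens.append(line[i:j]); i = j
    return tokens

def parse_wf_log(line):
    # The timestamp "YYYY-MM-DD HH:MM:SS.mmm-ZZZZ" spans two tokens; rejoin it.
    date, time, *rest = tokenize(line)
    values = [date + " " + time, *rest]
    if len(values) != len(WF_FIELDS):
        raise ValueError(f"expected {len(WF_FIELDS)} fields, got {len(values)}")
    return dict(zip(WF_FIELDS, values))

def to_esm(record):
    # Rename parsed fields to their McAfee ESM field names (section 4.2).
    return {WF_TO_ESM[k]: v for k, v in record.items() if k in WF_TO_ESM}
```

A line with a changed or custom log format fails the field-count check instead of silently shifting values into the wrong ESM fields, which is the failure mode the note in section 3.1 warns about.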

5 Appendix A - Generic Syslog Configuration Details

Once you select the option to add a data source, you are taken to the Add Data Source menu. The general options for adding a data source are shown. As you select different options, additional parameters may show. Each of these parameters will be examined in more detail.

1. Use System Profiles: System Profiles are a way to use settings that are repetitive in nature, without having to enter the information each time. An example is WMI credentials, which are necessary to retrieve Windows Event Logs if WMI is the chosen mechanism.
2. Data Source Vendor: List of all supported vendors.
3. Data Source Model: List of supported products for a vendor.
4. Data Format: Data Format is the format the data is in. Options are Default, CEF, and MEF. Note: If you choose CEF, it will enable the generic rule for CEF and may not parse data source-specific details.
5. Data Retrieval: Data Retrieval allows you to select how the Receiver is going to collect the data. Default is over syslog.
6. Enabled (Parsing/Logging/SNMP Trap): Enables parsing of the data source, logging of the data source, and reception of SNMP traps from the data source. If no option is checked, the settings are saved to the ESM but not written to the Receiver or utilized. Default is to select Parsing.
7. Name: This is the name that will appear in the Logical Device Groupings tree and the filter lists.
8. IP Address/Hostname: The IP address and host name associated with the data source device.
9. Syslog Relay: Syslog Relay allows data to be collected via relays and bucketed to the correct data source. Enable syslog relay on relay sources such as Syslog-NG.
10. Mask: Enables you to apply a mask to an IP address so that a range of IP addresses can be accepted.
11. Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
12. Support Generic Syslog: Generic Syslog allows users to select Parse generic syslog or Log unknown syslog event. Both these options will create an alert for an auto-learned syslog event if there is no parsing rule.
13. Time Zone: If syslog events are sent in a time zone other than GMT, you need to set the time zone of the data source so the date on the events can be set accordingly.
14. Interface: Opens the Receiver interface settings to associate ports with streams of information.
15. Advanced: Opens advanced settings for the data source.

6 Appendix B - Troubleshooting

If a data source is not receiving events, verify that the data source settings have been written out and that policy has been rolled out to the Receiver.

If you see errors saying events are being discarded because the Last Time value is more than one hour in the future, or the values are incorrect, you may need to adjust the Time Zone setting.