Integrate Barracuda Email Security Gateway

EventTracker v9.x and above

Publication Date: December 5, 2019


Abstract

This guide provides instructions to retrieve Barracuda Email Security Gateway event logs and integrate them with EventTracker. Once EventTracker is configured to collect and parse these logs, dashboards and reports can be configured to monitor the Barracuda Email Security Gateway.

Audience

The configurations detailed in this guide are consistent with EventTracker version v9.x or above and Barracuda Email Security Gateway VX600 or above.

The information contained in this document represents the current view of Netsurion on the issues discussed as of the date of publication. Because Netsurion must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Netsurion, and Netsurion cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Netsurion MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Netsurion, if its content is unaltered, nothing is added to the content and credit to Netsurion is provided.

Netsurion may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Netsurion, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2019 Netsurion. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Table of Contents

1. Overview
2. Prerequisites
3. Configuring Barracuda Email Security Gateway to EventTracker
   3.1 Barracuda Action Codes
   3.2 Barracuda Reason Codes
4. EventTracker Knowledge Pack
   4.1 Flex Reports
   4.2 Alerts
   4.3 Saved Search
   4.4 Dashboards
5. Importing Barracuda Email Security Gateway knowledge pack into EventTracker
   5.1 Alerts
   5.2 Token Template
   5.3 Knowledge Object
   5.4 Flex Reports
   5.5 Dashboard
6. Verifying Barracuda Email Security Gateway knowledge pack in EventTracker
   6.1 Token Template
   6.2 Knowledge Object
   6.3 Flex Reports
   6.4 Dashboard


1. Overview

The Barracuda Email Security Gateway is an integrated hardware and software solution designed to protect your email server from spam, virus, spoofing, phishing and spyware attacks. Outbound filtering and encryption options also provide Data Leakage Prevention (DLP). The optional cloud protection layer (CPL) shields email servers from inbound malware and DoS attacks while filtering out normal spam before it ever touches the network’s perimeter.

2. Prerequisites

• EventTracker v9.x should be installed.

• Barracuda Email Security Gateway VX600 or above should be installed and configured.

• An exception should be added to the Windows Firewall on the EventTracker machine for Syslog port 514.

3. Configuring Barracuda Email Security Gateway to EventTracker

1. Log in to the Barracuda Web Filter web interface.

2. Select Advanced > Advanced Networking.

3. In the Syslog Configuration section, specify the IP address of the EventTracker in the Mail Syslog and Web Interface Syslog fields.

4. Enter port 514 and select UDP protocol.

Figure 1

5. Click Add and save. The Syslog configuration is complete.


3.1 Barracuda Action Codes

RECV and SCAN Services

ID   Meaning
0    Allowed Message
1    Aborted Message
2    Blocked Message
3    Quarantined Message
4    Tagged Message
5    Deferred Message
6    Per-User Quarantined Message
7    Whitelisted Message
8    Encrypted Message
9    Redirected Message
10   Attachments Stubbed*

SEND Services

ID   Meaning
1    Delivered Message
2    Rejected Message
3    Deferred Message
4    Expired Message

3.2 Barracuda Reason Codes

RECV and SCAN Services

ID   Meaning
1    Virus
2    Banned Attachment
3    RBL Match
4    Rate Control
5    Too Many Messages in Session
6    Timeout Exceeded
7    No Such Domain
8    No Such User
9    Subject Filter Match
11   Client IP
12   Recipient Address
13   No Valid Recipients
14   Domain Not Found
15   Sender Address
17   Need Fully Qualified Recipient
18   Need Fully Qualified Sender
19   Unsupported Command
20   MAIL FROM Syntax Error
21   Bad Address Syntax
22   RCPT TO Syntax Error
23   Send EHLO/HELO First
24   Need MAIL Command
25   Nested MAIL Command
27   EHLO/HELO Syntax Error
30   Mail Protocol Violation
31   Score
34   Header Filter Match
35   Sender Block/Accept
36   Recipient Block/Accept
37   Body Filter Match
38   Message Size Bypass
39   Intention Analysis Match
40   SPF/Caller-ID
41   Client Host Rejected
44   Authentication Not Enabled
45   Allowed Message Size Exceeded
46   Too Many Recipients
47   Need RCPT Command
48   DATA Syntax Error
49   Internal Error
50   Too Many Hops
51   Mail Protocol Error
55   Invalid Parameter Syntax
56   STARTTLS Syntax Error
57   TLS Already Active
58   Too Many Errors
59   Need STARTTLS First
60   Spam Fingerprint Found
61   Barracuda Reputation Whitelist
62   Barracuda Reputation Blocklist
63   DomainKeys
64   Recipient Verification Unavailable
65   Realtime Intent
66   Client Reverse DNS
67   Email Registry
68   Invalid Bounce
69   Intent - Adult
70   Intent - Political
71   Multi-Level Intent
72   Attachment Limit Exceeded
73   System Busy
74   BRTS Intent
75   Per-Domain Recipient
76   Per-Domain Sender
77   Per-Domain Client IP
78   Sender Spoofed
79   Attachment Content
80   Outlook Add-in
82   Barracuda IP/Domain Reputation
83   Authentication Failure
85   Attachment Size
86   Virus detected by Extended Malware Protection **
87   Extended Malware Protection engine is busy **
88   A message was categorized for Email Category **
89   Macro Blocked *

* Applies to version 8.0.1 and higher
** Applies to version 6.1 and higher
*** With version 7.1.1, no longer used
**** Applies to version 7.1.1.002 and higher
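
The following is an added example, not part of the original guide or of the EventTracker Knowledge Pack: it decodes the numeric action and reason IDs from sections 3.1 and 3.2, selecting the action table by service because the same ID means different things for RECV/SCAN and for SEND. The syslog field layout and the sample lines are assumptions constructed for illustration (the guide shows its log sample only as a figure), and the reason table is a subset.

```python
import re

# Section 3.1: the same action ID means different things per service.
RECV_SCAN_ACTIONS = {
    0: "Allowed Message", 1: "Aborted Message", 2: "Blocked Message",
    3: "Quarantined Message", 4: "Tagged Message", 5: "Deferred Message",
    6: "Per-User Quarantined Message", 7: "Whitelisted Message",
    8: "Encrypted Message", 9: "Redirected Message", 10: "Attachments Stubbed",
}
SEND_ACTIONS = {1: "Delivered Message", 2: "Rejected Message",
                3: "Deferred Message", 4: "Expired Message"}
# Subset of the section 3.2 reason codes (they apply to RECV and SCAN only).
REASONS = {1: "Virus", 60: "Spam Fingerprint Found", 78: "Sender Spoofed",
           62: "Barracuda Reputation Blocklist", 83: "Authentication Failure",
           86: "Virus detected by Extended Malware Protection"}

# ASSUMED layout (verify on your appliance): client msg_id start end SERVICE info
#   RECV info: sender recipient action reason reason_extra
#   SCAN info: enc sender recipient score action reason reason_extra SUBJ:subject
#   SEND info: enc action queue_id response
BODY = re.compile(r": (\S+) (\S+) (\d+) (\d+) (RECV|SCAN|SEND) (.*)$")
POSITIONS = {"RECV": (0, 1, 2, 3), "SCAN": (1, 2, 4, 5)}  # sender, rcpt, action, reason

def decode(line):
    """Decode one mail syslog line; return None if it does not parse."""
    m = BODY.search(line)
    if not m:
        return None
    client, msg_id, _start, _end, service, info = m.groups()
    head, _, subject = info.partition(" SUBJ:")
    f = head.split()
    rec = {"service": service, "client": client, "message_id": msg_id}
    try:
        if service == "SEND":
            code = int(f[1])
            rec["action"] = SEND_ACTIONS.get(code, f"unknown ({code})")
            return rec
        s, r, a, why = POSITIONS[service]
        code = int(f[a])
        reason = int(f[why]) if f[why].isdigit() else None
        rec.update(sender=f[s], recipient=f[r])
    except (IndexError, ValueError):
        return None  # truncated or malformed line
    rec["action"] = RECV_SCAN_ACTIONS.get(code, f"unknown ({code})")
    rec["reason"] = REASONS.get(reason, f"code {reason}")
    rec["virus"] = reason in (1, 86)  # the two virus reason codes in section 3.2
    if service == "SCAN":
        rec["subject"] = subject
    return rec

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LINES = [
    "Dec  5 10:00:01 esg1 inbound/pass1[4021]: mail.example.net[203.0.113.7] "
    "1575540001-0a1b2c3d0001-AbCdEf 1575540001 1575540002 RECV "
    "alice@example.net bob@example.com 2 62 203.0.113.7",
    "Dec  5 10:00:05 esg1 scan[4100]: mail.example.org[198.51.100.9] "
    "1575540005-0a1b2c3d0002-GhIjKl 1575540005 1575540007 SCAN - carol@example.org "
    "bob@example.com 0.00 2 1 Eicar-Test-Signature SUBJ:Invoice attached",
    "Dec  5 10:00:09 esg1 outbound/smtp[4200]: 127.0.0.1 "
    "1575540009-0a1b2c3d0003-MnOpQr 0 0 SEND - 1 A1B2C3D4E5 250 2.0.0 Ok",
]

if __name__ == "__main__":
    print(*map(decode, SAMPLE_LINES), sep="\n")
```
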

4. EventTracker Knowledge Pack

Once logs are received by the EventTracker manager, Knowledge Packs can be configured into EventTracker.

The following Knowledge Packs are available in EventTracker to support Barracuda Email Security Gateway.

4.1 Flex Reports

• Barracuda ESG – Virus detection in emails: This report provides information about viruses found in email attachments, along with the action taken on the virus and the sender and receiver of the email.


Sample Report

Figure 2

Log sample

Figure 3

• Barracuda ESG – Action taken on malicious emails: This report provides information related to the action taken by the Barracuda Email Security Gateway on viruses found in email attachments, spam emails, or authentication failures. This report also provides detailed information about the email sender address, recipient address, hostname and source IP address.


Sample Report

Figure 4

Log sample

Figure 5

• Barracuda ESG - Email Traffic details: This report provides detailed information on inbound, outbound, email scan and email statistics, including hostname, sender email address, recipient email address, source IP address, the action taken on malicious activity and the subject of the email. Using this report, we can filter audit-sensitive data to see who did what, when, where, and how, to satisfy audits for multiple industry regulatory requirements.


Sample Report

Figure 6

Log sample


Figure 7

4.2 Alerts

• Barracuda ESG: Virus detected in the email: This alert is generated when a virus is detected in an email attachment.

4.3 Saved Search

• Barracuda ESG – Spam emails detection: This saved search provides information about the spam emails in traffic, including the sender and recipient address and the action taken on the email.

• Barracuda ESG – Virus detection in the email: This saved search provides information about any virus detected in an email attachment, and also provides the sender and recipient address.

4.4 Dashboards

• Barracuda ESG – Action taken on inbound emails:

Figure 8


• Barracuda ESG – Action taken on outbound emails:

Figure 9

• Barracuda ESG – Emails blocked by geo-location:

Figure 10


• Barracuda ESG – Emails statistics:

Figure 11

• Barracuda ESG – Emails virus detection by sender address:

Figure 12


• Barracuda ESG – Spam emails detail:

Figure 13

5. Importing Barracuda Email Security Gateway knowledge pack into EventTracker

NOTE: Import knowledge pack items in the following sequence:

• Alerts

• Categories

• Token Templates

• Knowledge Object

• Flex Reports

• Dashboard

1. Launch the EventTracker Control Panel.

2. Double click Export-Import Utility.


Figure 14

3. Click the Import tab.

5.1 Alerts

1. Click on Alert option, and then click the browse button.

Figure 15

2. Locate Alerts_Barracuda ESG.isalt file, and then click the open button.


3. To import alerts, click the Import button.

4. EventTracker displays a success message.

Figure 16

5. Click the OK button, and then click the Close button.

Category

1. Click the Category option, and then click the browse button.

Figure 17

2. Locate Category_Barracuda ESG.iscat file, and then click the Open button.

3. To import categories, click the Import button. EventTracker displays a success message.


Figure 18

4. Click OK, and then click the Close button.

5.2 Token Template

1. Log in to the EventTracker Console.

2. Click on Admin >> Parsing Rules.

Figure 19

3. Click on Template and click import configuration Symbol.

Figure 20

4. Locate the “.ettd” file and click on import.


Figure 21

5. Templates are now imported successfully.

Figure 22

5.3 Knowledge Object

1. Click Knowledge objects under the Admin option in the EventTracker manager page.


Figure 23

2. Next, click on the “import object” icon:

Figure 24

3. A pop-up box will appear. Click the “Browse” button and navigate to the file with the “.etko” extension.

Figure 25

4. A list of available knowledge objects will appear. Select the relevant files and click the “Import” button:


Figure 26

5. Knowledge objects are now imported successfully.

5.4 Flex Reports

1. In the EventTracker control panel, select “Export/ Import utility” and select the “Import tab”. Then, click Reports option, and choose “New (*.etcrx)”:

Figure 27


2. Once you have selected “New (*.etcrx)”, a new pop-up window will appear. Click the “Select File” button and navigate to the file path with a file having the extension “.etcrx”. Select all the relevant files and then click the Import button.

Figure 28

3. EventTracker displays a success message:

Figure 29

5.5 Dashboard

1. Log in to EventTracker.

2. Navigate to Dashboard → My Dashboard.

3. In “My Dashboard”, click Import Button:


Figure 30

Figure 31

4. Select the Browse button and navigate to the file path where the dashboard file is saved and click on the “Upload” button.

5. Once completed, choose “Select All” and click on “Import” Button.

Figure 32


6. Next, click “Customize dashlet” button as shown below:

Figure 33

7. Now, enter the text “TM Worry-Free” in the Search bar, select the Barracuda Email Security Gateway dashlets, and then click the “Add” button.

Figure 34

6. Verifying Barracuda Email Security Gateway knowledge pack in EventTracker

6.1 Token Template

1. In the EventTracker web interface, click the Admin dropdown, and then click Parsing Rules.

2. In the Parsing Rule tab select Template, click on the “Barracuda Email Security Gateway” group folder to view the imported templates.

Figure 35


6.2 Knowledge Object

1. In the EventTracker web interface, click the Admin dropdown, and then click Knowledge Objects.

2. In the Knowledge Object tree, expand the “Trend Micro Worry Free” group folder to view the imported Knowledge objects.

Figure 36

6.3 Flex Reports

1. In the EventTracker web interface, click the Reports menu, and then select the Report Configuration.

Figure 37

2. In Reports Configuration pane, select the Defined option.

3. Click on the Barracuda Email Security Gateway group folder to view the imported reports.


Figure 38

6.4 Dashboard

1. In the EventTracker web interface, click on Home Button and select “My Dashboard”.

Figure 39

2. In the “Barracuda Email Security Gateway” dashboard, you should now be able to see something like this.

Figure 40