Integrate Barracuda Email Security Gateway EventTracker v9.x and above
Publication Date: December 5, 2019
Integrate Barracuda Email Security Gateway
Abstract
This guide provides instructions to retrieve Barracuda Email Security Gateway event logs and integrate them with
EventTracker. Once EventTracker is configured to collect and parse these logs, dashboards and reports can be
configured to monitor the Barracuda Email Security Gateway.
Audience
The configurations detailed in this guide are consistent with EventTracker version v9.x or above and Barracuda
Email Security Gateway VX600 or above.
The information contained in this document represents the current view of Netsurion on the issues
discussed as of the date of publication. Because Netsurion must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Netsurion, and Netsurion
cannot guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. Netsurion MAKES NO WARRANTIES, EXPRESS OR
IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, this paper may be freely distributed without permission from Netsurion, if
its content is unaltered, nothing is added to the content and credit to Netsurion is provided.
Netsurion may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Netsurion, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The example companies, organizations, products, people and events depicted herein are fictitious.
No association with any real company, organization, product, person or event is intended or should
be inferred.
© 2019 Netsurion. All rights reserved. The names of actual companies and products mentioned
herein may be the trademarks of their respective owners.
Table of Contents
1. Overview
2. Prerequisites
3. Configuring Barracuda Email Security Gateway to EventTracker
   3.1 Barracuda Action Codes
   3.2 Barracuda Reason Codes
4. EventTracker Knowledge Pack
   4.1 Flex Reports
   4.2 Alerts
   4.3 Saved Search
   4.4 Dashboards
5. Importing Barracuda Email Security Gateway knowledge pack into EventTracker
   5.1 Alerts
   5.2 Token Template
   5.3 Knowledge Object
   5.4 Flex Reports
   5.5 Dashboard
6. Verifying Barracuda Email Security Gateway knowledge pack in EventTracker
   6.1 Token Template
   6.2 Knowledge Object
   6.3 Flex Reports
   6.4 Dashboard
1. Overview
The Barracuda Email Security Gateway is an integrated hardware and software solution designed to protect your email
server from spam, virus, spoofing, phishing and spyware attacks. Outbound filtering and encryption options also help
prevent data leakage (DLP). The optional cloud protection layer (CPL) shields email servers from inbound malware
and DoS attacks while filtering out normal spam before it ever touches the network’s perimeter.
2. Prerequisites
• EventTracker v9.x should be installed.
• Barracuda Email Security Gateway VX600 or above should be installed and configured.
• An exception should be added to the Windows Firewall on the EventTracker machine for Syslog port 514.
3. Configuring Barracuda Email Security Gateway to EventTracker
1. Log in to the Barracuda Web Filter web interface.
2. Select Advanced > Advanced Networking.
3. In the Syslog Configuration section, specify the IP address of the EventTracker in the Mail Syslog and Web Interface Syslog fields.
4. Enter port 514 and select UDP protocol.
Figure 1
5. Click Add and save. The Syslog configuration is complete.
3.1 Barracuda Action Codes

RECV and SCAN Services
ID    Meaning
0     Allowed Message
1     Aborted Message
2     Blocked Message
3     Quarantined Message
4     Tagged Message
5     Deferred Message
6     Per-User Quarantined Message
7     Whitelisted Message
8     Encrypted Message
9     Redirected Message
10    Attachments Stubbed*

SEND Services
ID    Meaning
1     Delivered Message
2     Rejected Message
3     Deferred Message
4     Expired Message
3.2 Barracuda Reason Codes

RECV and SCAN Services
ID    Meaning
1     Virus
2     Banned Attachment
3     RBL Match
4     Rate Control
5     Too Many Message in Session
6     Timeout Exceeded
7     No Such Domain
8     No Such User
9     Subject Filter Match
11    Client IP
12    Recipient Address
13    No Valid Recipients
14    Domain Not Found
15    Sender Address
17    Need Fully Qualified Recipient
18    Need Fully Qualified Sender
19    Unsupported Command
20    MAIL FROM Syntax Error
21    Bad Address Syntax
22    RCPT TO Syntax Error
23    Send EHLO/HELO First
24    Need MAIL Command
25    Nested MAIL Command
27    EHLO/HELO Syntax Error
30    Mail Protocol Violation
31    Score
34    Header Filter Match
35    Sender Block/Accept
36    Recipient Block/Accept
37    Body Filter Match
38    Message Size Bypass
39    Intention Analysis Match
40    SPF/Caller-ID
41    Client Host Rejected
44    Authentication Not Enabled
45    Allowed Message Size Exceeded
46    Too Many Recipients
47    Need RCPT Command
48    DATA Syntax Error
49    Internal Error
50    Too Many Hops
51    Mail Protocol Error
55    Invalid Parameter Syntax
56    STARTTLS Syntax Error
57    TLS Already Active
58    Too Many Errors
59    Need STARTTLS First
60    Spam Fingerprint Found
61    Barracuda Reputation Whitelist
62    Barracuda Reputation Blocklist
63    DomainKeys
64    Recipient Verification Unavailable
65    Realtime Intent
66    Client Reverse DNS
67    Email Registry
68    Invalid Bounce
69    Intent - Adult
70    Intent - Political
71    Multi-Level Intent
72    Attachment Limit Exceeded
73    System Busy
74    BRTS Intent
75    Per-Domain Recipient
76    Per-Domain Sender
77    Per-Domain Client IP
78    Sender Spoofed
79    Attachment Content
80    Outlook Add-in
82    Barracuda IP/Domain Reputation
83    Authentication Failure
85    Attachment Size
86    Virus detected by Extended Malware Protection **
87    Extended Malware Protection engine is busy **
88    A message was categorized for Email Category **
89    Macro Blocked *

* Applies to version 8.0.1 and higher
** Applies to version 6.1 and higher
*** With version 7.1.1, no longer used
**** Applies to version 7.1.1.002 and higher
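The action IDs in section 3.1 overlap between services (ID 1 is "Aborted" for RECV/SCAN but "Delivered" for SEND), so a parser has to pick the table by service before decoding. The sketch below is an added example, not Netsurion or Barracuda code, and shows that decoding plus the virus condition (reason codes 1 and 86) on constructed lines. The field layout matched by LINE_RE and the names decode and virus_events are assumptions for illustration; adjust the pattern to the mail syslog lines your appliance actually sends.

```python
import re

# Action IDs from section 3.1: the same number means different things per service.
RECV_SCAN_ACTIONS = {0: "Allowed", 1: "Aborted", 2: "Blocked", 3: "Quarantined",
                     4: "Tagged", 5: "Deferred", 6: "Per-User Quarantined",
                     7: "Whitelisted", 8: "Encrypted", 9: "Redirected",
                     10: "Attachments Stubbed"}
SEND_ACTIONS = {1: "Delivered", 2: "Rejected", 3: "Deferred", 4: "Expired"}
# Subset of the section 3.2 reason codes (defined for RECV and SCAN only).
REASONS = {1: "Virus", 2: "Banned Attachment", 3: "RBL Match", 8: "No Such User",
           31: "Score", 60: "Spam Fingerprint Found", 78: "Sender Spoofed",
           83: "Authentication Failure",
           86: "Virus detected by Extended Malware Protection"}
VIRUS_REASONS = {1, 86}

# ASSUMED, simplified layout: "<SERVICE> <sender> <recipient> <action> [<reason>]".
LINE_RE = re.compile(r"\b(RECV|SCAN|SEND)\s+(\S+)\s+(\S+)\s+(\d+)(?:\s+(\d+))?\s*$")

def decode(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    service, sender, recipient, action_id, reason_id = m.groups()
    actions = SEND_ACTIONS if service == "SEND" else RECV_SCAN_ACTIONS
    action_id = int(action_id)
    # Reason codes only apply to RECV and SCAN; ignore any value on SEND lines.
    reason_id = int(reason_id) if reason_id and service != "SEND" else None
    return {
        "service": service, "sender": sender, "recipient": recipient,
        "action": actions.get(action_id, f"Unknown action {action_id}"),
        "reason": None if reason_id is None
                  else REASONS.get(reason_id, f"Reason {reason_id}"),
        "virus": reason_id in VIRUS_REASONS,
    }

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    "mail-gw inbound: SCAN alice@example.org bob@example.com 2 1",
    "mail-gw inbound: RECV carol@example.net bob@example.com 1 8",
    "mail-gw outbound: SEND bob@example.com dave@example.org 1",
    "mail-gw inbound: SCAN eve@example.org bob@example.com 3 86",
]

def virus_events(lines):
    """Events that would feed a 'virus detected in the email' style alert."""
    return [e for e in map(decode, lines) if e and e["virus"]]
```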
4. EventTracker Knowledge Pack
Once logs are received by the EventTracker manager, Knowledge Packs can be configured into EventTracker.
The following Knowledge Packs are available in EventTracker to support Barracuda Email Security Gateway.
4.1 Flex Reports
• Barracuda ESG – Virus detection in emails: This report provides information about viruses found in email
attachments, along with the action taken on the virus and the sender and receiver of the email.
Sample Report
Figure 2
Log sample
Figure 3
• Barracuda ESG- Action taken on malicious emails: This report provides information related to the action taken by the Barracuda Email Security Gateway on Virus found in the email attachment, spam emails or Authentication Failure. This report also provides detailed information about email sender address, recipient address, hostname and source IP address.
Sample Report
Figure 4
Log sample
Figure 5
• Barracuda ESG - Email Traffic details: This report provides detailed information on inbound, outbound, email scan and email statistics, including hostname, sender email address, recipient email, source IP address, the action taken on malicious activity and the subject of the email. Using this report, we can filter audit-sensitive data to see who did what, when, where, and how, to satisfy audits for multiple industry regulatory requirements.
Sample Report
Figure 6
Log sample
Figure 7
4.2 Alerts
• Barracuda ESG: Virus detected in the email: This alert is generated when a virus is detected in an email
attachment.
4.3 Saved Search
• Barracuda ESG – Spam emails detection: This saved search provides information about the spam emails in
traffic, including the sender and recipient address and action taken on the email.
• Barracuda ESG – Virus detection in the email: This saved search provides information about any
virus detected in an email attachment, and also provides the sender and recipient addresses.
4.4 Dashboards
• Barracuda ESG – Action taken on inbound emails:
Figure 8
• Barracuda ESG – Action taken on outbound emails:
Figure 9
• Barracuda ESG – Emails blocked by geo-location:
Figure 10
• Barracuda ESG – Emails statistics:
Figure 11
• Barracuda ESG – Emails virus detection by sender address:
Figure 12
• Barracuda ESG – Spam emails detail:
Figure 13
5. Importing Barracuda Email Security Gateway knowledge pack into EventTracker
NOTE: Import knowledge pack items in the following sequence:
• Alerts
• Categories
• Token Templates
• Knowledge Object
• Flex Reports
• Dashboard
1. Launch the EventTracker Control Panel.
2. Double click Export-Import Utility.
Figure 14
3. Click the Import tab.
5.1 Alerts
1. Click on Alert option, and then click the browse button.
Figure 15
2. Locate Alerts_Barracuda ESG.isalt file, and then click the open button.
3. To import alerts, click the Import button.
4. EventTracker displays a success message.
Figure 16
5. Click the OK button, and then click the Close button.
Category
1. Click the Category option, and then click the browse button.
Figure 17
2. Locate Category_Barracuda ESG.iscat file, and then click the Open button.
3. To import categories, click the Import button. EventTracker displays a success message.
Figure 18
4. Click OK, and then click the Close button.
5.2 Token Template
1. Log in to the EventTracker Console.
2. Click on Admin >> Parsing Rules.
Figure 19
3. Click on Template and click import configuration Symbol.
Figure 20
4. Locate the “.ettd” file and click on import.
Figure 21
5. Templates are now imported successfully.
Figure 22
5.3 Knowledge Object
1. Click Knowledge objects under the Admin option in the EventTracker manager page.
Figure 23
2. Next, click on the “import object” icon:
Figure 24
3. A pop-up box will appear. Click the “Browse” button and navigate to the file with the extension “.etko”.
Figure 25
4. A list of available knowledge objects will appear. Select the relevant files and click on “Import” button:
Figure 26
5. Knowledge objects are now imported successfully.
5.4 Flex Reports
1. In the EventTracker control panel, select “Export/ Import utility” and select the “Import tab”. Then, click
Reports option, and choose “New (*.etcrx)”:
Figure 27
2. Once you have selected “New (*.etcrx)”, a new pop-up window will appear. Click the “Select File” button and navigate to the file path with a file having the extension “.etcrx”. Select all the relevant files and then click the Import button.
Figure 28
3. EventTracker displays a success message:
Figure 29
5.5 Dashboard
1. Log in to EventTracker.
2. Navigate to Dashboard → My Dashboard.
3. In “My Dashboard”, click Import Button:
Figure 30
Figure 31
4. Select the Browse button and navigate to the file path where the dashboard file is saved and click on
the “Upload” button.
5. Once completed, choose “Select All” and click on “Import” Button.
Figure 32
6. Next, click “Customize dashlet” button as shown below:
Figure 33
7. Now, enter the text “TM Worry-Free” in the Search bar, then select the Barracuda Email Security
Gateway dashlets and click the “Add” button.
Figure 34
6. Verifying Barracuda Email Security Gateway knowledge pack in EventTracker
6.1 Token Template
1. In the EventTracker web interface, click the Admin dropdown, and then click Parsing Rules.
2. In the Parsing Rule tab select Template, click on the “Barracuda Email Security Gateway” group folder
to view the imported templates.
Figure 35
6.2 Knowledge Object
1. In the EventTracker web interface, click the Admin dropdown, and then click Knowledge Objects.
2. In the Knowledge Object tree, expand the “Trend Micro Worry Free” group folder to view the imported
Knowledge objects.
Figure 36
6.3 Flex Reports
1. In the EventTracker web interface, click the Reports menu, and then select the Report Configuration.
Figure 37
2. In Reports Configuration pane, select the Defined option.
3. Click on the Barracuda Email Security Gateway group folder to view the imported reports.
Figure 38
6.4 Dashboard
1. In the EventTracker web interface, click the Home button and select “My Dashboard”.
Figure 39
2. In the “Barracuda Email Security Gateway” dashboard, you should now be able to see something like
this.
Figure 40