Micro Focus Common Event Format Integration Guide Barracuda Networks Barracuda Web Application Firewall Date: February 01, 2017 Integration Guide



Contents

Contents 2
Revision History 3
Barracuda Networks Integration Guide 4
Joint Solution Overview 4
CEF Integration 4
1. Configuration of Barracuda WAF to output CEF events 4
2. Screenshot 5
3. Events 8
4. Device Event Mapping to ArcSight Data Fields 8
ArcSight Content for Barracuda Web Application Firewall 11
Prerequisites 11
Support 11
Additional ArcSight Documentation 12


ArcSight Integration Guide

This document is provided for informational purposes only, and the information herein is subject to change without notice. Please report any errors herein to Micro Focus. Micro Focus does not provide any warranties covering this information and specifically disclaims any liability in connection with this document.

Certified Integration: The integration complies with the requirements of the Micro Focus Technology Alliance Partner program. For inbound integrations, the Micro Focus ArcSight CEF connector will be able to process the events correctly and the events will be available for use within Micro Focus’ ArcSight product. In addition, the event content has been deemed to be in accordance with standard SmartConnector requirements. For action and outbound integrations, the integration establishes outbound communications from Micro Focus ArcSight to a third party platform. The integration has been tested and demonstrated to Micro Focus by the third party.

Revision History

| Date | Description |
|---|---|
| 01/25/2017 | First edition of this Configuration Guide. |
| 01/30/2017 | Version 900 Certified by Micro Focus Security |


Barracuda Networks Integration Guide

This guide provides information for configuring the Barracuda Networks Barracuda Web Application Firewall (WAF) integration for ArcSight ESM. Barracuda WAF version 900 is supported.

Joint Solution Overview

The Barracuda Web Application Firewall blocks an ever-expanding list of sophisticated web-based intrusions and attacks that target applications hosted on web servers and in the cloud. The Barracuda Web Application Firewall scans all inbound web traffic to block attacks, and inspects the HTTP or HTTPS responses from the configured back-end servers for Data Loss Prevention (DLP). The integrated access control engine enables administrators to create granular access control policies for Authentication, Authorization & Accounting (AAA) without requiring application changes. The onboard L4/L7 Load Balancing capabilities enable organizations to add back-end servers quickly to scale deployments as they grow. Its application acceleration capabilities, such as SSL Offloading, caching, compression, and connection pooling, ensure faster delivery of the web application content.

CEF Integration

1. Configuration of Barracuda WAF to output CEF events

Adding a Syslog Server

1. Go to the ADVANCED > Export Logs page.
2. In the Export Logs section, click Add Export Log Server. The Add Export Log Server window appears; specify values for the following:
   a. Name – Enter a name for the syslog NG server.
   b. Log Server Type – Select Syslog NG.
   c. IP Address or Hostname – Enter the IP address or the hostname of the HP ArcSight ESM server.
   d. Port – Enter the port associated with the IP address of the HP ArcSight ESM server.
   e. Connection Type – Select the connection type used to transmit the logs from the Barracuda Web Application Firewall to the HP ArcSight ESM server. The default port is 1514 for UDP or 1701 for TCP.
   f. Validate Server Certificate – Set to Yes to validate the syslog server certificate using the internal bundle of Certificate Authority (CA) certificates packaged with the system. If set to No, any certificate from the syslog server is accepted.
   g. Client Certificate – When set to Yes, the Barracuda Web Application Firewall presents the certificate while connecting to the syslog server.
   h. Certificate – Select a certificate for the Barracuda Web Application Firewall to present when connecting to the syslog server. Certificates can be uploaded on the BASIC > Certificates page. For more information on how to upload a certificate, see How to Add an SSL Certificate.
   i. Log Timestamp and Hostname – Set to Yes if you want to log the date and time of the event, and the hostname configured in the BASIC > IP Configuration > Domain Configuration section.
3. Click Add.

Configuring ArcSight Format for Logs

1. Go to the ADVANCED > Export Logs page.
2. In the Logs Format section, select the ArcSight logs format for all the logs:
   a. Syslog Header: Select ArcSight Log Header.
   b. Web Firewall Logs Format: Select HPE ArcSight CEF:0
   c. Access Logs Format: Select HPE ArcSight CEF:0
   d. Audit Logs Format: Select HPE ArcSight CEF:0
   e. Network Firewall Logs Format: Select HPE ArcSight CEF:0
   f. System Logs Format: Select HPE ArcSight CEF:0
3. Click Save.

2. Screenshot

[Screenshot: Access Log Events]

[Screenshot: Audit Log Events]

[Screenshot: Network Firewall Log Events]

[Screenshot: System Log Events]

[Screenshot: Web Firewall Log Events]


3. Events

To view the system log messages and the associated event IDs, refer to the System Log Messages article in the Barracuda Web Application Firewall Documentation. To view the detailed list of attack actions, refer to the Attacks Description – Action Policy article in the Barracuda Web Application Firewall Documentation.

4. Device Event Mapping to ArcSight Data Fields

Information contained within vendor-specific event definitions is sent to the ArcSight SmartConnector, then mapped to an ArcSight data field. The following table lists the mappings from ArcSight data fields to the supported vendor-specific event definitions.

Barracuda WAF – Access Logs Connector Field Mappings

| Vendor-Specific Event Definition | ArcSight Event Data Field |
|---|---|
| Service IP (%ai) | dvc |
| Service Port (%ap) | cn1 |
| Authenticated User (%au) | duser |
| Bytes Received (%br) | in |
| Bytes Sent (%bs) | out |
| Cache Hit (%ch) | cn2 |
| Certificate User (%cu) | suser |
| Client IP (%ci) | src |
| Client Port (%cp) | spt |
| Cookie (%c) | requestCookies |
| Client Type (%ct) | cs1 |
| Custom Header 1 (%cs1) | BarracudaWafCustomHeader1 |
| Custom Header 2 (%cs2) | BarracudaWafCustomHeader2 |
| Custom Header 3 (%cs3) | BarracudaWafCustomHeader3 |
| Host (%h) | dhost |
| HTTP Status (%s) | outcome |
| Login ID (%id) | suid |
| Log Type (%lt) | cat |
| Method (%m) | requestMethod |
| Protocol (%p) | app |
| Protected (%pf) | cs2 |
| Proxy IP (%px) | cs3 |
| Profile Matched (%pmf) | cs4 |
| Proxy Port (%pp) | cn3 |
| Query String | msg |
| Referer (%r) | requestContext |
| Response Type (%rtf) | BarracudaWafResponseType |
| Session ID (%sid) | BarracudaWafSessionID |
| Server IP | dst |
| Server Port (%sp) | dpt |
| Server Time (%st) | flexNumber1 |
| Epoch/Unix Time Stamp (%tarc) | rt |
| Time Taken (%tt) | flexNumber2 |
| URL (%u) | request |
| User Agent (%ua) | requestClientApplication |
| Unit Name (%un) | dvchost |
| Unique ID (%uid) | externalId |
| Version (%v) | flexString1 |
| WF Matched (%wmf) | cs6 |

Web Firewall Logs

| Vendor-Specific Event Definition | ArcSight Event Data Field |
|---|---|
| Service IP (%ai) | dst |
| Service Port (%ap) | dpt |
| Action (%at) | act |
| Attack Details (%adl) | msg |
| Attack Group (%ag) | cs4 |
| Authenticated User (%au) | duser |
| Client IP (%ci) | src |
| Client Port (%cp) | spt |
| Follow-up Action (%fa) | cs2 |
| Log Type (%lt) | cat |
| Method (%m) | requestMethod |
| Protocol (%p) | app |
| Proxy IP (%px) | cs5 |
| Proxy Port (%pp) | cn2 |
| Referer (%r) | requestContext |
| Rule ID (%ri) | cs1 |
| Rule Type (%rt) | cs3 |
| Session ID (%sid) | cs6 |
| Severity (%sl) | In Header as "SEVERITY" |
| Time (%t) | start |
| Epoch/Unix Time Stamp (%tarc) | rt |
| URL (%u) | request |
| User Agent (%ua) | requestClientApplication |
| Unit Name (%un) | dvchost |
| Unique ID (%uid) | externalId |

Audit Logs

| Vendor-Specific Event Definition | ArcSight Event Data Field |
|---|---|
| Additional Data (%add) | msg |
| Admin Name (%an) | duser |
| Change Type (%cht) | outcome |
| Client Type (%ct) | requestClientApplication |
| Command Name (%cn) | deviceProcessName |
| Login IP (%li) | src |
| Login Port (%lp) | spt |
| Log Type (%lt) | cat |
| New Value (%nv) | cs1 |
| Object Name (%on) | fname |
| Object Type (%ot) | fileType |
| Old Value (%ov) | cs2 |
| Time (%t) | start |
| Epoch/Unix Time Stamp (%tarc) | rt |
| Transaction ID (%tri) | cn1 |
| Unit Name (%un) | dvchost |
| Variable (%var) | cs3 |

Network Firewall Logs

| Vendor-Specific Event Definition | ArcSight Event Data Field |
|---|---|
| Action ID (%act) | act |
| Details (%dsc) | cs1 |
| Destination IP (%di) | dst |
| Destination Port (%dp) | dpt |
| Log Type (%lt) | cat |
| Protocol (%p) | proto |
| Source IP (%srci) | src |
| Source Port (%srcp) | spt |
| Time (%t) | start |
| Epoch/Unix Time Stamp (%tarc) | rt |
| Unit Name (%un) | dvchost |

System Logs

| Vendor-Specific Event Definition | ArcSight Event Data Field |
|---|---|
| Event ID (%ei) | externalId |
| Log Type (%lt) | cat |
| Message (%ms) | msg |
| Epoch/Unix Time Stamp (%tarc) | rt |
| Time (%t) | start |
| Unit Name (%un) | dvchost |
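As an added example (not part of the guide or of either vendor's software), the following Python parses one CEF:0 line of the kind the Web Firewall Logs format produces, resolving the CEF escape rules for the header and extension, and relabels the extension keys with the Barracuda field names from the Web Firewall Logs table above. The sample event, its syslog prefix and the vendor, product, version, signature and name header values are constructed assumptions; only the extension-key mapping is taken from the guide.

```python
import re

# Constructed sample (not from the guide): a Barracuda WAF web-firewall event in
# CEF:0 as the ArcSight SmartConnector would receive it over syslog. The syslog
# prefix and the vendor/product/version/signature/name header values are assumed.
SAMPLE = (
    "<134>Feb 01 2017 10:00:00 waf01 CEF:0|Barracuda|WAF|9.0|SQL_INJECTION|"
    "Web Firewall Log|7|rt=1485943200000 src=203.0.113.10 spt=51234 "
    "dst=198.51.100.5 dpt=443 act=DENY cat=WF duser=alice cs2=NONE "
    "msg=Pattern ' OR 1\\=1 in param q cs4=injection request=/search?q\\=x "
    "app=HTTPS dvchost=waf01 externalId=ab12cd"
)

WEB_FIREWALL_FIELDS = {  # ArcSight key -> Barracuda field (guide's Web Firewall Logs table)
    "dst": "Service IP (%ai)", "dpt": "Service Port (%ap)", "act": "Action (%at)",
    "msg": "Attack Details (%adl)", "cs4": "Attack Group (%ag)",
    "duser": "Authenticated User (%au)", "src": "Client IP (%ci)",
    "spt": "Client Port (%cp)", "cs2": "Follow-up Action (%fa)",
    "cat": "Log Type (%lt)", "app": "Protocol (%p)", "request": "URL (%u)",
    "rt": "Epoch/Unix Time Stamp (%tarc)", "dvchost": "Unit Name (%un)",
    "externalId": "Unique ID (%uid)",
}

HEADER_KEYS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")          # header separator, unless escaped
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")   # start of an extension key=value

def _unescape(text, table):
    # Resolve the CEF backslash escapes listed in `table`; other backslashes stay.
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(0)), text)

def parse_cef(line):
    # Parse one CEF:0 line (optionally syslog-prefixed) into header fields + extension dict.
    start = line.find("CEF:")
    parts = UNESCAPED_PIPE.split(line[start + 4:], maxsplit=7) if start >= 0 else []
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    event = {k: _unescape(v, {"|": "|", "\\": "\\"}) for k, v in zip(HEADER_KEYS, parts)}
    event["severity"] = int(event["severity"])  # per the guide, severity travels in the header
    ext, keys = {}, list(EXT_KEY.finditer(parts[7]))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        ext[m.group(1)] = _unescape(parts[7][m.end():end].strip(),
                                    {"=": "=", "\\": "\\", "n": "\n", "r": "\r"})
    event["extension"] = ext
    return event

def vendor_view(event, mapping=WEB_FIREWALL_FIELDS):
    # Relabel ArcSight extension keys with the Barracuda field names from the table.
    return {mapping.get(k, k): v for k, v in event["extension"].items()}
```

Keys absent from the mapping (for example ones from another log type) are passed through unchanged, so the same parser can be pointed at any of the tables above by swapping the mapping.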

ArcSight Content for Barracuda Web Application Firewall

Prerequisites

| Product Name | Version Information | Operating System |
|---|---|---|
| Micro Focus ArcSight | | |

Support

Integration support information when an issue is outside of the ArcSight team’s scope: in some cases the ArcSight customer service team is unable to help with issues that lie within the configuration itself, in which case the certified vendor should be contacted for assistance.

Barracuda Networks Customer Support Instructions – To contact Barracuda Networks online from any locale:

• Visit Barracuda Support for regional contact information. You can also click Create a Support Case.
• Barracuda Networks Community Forum: Here you can post and answer other users' questions; visit Barracuda Community Forum to log in or create a new Barracuda Networks Community Forum account.


Additional ArcSight Documentation

For more information about the joint solution, visit the Micro Focus ArcSight Marketplace: https://marketplace.microfocus.com/arcsight/category/partner-integrations

For more information about Micro Focus Security ArcSight ESM: https://software.microfocus.com/en-us/software/siem-security-information-event-management