Array Networks Web Application Firewall¶
About¶
Array web application firewalls provide a flexible and precise tool for securing business-critical resources. Commonly deployed along with load balancing and app delivery solutions, the ASF detects and blocks attacks including the OWASP Top 10, WASC, Layer 7 DDoS, and zero-day attacks with pinpoint accuracy. It ensures continuous security for applications and infrastructure while supporting compliance with security standards including PCI DSS.
Product Details¶
Vendor URL: Array Networks
Product Type: Web Application firewall
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Cyderes Documentation
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 100%
Data Label: ARRAY_NETWORKS_WAF
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| act | security_result.action_details |
| act | security_result.action |
| atkdata | security_result.detection_fields |
| atkmsg | security_result.summary |
| atktype | security_result.category_details |
| cmd | target.process.command_line |
| Content-Length | additional.fields |
| Content-Type | additional.fields |
| CSRF_TOKEN_COOKIE | security_result.detection_fields |
| detmod | metadata.description |
| Host | target.hostname |
| Host | security_result.about.ip |
| Host | security_result.about.hostname |
| httpcode | network.http.response_code |
| Origin | principal.hostname |
| port | security_result.about.port |
| protype/protocol | network.application_protocol |
| Referer | network.http.referral_url |
| reqheader | network.http.method |
| reqheader | target.url |
| reqheader | network.application_protocol_version |
| response_size | network.received_bytes |
| rsip/dip | target.ip |
| rsport/dport | target.port |
| ruleID | security_result.rule_id |
| severity | security_result.severity_details |
| sip | principal.ip |
| sport | principal.port |
| srv/sname | network.dhcp.sname |
| srvip | observer.ip |
| srvport | observer.port |
| tranID | additional.fields |
| User | principal.user.userid |
| User-Agent | network.http.user_agent |
| wname | observer.hostname |
| X-Requested-With | additional.fields |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| Else | NETWORK_CONNECTION |
| Generic | GENERIC_EVENT |
| Invalid Request | NETWORK_UNCATEGORIZED |
| WAF_audit | NETWORK_HTTP |
Log Sample¶
<132>2024 Jul 19 15:17:23 WARNING 100041029 WAF attack: sip="10.0.0.0" sport=47089 dip="0.0.0.100" dport=9464 sname="AA_PRD_VIP_123" wname="WAF_AA_BB_CC" atktype="Positive" tranID="aBx0Abc01GfU123" ruleID="1000" act="Pass" host="example-abc.example.net" method="POST" url="/Web/example/ui/ticket/SearchEditTicketsDetail.htm" pending="-" protype="HTTP" detmod="Detected threats by positive WAF" atkmsg="Detected sql keywords in BODY|NAME" atkdata="ticketsector.fromcity"
Sample Parsing¶
additional.fields["tranID"] = "aBx0Abc01GfU123"
metadata.description = "Detected threats by positive WAF"
metadata.event_type = "NETWORK_HTTP"
metadata.log_type = "ARRAY_NETWORKS_WAF"
metadata.product_event_type = "WAF_attack"
metadata.product_log_id = "100041029"
metadata.product_name = "WAF"
metadata.vendor_name = "Array Networks"
network.application_protocol = "HTTP"
network.dhcp.sname = "AA_PRD_VIP_123"
network.http.method = "POST"
observer.hostname = "WAF_AA_BB_CC"
principal.ip = "10.0.0.0"
principal.port = 47089
security_result.action_details = "Pass"
security_result.action = "ALLOW"
security_result.category_details = "Positive"
security_result.detection_fields.key = "atkdata"
security_result.detection_fields.value = "ticketsector.fromcity"
security_result.rule_id = "1000"
security_result.severity = "MEDIUM"
security_result.severity_details = "WARNING"
security_result.summary = "Detected sql keywords in BODY|NAME"
target.ip = "0.0.0.100"
target.hostname = "example-abc.example.net"
target.port = 9464
target.url = "/Web/example/ui/ticket/SearchEditTicketsDetail.htm"