Skip to content

Barracuda WAF

Barracuda WAF

About

Barracuda Web Application Firewall protects applications, APIs, and mobile app backends against a variety of attacks including the OWASP Top 10, zero-day threats, data leakage, and application-layer denial of service (DoS) attacks. By combining signature-based policies and positive security with robust anomaly-detection capabilities, Barracuda Web Application Firewall can defeat today’s most sophisticated attacks targeting your web applications.

Product Details

Vendor URL: Barracuda WAF

Product Type: Web Access Firewall

Product Tier: Tier II

Integration Method: Custom

Integration URL: N/A

Log Guide: N/A

Parser Details

Log Format: CEF

Expected Normalization Rate: 95%

Data Label: BARRACUDA_WAF

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
"Barracuda" metadata.vendor_name
"WAF" metadata.product_name
dvc observer.ip
dhost target.hostname
dpt target.port
dst target.ip
destinationServiceName target.namespace
src principal.ip
spt principal.port
requestMethod network.http.method
outcome network.http.response_code

Product Event Types

Event UDM Event Classification
All Events NETWORK_CONNECTION

Log Sample

1550 <140>1 2022-01-20T00:13:00.845000Z Barracuda - - - - CEF:0|BarracudaNetworks|WAAS|BNWAS-1.0|WAF|WAF|4| cat=TR dvc=10.1.1.1 duser="-" in=2729 out=1030 suser="-" src=10.1.1.1 spt=52758 requestCookies=website.com=382931116.20480.0000; TS01f957cc=013b14e44df483a455159eca6695c9a09a0b11a010ba971f4a8a043d5471b5d5e188384f99d2fbd60f864e88102e4e8a3fa987518d84d62d28c288ec66fefdad0a14ac0051fc79ada1ffe9e68f821b941a945e12badd48caf77 dhost=website.com outcome=200 suid="-" requestMethod=POST app=TLSv1.2 msg="-" requestContext=website.com 11:17:12 AM dst=10.1.1.1 dpt=443 rt=1642637580845 request=/NewYorkNetworkManagement/ClientBin/Ctc-Core-Notifications-Transport-NotificationServerService.svc/binary/GetNotifications requestClientApplication="Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko" dvchost=10.1.1.1 cs1Label=ClientType cs1=%ct cs2Label=Protected cs2=PROTECTED cs3Label=ProxyIP cs3=10.1.1.1 cs4Label=ProfileMatched cs4=DEFAULT cs6Label=WFMatched cs6=VALID cn1Label=ServicePort cn1=9175 cn2Label=CacheHit cn2=0 cn3Label=ProxyPort cn3=43804 flexNumber1Label=ServerTime(ms) flexNumber1=44 flexNumber2Label=TimeTaken(ms) flexNumber2=45 flexString1Label=ProtocolVersion flexString1=HTTP/1.1 BarracudaWafCustomHeader1="-" BarracudaWafCustomHeader2="-" BarracudaWafCustomHeader3="-" BarracudaWafResponseType=SERVER BarracudaWafSessionID="-" destinationServiceName=namespace

Sample Parsing

metadata.event_timestamp = "2022-01-20T00:15:15.177416Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Barracuda"
metadata.product_name = "WAF"
metadata.ingested_timestamp = "2022-01-20T00:15:15.177416Z"
principal.ip = "10.1.1.1"
principal.port = 52758
principal.asset.ip = "10.1.1.1"
target.hostname = "website.com"
target.ip = "10.1.1.1"
target.port = 443
target.namespace = "namespace"
target.asset.ip = "10.1.1.1"
observer.ip = "10.1.1.1"
network.http.method = "POST"
network.http.response_code = 200