Barracuda WAF¶
About¶
Barracuda Web Application Firewall protects applications, APIs, and mobile app backends against a variety of attacks including the OWASP Top 10, zero-day threats, data leakage, and application-layer denial of service (DoS) attacks. By combining signature-based policies and positive security with robust anomaly-detection capabilities, Barracuda Web Application Firewall can defeat today’s most sophisticated attacks targeting your web applications.
Product Details¶
Vendor URL: Barracuda WAF
Product Type: Web Access Firewall
Product Tier: Tier II
Integration Method: Custom
Integration URL: N/A
Log Guide: N/A
Parser Details¶
Log Format: CEF
Expected Normalization Rate: 95%
Data Label: BARRACUDA_WAF
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| "Barracuda" | metadata.vendor_name |
| "WAF" | metadata.product_name |
| dvc | observer.ip |
| dhost | target.hostname |
| dpt | target.port |
| dst | target.ip |
| destinationServiceName | target.namespace |
| src | principal.ip |
| spt | principal.port |
| requestMethod | network.http.method |
| outcome | network.http.response_code |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| All Events | NETWORK_CONNECTION |
Log Sample¶
1550 <140>1 2022-01-20T00:13:00.845000Z Barracuda - - - - CEF:0|BarracudaNetworks|WAAS|BNWAS-1.0|WAF|WAF|4| cat=TR dvc=10.1.1.1 duser="-" in=2729 out=1030 suser="-" src=10.1.1.1 spt=52758 requestCookies=website.com=382931116.20480.0000; TS01f957cc=013b14e44df483a455159eca6695c9a09a0b11a010ba971f4a8a043d5471b5d5e188384f99d2fbd60f864e88102e4e8a3fa987518d84d62d28c288ec66fefdad0a14ac0051fc79ada1ffe9e68f821b941a945e12badd48caf77 dhost=website.com outcome=200 suid="-" requestMethod=POST app=TLSv1.2 msg="-" requestContext=website.com 11:17:12 AM dst=10.1.1.1 dpt=443 rt=1642637580845 request=/NewYorkNetworkManagement/ClientBin/Ctc-Core-Notifications-Transport-NotificationServerService.svc/binary/GetNotifications requestClientApplication="Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko" dvchost=10.1.1.1 cs1Label=ClientType cs1=%ct cs2Label=Protected cs2=PROTECTED cs3Label=ProxyIP cs3=10.1.1.1 cs4Label=ProfileMatched cs4=DEFAULT cs6Label=WFMatched cs6=VALID cn1Label=ServicePort cn1=9175 cn2Label=CacheHit cn2=0 cn3Label=ProxyPort cn3=43804 flexNumber1Label=ServerTime(ms) flexNumber1=44 flexNumber2Label=TimeTaken(ms) flexNumber2=45 flexString1Label=ProtocolVersion flexString1=HTTP/1.1 BarracudaWafCustomHeader1="-" BarracudaWafCustomHeader2="-" BarracudaWafCustomHeader3="-" BarracudaWafResponseType=SERVER BarracudaWafSessionID="-" destinationServiceName=namespace
Sample Parsing¶
metadata.event_timestamp = "2022-01-20T00:15:15.177416Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Barracuda"
metadata.product_name = "WAF"
metadata.ingested_timestamp = "2022-01-20T00:15:15.177416Z"
principal.ip = "10.1.1.1"
principal.port = 52758
principal.asset.ip = "10.1.1.1"
target.hostname = "website.com"
target.ip = "10.1.1.1"
target.port = 443
target.namespace = "namespace"
target.asset.ip = "10.1.1.1"
observer.ip = "10.1.1.1"
network.http.method = "POST"
network.http.response_code = 200
Rules¶
Coming Soon