Radware WAF
About
Radware's Web Application Firewall ensures fast, reliable and secure delivery of mission-critical web applications and APIs, both on corporate networks and in the cloud.
Product Details
Vendor URL: www.radware.com
Product Type: Web Application Firewall
Product Tier: Tier II
Integration Method: Syslog
Parser Details
Log Format: Syslog
Expected Normalization Rate: 100%
Data Label: RADWARE_FIREWALL
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| transId | metadata.product_log_id |
| title | metadata.description |
| host | target.url |
| host | target.hostname |
| host | target.ip |
| host | target.asset.ip |
| destinationPort | target.port |
| uri | target.file.full_path |
| violationType | security_result.description |
| violationCategory | security_result.summary |
| targetModule | security_result.rule_name |
| tunnel | security_result.rule_id |
| owaspCategory2017 | security_result.category_details |
| protocol | network.application_protocol |
| request | network.http.method |
| User-Agent | network.http.user_agent |
| X-RDWR-PORT | principal.port |
| X-RDWR-IP | principal.ip |
| X-RDWR-IP | principal.asset.ip |
| sourceIp | observer.ip |
| sourcePort | intermediary.port |
Product Event Types
| eventType | UDM Event Classification |
|---|---|
| ALL | NETWORK_HTTP |
Log Sample
```
- [AppWallAttackSysLogMessage action="Modified" appPath="/robots.txt" appWallTimeStamp="1656047623839" awVersion="7.6.15.10" destinationIp="10.10.0.2" destinationPort="54011" devType="Cluster Gateway Node" directory="/" enrichmentContainer="{owaspCategory=null,geoLocation={countryCode=--},owaspCategory2017=A3,contractId=aaaa-bbbb-1111-2222,applicationId=aaaa-bbbb-1111-2222,tenant=aaaa-bbbb-1111-2222}" externalIp="10.10.0.1" host="www.domain.com" method="N/A" module="Tunnel Module" passive="true" protocol="HTTP" receivedTimeStamp="1656047637909" request="GET /robots.txt HTTP/1.1
Accept-Encoding: gzip
Host: www.domainname.com
X-RDWR-IP: 10.10.0.1
X-RDWR-PORT: 39776
X-RDWR-PORT-MM-ORIG-FE-PORT: 443
X-RDWR-PORT-MM: 443
User-Agent: Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
From: support@search.domain.ru
Accept: */*
ShieldSquare-Response: 0
" role="public" security="true" severity="Low" sourceIp="10.10.0.3" sourcePort="64347" targetModule="Tunnel Module" title="Empty response page returned to the web user" transId="aaaabbbb" tunnel="rule_id" uri="/robots.txt" user="public" vhost="<any host>" violationCategory="Information Leakage" violationType="Server Information Leakage" webApp="Web Applications - All"]
```
Sample Parsing
```
metadata.product_log_id = "aaaabbbb"
metadata.event_timestamp = "2022-06-24T05:13:57.909Z"
metadata.event_type = "NETWORK_HTTP"
metadata.description = "Empty response page returned to the web user"
principal.ip = "10.10.0.1"
principal.port = 39776
principal.asset.ip = "10.10.0.1"
target.hostname = "www.domain.com"
target.ip = "10.10.0.2"
target.port = 54011
target.url = "www.domain.com"
target.file.full_path = "/robots.txt"
target.asset.hostname = "www.domain.com"
target.asset.ip = "10.10.0.2"
intermediary.ip = "10.10.0.3"
intermediary.port = 64347
observer.ip = "10.10.0.3"
security_result.category_details = "Owasp Category: A3"
security_result.rule_name = "Tunnel Module"
security_result.summary = "Information Leakage"
security_result.description = "Server Information Leakage"
security_result.action = "ALLOW_WITH_MODIFICATION"
security_result.severity = "LOW"
security_result.rule_id = "rule_id"
network.application_protocol = "HTTP"
network.http.method = "GET"
```
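To make the field mapping above concrete, here is an added example (not the product parser, and not code from Radware or the parser vendor) that flattens one AppWallAttackSysLogMessage into the UDM keys the table lists. It assumes the attribute names seen in the Log Sample, takes the client address from the X-RDWR-* headers embedded in the multi-line request value, converts the millisecond receivedTimeStamp to the RFC 3339 form shown in Sample Parsing, and maps action="Modified" to ALLOW_WITH_MODIFICATION; the input is a constructed, shortened copy of the sample, and the fallback for actions the page does not show is an assumption.

```python
import re
from datetime import datetime, timezone

SAMPLE = (  # constructed: the page's Log Sample with some attributes dropped for brevity
    '- [AppWallAttackSysLogMessage action="Modified" destinationIp="10.10.0.2" '
    'destinationPort="54011" enrichmentContainer="{owaspCategory=null,'
    'geoLocation={countryCode=--},owaspCategory2017=A3,contractId=aaaa-bbbb-1111-2222}" '
    'host="www.domain.com" receivedTimeStamp="1656047637909" '
    'request="GET /robots.txt HTTP/1.1\nHost: www.domainname.com\nX-RDWR-IP: 10.10.0.1\n'
    'X-RDWR-PORT: 39776\nUser-Agent: Mozilla/5.0 (compatible; YandexBot/3.0)\n'
    '" severity="Low" sourceIp="10.10.0.3" sourcePort="64347" targetModule="Tunnel Module" '
    'transId="aaaabbbb" violationType="Server Information Leakage"]'
)
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')  # [^"]* crosses newlines, so the request block is one value
ACTION_MAP = {"Modified": "ALLOW_WITH_MODIFICATION"}  # only the mapping the page shows

def ms_to_iso(ms):
    """Epoch milliseconds -> RFC 3339 UTC; integer maths keeps the .909 exact."""
    ms = int(ms)
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return base.strftime("%Y-%m-%dT%H:%M:%S") + f".{ms % 1000:03d}Z"

def parse_radware(line):
    """Flatten one AppWallAttackSysLogMessage into UDM-style keys (names as on the page)."""
    kv = dict(KV_RE.findall(line))
    req_line, *hdr_lines = kv.get("request", "").splitlines() or [""]
    headers = {}
    for h in hdr_lines:                       # "Name: value" lines after the request line
        name, sep, val = h.partition(":")
        if sep:
            headers[name.strip()] = val.strip()
    owasp = re.search(r"owaspCategory2017=([^,}]+)", kv.get("enrichmentContainer", ""))
    return {
        "metadata.product_log_id": kv.get("transId"),
        "metadata.event_timestamp": ms_to_iso(kv["receivedTimeStamp"]),
        "principal.ip": headers.get("X-RDWR-IP"),            # client comes from X-RDWR-* headers
        "principal.port": int(headers["X-RDWR-PORT"]) if "X-RDWR-PORT" in headers else None,
        "target.hostname": kv.get("host"),                   # host attribute, not the Host header
        "target.ip": kv.get("destinationIp"),
        "target.port": int(kv["destinationPort"]),
        "observer.ip": kv.get("sourceIp"),                   # reporting WAF node
        "security_result.category_details": f"Owasp Category: {owasp.group(1)}" if owasp else None,
        "security_result.rule_name": kv.get("targetModule"),
        "security_result.description": kv.get("violationType"),
        "security_result.action": ACTION_MAP.get(kv.get("action"), "UNKNOWN_ACTION"),  # assumed fallback
        "security_result.severity": kv.get("severity", "").upper() or None,
        "network.http.method": req_line.split(" ")[0] or None,
        "network.http.user_agent": headers.get("User-Agent"),
    }
```

Running `parse_radware(SAMPLE)` yields the same values as the Sample Parsing block for every key it emits, which is a quick way to check a mapping change against a captured event before shipping it.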
Parser Alerting
This product currently does not have any parser-based alerting.