Skip to content

Radware WAF

radware

About

Radware’s Web Application Firewall, ensures fast, reliable and secure delivery of mission-critical Web applications and APIs for corporate networks and in the cloud.

Product Details

Vendor URL: www.radware.com

Product Type: Web Application Firewall

Product Tier: Tier II

Integration Method: Syslog

Parser Details

Log Format: Syslog

Expected Normalization Rate: 100%

Data Label: RADWARE_FIREWALL

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
transId metadata.product_log_id
title metadata.description
host target.url
host target.hostname
host target.ip
host target.asset.ip
destinationPort target.port
uri target.file.full_path
violationType security_result.description
violationCategory security_result.summary
targetModule security_result.rule_name
tunnel security_result.rule_id
owaspCategory2017 security_result.category_details
protocol network.application_protocol
request network.http.method
User-Agent network.http.user_agent
X-RDWR-PORT principal.port
X-RDWR-IP principal.ip
X-RDWR-IP principal.asset.ip
sourceIp observer.ip
sourcePort intermediary.port

Product Event Types

eventType UDM Event Classification
ALL NETWORK_HTTP

Log Sample

- [AppWallAttackSysLogMessage action="Modified" appPath="/robots.txt" appWallTimeStamp="1656047623839" awVersion="7.6.15.10" destinationIp="10.10.0.2" destinationPort="54011" devType="Cluster Gateway Node" directory="/" enrichmentContainer="{owaspCategory=null,geoLocation={countryCode=--},owaspCategory2017=A3,contractId=aaaa-bbbb-1111-2222,applicationId=aaaa-bbbb-1111-2222,tenant=aaaa-bbbb-1111-2222}" externalIp="10.10.0.1" host="www.domain.com" method="N/A" module="Tunnel Module" passive="true" protocol="HTTP" receivedTimeStamp="1656047637909" request="GET /robots.txt HTTP/1.1
Accept-Encoding: gzip
Host: www.domainname.com
X-RDWR-IP: 10.10.0.1
X-RDWR-PORT: 39776
X-RDWR-PORT-MM-ORIG-FE-PORT: 443
X-RDWR-PORT-MM: 443
User-Agent: Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
From: support@search.domain.ru
Accept: */*
ShieldSquare-Response: 0

" role="public" security="true" severity="Low" sourceIp="10.10.0.3" sourcePort="64347" targetModule="Tunnel Module" title="Empty response page returned to the web user" transId="aaaabbbb" tunnel="rule_id" uri="/robots.txt" user="public" vhost="<any host>" violationCategory="Information Leakage" violationType="Server Information Leakage" webApp="Web Applications - All"]

Sample Parsing

metadata.product_log_id = "aaaabbbb"
metadata.event_timestamp = "2022-06-24T05:13:57.909Z"
metadata.event_type = "NETWORK_HTTP"
metadata.description = "Empty response page returned to the web user"
principal.ip = "10.10.0.1"
principal.port = 39776
principal.asset.ip = "10.10.0.1"
target.hostname = "www.domain.com"
target.ip = "10.10.0.2"
target.port = 54011
target.url = "www.domain.com"
target.file.full_path = "/robots.txt"
target.asset.hostname = "www.domain.com"
target.asset.ip = "10.10.0.2"
intermediary.ip = "10.10.0.3"
intermediary.port = 64347
observer.ip = "10.10.0.3"
security_result.category_details = "Owasp Category: A3"
security_result.rule_name = "Tunnel Module"
security_result.summary = "Information Leakage"
security_result.description = "Server Information Leakage"
security_result.action = "ALLOW_WITH_MODIFICATION"
security_result.severity = "LOW"
security_result.rule_id = "rule_id"
network.application_protocol = "HTTP"
network.http.method = "GET"

Parser Alerting

This product currently does not have any Parser-based Alerting