# DenyAll Security

## Description

Constructor : DenyAll

Device : Firewall

## Log sample

```
2016-02-29 23:59:02.042882 +00,10.10.150.70,compute.fr1.tt.com,10.120.10.100,,,,jcl1/1.9.1 java/1.7.0_79,0,,,,,GET,/v2/d1bdcd924643413e80620328ddd7a1a2/images/29789ac0-9828-4c87-b3f4-0f1f242ab1c4,,HTTP/1.1,200,102740,1138,423,,,,bdba5182-5353-11e3-a83e-005056000092,22704,API Nova,VtTbRn8AAQEAAB1AokIAAABl,,
```
## Normalized fields

| Constructor field | LMC field |
|---|---|
| TIMESTAMP | [obs][ts] |
| HOST | [init][host][name] |
| LOCALIP | [init][host][ip] |
| HTTPXFORWARDEDFOR | [DenyAll][HTTPXFORWARDEDFOR] |
| REMOTEIP | [target][host][ip] |
| URLOPTION | [target][uri][category] |
| REMOTEUSER | [target][usr][name] |
| HTTPPROTOCOL | [app][proto][name] |
| METHOD | [app][method] |
| USERAGENT | [init][useragent] |
| REFERER | [app][header][referer] |
| COOKIE | [session][cookie] |
| RESPONSETIME | [session][duration] |
| UNIQUEID | [session][id] |
| BYTESSENT | [session][in][byte] |
| BYTESRECEIVED | [session][out][byte] |
| VIA | [DenyAll][VIA] |
| HTTPS | [DenyAll][HTTPS] |
| SSLPROTOCOL | [DenyAll][SSLPROTOCOL] |
| DN | [DenyAll][DN] |
| CERTIFICATESTART | [DenyAll][CERTIFICATESTART] |
| CERTIFICATEEND | [DenyAll][CERTIFICATEEND] |
| HTTPRESPONSE | [DenyAll][HTTPRESPONSE] |
| XCACHE | [DenyAll][XCACHE] |
| GZRATIO | [DenyAll][GZRATIO] |
| POSTDATA | [DenyAll][POSTDATA] |
| APPLICATIONID | [DenyAll][APPLICATIONID] |
## Device : Probe

### Log format : RWebSecurity

Sample messages :

```
10.240.150.70 alert_dispatcher 136668 2016-02-23 11:52:01.574529 10.10.150.70 10.10.1.130 - 4.1.4.2 d1fe42d6-52ca-11e3-a0dc-005056000092 Vsw50X8AAQEAAHjrI1YAAABd 90001-0 90001-2 90001-3 90001-23 90001-25 90001-33 90001-50 9000 22222222-2222-2222-2222-222222222222 \'Attack blocked by scoringlist\' \'Custom Rule\'\"
```
| Constructor field | LMC field |
|---|---|
| rule | [rule][name] |
| obs_ip | [obs][host][ip] |
| app_name | [app][name] |
| instance | [denyall][instance] |
| other_ip | [denyall][other_ip] |
| unknown | [denyall][unknown] |
| unknown2 | [denyall][unknown2] |
| alarm_id | [denyall][alarm_id] |
| session_ID2 | [denyall][session_ID2] |
| alert | [denyall][alert] |
| session_ID | [session][id] |
| date | [obs][ts] |
| src_ip | [init][host][ip] |
| dst_ip | [target][host][ip] |
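As an added example (not code from this page, from DenyAll, or from the LMC project), the Python below applies both mapping tables above, the Firewall one and the Probe one, to a flat record of constructor fields and builds the nested LMC document. The two mapping dictionaries are transcribed from the tables on this page; the record values come from the firewall log sample, but the page does not state which CSV column carries which constructor field, so that column-to-field assignment, and the helper names `parse_lmc_path`, `set_path` and `normalize`, are assumptions of this example.

```python
import re
from typing import Any, Dict, List

# Both mapping tables from this page, transcribed verbatim:
# constructor field name -> LMC field path.
FIREWALL_MAP: Dict[str, str] = {
    "TIMESTAMP": "[obs][ts]", "HOST": "[init][host][name]",
    "LOCALIP": "[init][host][ip]", "HTTPXFORWARDEDFOR": "[DenyAll][HTTPXFORWARDEDFOR]",
    "REMOTEIP": "[target][host][ip]", "URLOPTION": "[target][uri][category]",
    "REMOTEUSER": "[target][usr][name]", "HTTPPROTOCOL": "[app][proto][name]",
    "METHOD": "[app][method]", "USERAGENT": "[init][useragent]",
    "REFERER": "[app][header][referer]", "COOKIE": "[session][cookie]",
    "RESPONSETIME": "[session][duration]", "UNIQUEID": "[session][id]",
    "BYTESSENT": "[session][in][byte]", "BYTESRECEIVED": "[session][out][byte]",
    "VIA": "[DenyAll][VIA]", "HTTPS": "[DenyAll][HTTPS]",
    "SSLPROTOCOL": "[DenyAll][SSLPROTOCOL]", "DN": "[DenyAll][DN]",
    "CERTIFICATESTART": "[DenyAll][CERTIFICATESTART]",
    "CERTIFICATEEND": "[DenyAll][CERTIFICATEEND]",
    "HTTPRESPONSE": "[DenyAll][HTTPRESPONSE]", "XCACHE": "[DenyAll][XCACHE]",
    "GZRATIO": "[DenyAll][GZRATIO]", "POSTDATA": "[DenyAll][POSTDATA]",
    "APPLICATIONID": "[DenyAll][APPLICATIONID]",
}
PROBE_MAP: Dict[str, str] = {
    "rule": "[rule][name]", "obs_ip": "[obs][host][ip]", "app_name": "[app][name]",
    "instance": "[denyall][instance]", "other_ip": "[denyall][other_ip]",
    "unknown": "[denyall][unknown]", "unknown2": "[denyall][unknown2]",
    "alarm_id": "[denyall][alarm_id]", "session_ID2": "[denyall][session_ID2]",
    "alert": "[denyall][alert]", "session_ID": "[session][id]", "date": "[obs][ts]",
    "src_ip": "[init][host][ip]", "dst_ip": "[target][host][ip]",
}

_KEY_RE = re.compile(r"\[([^\[\]]+)\]")


def parse_lmc_path(path: str) -> List[str]:
    """'[session][in][byte]' -> ['session', 'in', 'byte'].
    Rejects anything that is not a contiguous run of bracketed keys, so a
    typo in a mapping table fails loudly instead of creating a bogus key."""
    keys = _KEY_RE.findall(path)
    if not keys or "".join(f"[{k}]" for k in keys) != path:
        raise ValueError(f"malformed LMC path: {path!r}")
    return keys


def set_path(doc: Dict[str, Any], keys: List[str], value: Any) -> None:
    """Create intermediate dicts and store value at the leaf. Refuses to
    overwrite a scalar with a subtree or vice versa, which is what happens
    when two constructor fields map to overlapping LMC paths."""
    node = doc
    for k in keys[:-1]:
        child = node.setdefault(k, {})
        if not isinstance(child, dict):
            raise ValueError(f"path conflict at {k!r}: scalar already present")
        node = child
    leaf = keys[-1]
    if isinstance(node.get(leaf), dict):
        raise ValueError(f"path conflict at {leaf!r}: subtree already present")
    node[leaf] = value


def normalize(record: Dict[str, str], mapping: Dict[str, str]) -> Dict[str, Any]:
    """Map a flat constructor record to a nested LMC document.
    Empty strings (empty CSV columns in the firewall format) produce no key;
    a field absent from the mapping raises so schema drift is noticed."""
    out: Dict[str, Any] = {}
    for field, value in record.items():
        if field not in mapping:
            raise KeyError(f"constructor field {field!r} has no LMC mapping")
        if value is None or value == "":
            continue
        set_path(out, parse_lmc_path(mapping[field]), value)
    return out


# Constructed record: values are taken from the page's firewall log sample, but
# which column carries which constructor field is an assumption of this example,
# since the page does not document column positions.
SAMPLE_FIREWALL_RECORD: Dict[str, str] = {
    "TIMESTAMP": "2016-02-29 23:59:02.042882 +00",
    "LOCALIP": "10.10.150.70",
    "HOST": "compute.fr1.tt.com",
    "REMOTEIP": "10.120.10.100",
    "HTTPXFORWARDEDFOR": "",  # empty column -> no LMC key emitted
    "USERAGENT": "jcl1/1.9.1 java/1.7.0_79",
    "METHOD": "GET",
    "HTTPPROTOCOL": "HTTP/1.1",
    "HTTPRESPONSE": "200",
    "BYTESSENT": "1138",
    "BYTESRECEIVED": "423",
    "UNIQUEID": "bdba5182-5353-11e3-a83e-005056000092",
    "APPLICATIONID": "API Nova",
}

if __name__ == "__main__":
    import json
    print(json.dumps(normalize(SAMPLE_FIREWALL_RECORD, FIREWALL_MAP), indent=2))
```

A check worth keeping in mind when wiring up the firewall format: the sample line above splits into 30 comma-separated columns while the Firewall table names 27 constructor fields, so a collector that assigns columns by position needs the vendor's column list rather than the order of the table. `normalize` raises on a constructor field with no LMC mapping and on two fields whose LMC paths collide (for example a scalar at `[app]` next to `[app][method]`), and it drops empty columns rather than emitting empty keys, so downstream detection rules never match on an empty string that merely means "column absent".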
## Unit Test List

- unit_attack_block
- unit_evasion_attempt
- unit_injection
- unit_sql_injection
- unit_user_login