DenyAll Security¶
Description¶
Constructor : DenyAll
Device : Firewall
Log sample¶
1 | 2016-02-29 23:59:02.042882 +00,10.10.150.70,compute.fr1.tt.com,10.120.10.100,,,,jcl1/1.9.1 java/1.7.0_79,0,,,,,GET,/v2/d1bdcd924643413e80620328ddd7a1a2/images/29789ac0-9828-4c87-b3f4-0f1f242ab1c4,,HTTP/1.1,200,102740,1138,423,,,,bdba5182-5353-11e3-a83e-005056000092,22704,API Nova,VtTbRn8AAQEAAB1AokIAAABl,, |
Normalized fields¶
| Constructor field | LMC field |
|---|---|
| TIMESTAMP | [obs][ts] |
| HOST | [init][host][name] |
| LOCALIP | [init][host][ip] |
| HTTPXFORWARDEDFOR | [DenyAll][HTTPXFORWARDEDFOR] |
| REMOTEIP | [target][host][ip] |
| URLOPTION | [target][uri][category] |
| REMOTEUSER | [target][usr][name] |
| HTTPPROTOCOL | [app][proto][name] |
| METHOD | [app][method] |
| USERAGENT | [init][useragent] |
| REFERER | [app][header][referer] |
| COOKIE | [session][cookie] |
| RESPONSETIME | [session][duration] |
| UNIQUEID | [session][id] |
| BYTESSENT | [session][in][byte] |
| BYTESRECEIVED | [session][out][byte] |
| VIA | [DenyAll][VIA] |
| HTTPS | [DenyAll][HTTPS] |
| SSLPROTOCOL | [DenyAll][SSLPROTOCOL] |
| DN | [DenyAll][DN] |
| CERTIFICATESTART | [DenyAll][CERTIFICATESTART] |
| CERTIFICATEEND | [DenyAll][CERTIFICATEEND] |
| HTTPRESPONSE | [DenyAll][HTTPRESPONSE] |
| XCACHE | [DenyAll][XCACHE] |
| GZRATIO | [DenyAll][GZRATIO] |
| POSTDATA | [DenyAll][POSTDATA] |
| APPLICATIONID | [DenyAll][APPLICATIONID] |
Device : Probe¶
Log format : RWebSecurity¶
Sample messages :
10.240.150.70 alert_dispatcher 136668 2016-02-23 11:52:01.574529 10.10.150.70 10.10.1.130 - 4.1.4.2 d1fe42d6-52ca-11e3-a0dc-005056000092 Vsw50X8AAQEAAHjrI1YAAABd 90001-0 90001-2 90001-3 90001-23 90001-25 90001-33 90001-50 9000 22222222-2222-2222-2222-222222222222 \'Attack blocked by scoringlist\' \'Custom Rule\'\"
| Constructor field | LMC field |
|---|---|
| rule | [rule][name] |
| obs_ip | [obs][host][ip] |
| app_name | [app][name] |
| instance | [denyall][instance] |
| other_ip | [denyall][other_ip] |
| unknown | [denyall][unknown] |
| unknown2 | [denyall][unknown2] |
| alarm_id | [denyall][alarm_id] |
| session_ID2 | [denyall][session_ID2] |
| alert | [denyall][alert] |
| session_ID | [session][id] |
| date | [obs][ts] |
| src_ip | [init][host][ip] |
| dst_ip | [target][host][ip] |
Unit Test List:¶
unit_attack_block unit_evasion_attempt unit_injection unit_sql_injection unit_user_login