DenyAll Security

Description

Constructor : DenyAll

Device : Firewall

Log sample

2016-02-29 23:59:02.042882 +00,10.10.150.70,compute.fr1.tt.com,10.120.10.100,,,,jcl1/1.9.1 java/1.7.0_79,0,,,,,GET,/v2/d1bdcd924643413e80620328ddd7a1a2/images/29789ac0-9828-4c87-b3f4-0f1f242ab1c4,,HTTP/1.1,200,102740,1138,423,,,,bdba5182-5353-11e3-a83e-005056000092,22704,API Nova,VtTbRn8AAQEAAB1AokIAAABl,,

Normalized fields

Constructor field   LMC field
TIMESTAMP           [obs][ts]
HOST                [init][host][name]
LOCALIP             [init][host][ip]
HTTPXFORWARDEDFOR   [DenyAll][HTTPXFORWARDEDFOR]
REMOTEIP            [target][host][ip]
URLOPTION           [target][uri][category]
REMOTEUSER          [target][usr][name]
HTTPPROTOCOL        [app][proto][name]
METHOD              [app][method]
USERAGENT           [init][useragent]
REFERER             [app][header][referer]
COOKIE              [session][cookie]
RESPONSETIME        [session][duration]
UNIQUEID            [session][id]
BYTESSENT           [session][in][byte]
BYTESRECEIVED       [session][out][byte]
VIA                 [DenyAll][VIA]
HTTPS               [DenyAll][HTTPS]
SSLPROTOCOL         [DenyAll][SSLPROTOCOL]
DN                  [DenyAll][DN]
CERTIFICATESTART    [DenyAll][CERTIFICATESTART]
CERTIFICATEEND      [DenyAll][CERTIFICATEEND]
HTTPRESPONSE        [DenyAll][HTTPRESPONSE]
XCACHE              [DenyAll][XCACHE]
GZRATIO             [DenyAll][GZRATIO]
POSTDATA            [DenyAll][POSTDATA]
APPLICATIONID       [DenyAll][APPLICATIONID]

Device : Probe

Log format : RWebSecurity

Sample messages :

10.240.150.70 alert_dispatcher 136668 2016-02-23 11:52:01.574529 10.10.150.70 10.10.1.130 - 4.1.4.2 d1fe42d6-52ca-11e3-a0dc-005056000092 Vsw50X8AAQEAAHjrI1YAAABd 90001-0 90001-2 90001-3 90001-23 90001-25 90001-33 90001-50 9000 22222222-2222-2222-2222-222222222222 'Attack blocked by scoringlist' 'Custom Rule'

Constructor field   LMC field
rule                [rule][name]
obs_ip              [obs][host][ip]
app_name            [app][name]
instance            [denyall][instance]
other_ip            [denyall][other_ip]
unknown             [denyall][unknown]
unknown2            [denyall][unknown2]
alarm_id            [denyall][alarm_id]
session_ID2         [denyall][session_ID2]
alert               [denyall][alert]
session_ID          [session][id]
date                [obs][ts]
src_ip              [init][host][ip]
dst_ip              [target][host][ip]
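Both mapping tables above (Firewall and Probe) express the LMC target as a bracket path such as [session][in][byte]. The Python script below is an added example, not code from the DenyAll parser or from the LMC project: it loads both tables verbatim, validates each path, and builds the nested document a normalized event would have, refusing a mapping in which one path is a prefix of another. The input dictionaries are constructed for illustration: the page does not document which CSV column or which space-separated token feeds which constructor field, so the assignment of sample values to field names is an assumption, and the script starts from already-extracted constructor fields. Empty values are dropped, as an empty column in the firewall sample would otherwise produce an empty string under [app][header][referer].

```python
import json
import re

# Mapping tables copied verbatim from the page: "<constructor field> <LMC path>" per line.
FIREWALL_TABLE = """
TIMESTAMP [obs][ts]
HOST [init][host][name]
LOCALIP [init][host][ip]
HTTPXFORWARDEDFOR [DenyAll][HTTPXFORWARDEDFOR]
REMOTEIP [target][host][ip]
URLOPTION [target][uri][category]
REMOTEUSER [target][usr][name]
HTTPPROTOCOL [app][proto][name]
METHOD [app][method]
USERAGENT [init][useragent]
REFERER [app][header][referer]
COOKIE [session][cookie]
RESPONSETIME [session][duration]
UNIQUEID [session][id]
BYTESSENT [session][in][byte]
BYTESRECEIVED [session][out][byte]
VIA [DenyAll][VIA]
HTTPS [DenyAll][HTTPS]
SSLPROTOCOL [DenyAll][SSLPROTOCOL]
DN [DenyAll][DN]
CERTIFICATESTART [DenyAll][CERTIFICATESTART]
CERTIFICATEEND [DenyAll][CERTIFICATEEND]
HTTPRESPONSE [DenyAll][HTTPRESPONSE]
XCACHE [DenyAll][XCACHE]
GZRATIO [DenyAll][GZRATIO]
POSTDATA [DenyAll][POSTDATA]
APPLICATIONID [DenyAll][APPLICATIONID]
"""
PROBE_TABLE = """
rule [rule][name]
obs_ip [obs][host][ip]
app_name [app][name]
instance [denyall][instance]
other_ip [denyall][other_ip]
unknown [denyall][unknown]
unknown2 [denyall][unknown2]
alarm_id [denyall][alarm_id]
session_ID2 [denyall][session_ID2]
alert [denyall][alert]
session_ID [session][id]
date [obs][ts]
src_ip [init][host][ip]
dst_ip [target][host][ip]
"""

_PATH_RE = re.compile(r"\[([^\[\]]+)\]")


def parse_path(path):
    """'[session][in][byte]' -> ['session', 'in', 'byte']; reject anything that is
    not exactly a run of bracketed keys, so a typo in a table fails at load time."""
    keys = _PATH_RE.findall(path)
    if not keys or "".join(f"[{k}]" for k in keys) != path:
        raise ValueError(f"malformed LMC path: {path!r}")
    return keys


def load_mapping(table):
    """Parse a two-column table as printed on the page into {constructor: path}."""
    mapping = {}
    for line in table.strip().splitlines():
        name, path = line.split(None, 1)
        path = path.strip()
        parse_path(path)  # validate now rather than on the first event
        mapping[name] = path
    return mapping


def set_path(doc, keys, value):
    """Write value at the nested position given by keys, creating dicts on the way.
    A scalar already sitting where a dict is needed means two paths overlap."""
    node = doc
    for key in keys[:-1]:
        child = node.get(key)
        if child is None:
            child = node[key] = {}
        elif not isinstance(child, dict):
            raise ValueError(f"path conflict: {key!r} is already a scalar")
        node = child
    node[keys[-1]] = value


def normalize(fields, mapping):
    """Map extracted constructor fields to a nested LMC document. Empty values are
    dropped; fields missing from the table are kept under [unmapped][<name>]."""
    doc = {}
    for name, value in fields.items():
        if value in ("", None):
            continue
        set_path(doc, parse_path(mapping.get(name, f"[unmapped][{name}]")), value)
    return doc


FIREWALL_MAP = load_mapping(FIREWALL_TABLE)
PROBE_MAP = load_mapping(PROBE_TABLE)

# Constructed inputs: values lifted from the samples on the page, but their
# assignment to constructor field names is an assumption of this example.
FIREWALL_SAMPLE = {"TIMESTAMP": "2016-02-29 23:59:02.042882 +00", "HOST": "compute.fr1.tt.com",
                   "LOCALIP": "10.10.150.70", "REMOTEIP": "10.120.10.100", "METHOD": "GET",
                   "HTTPPROTOCOL": "HTTP/1.1", "UNIQUEID": "VtTbRn8AAQEAAB1AokIAAABl", "REFERER": ""}
PROBE_SAMPLE = {"date": "2016-02-23 11:52:01.574529", "src_ip": "10.10.150.70", "dst_ip": "10.10.1.130",
                "session_ID": "Vsw50X8AAQEAAHjrI1YAAABd", "alert": "Attack blocked by scoringlist",
                "rule": "Custom Rule"}

if __name__ == "__main__":
    print(json.dumps(normalize(FIREWALL_SAMPLE, FIREWALL_MAP), indent=2))
    print(json.dumps(normalize(PROBE_SAMPLE, PROBE_MAP), indent=2))
```

Because both tables send the timestamp, session id and endpoint addresses to the same paths ([obs][ts], [session][id], [init][host][ip], [target][host][ip]), a firewall access line and a probe alert for the same request normalize into documents that can be joined on those keys, which is the point of the shared LMC namespace; vendor-specific fields stay under [DenyAll] or [denyall].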

Unit Test List:

unit_attack_block unit_evasion_attempt unit_injection unit_sql_injection unit_user_login