fix: fix Barracuda WAF app_parser (#2115)

* fix: Fix app-syslog-barracuda_waf.conf * docs: Update documentation after fixing parser for Barracuda WAF * docs: Update documentation after fixing parser for Barracuda WAF * chore: update test samples, product name and filter for Barracuda WAF * fix: exclude prefix flag due to failing tests * fix: remove flags ignore-case due to failing tests
splunk · Jul 31, 2023 · 04e531a · 04e531a
1 parent cc272b8
commit 04e531a
Show file tree

Hide file tree

Showing 4 changed files with 127 additions and 23 deletions.
diff --git a/docs/sources/vendor/Barracuda/waf_on_prem.md b/docs/sources/vendor/Barracuda/waf_on_prem.md
@@ -1,26 +1,34 @@
-# WAF (On Premises)
+# Barracuda WAF (On Premises)
 
 ## Key facts
 
-* RFC 3164 Framed
-* Default port 514
+* RFC 5424 Framed with non-standard ISO timestamp: `%Y-%m-%d %H:%M:%S.%f %z`
+* MSG Format based filter
 
 
 ## Links
 
 | Ref            | Link                                                                                                    |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| Splunk Add-on  | None                                                               |
-| Product Manual | None |
+| Splunk Add-on  | https://splunkbase.splunk.com/app/3776                                                               |
+| Product Manual | https://campus.barracuda.com/product/webapplicationfirewall/doc/92767349/exporting-log-formats/ |
 
 ## Sourcetypes
 
 | sourcetype      | notes                                                                                                   |
 |-----------------|---------------------------------------------------------------------------------------------------------|
-|barracuda:waf   |  none  |
+|barracuda:system   |  program("SYS")  |
+|barracuda:waf   |  program("WF")  |
+|barracuda:web   |  program("TR")  |
+|barracuda:audit   |  program("AUDIT")  |
+|barracuda:firewall   |  program("NF")  |
 
 ## Sourcetype and Index Configuration
 
 | key    | sourcetype     | index  | notes          |
 |--------|----------------|--------|----------------|
+| barracuda_system       |  barracuda:system  | netwaf  | None     |
 | barracuda_waf       |  barracuda:waf  | netwaf  | None     |
+| barracuda_web       |  barracuda:web  | netwaf  | None     |
+| barracuda_audit       |  barracuda:audit  | netwaf  | None     |
+| barracuda_firewall       |  barracuda:firewall  | netwaf  | None     |
diff --git a/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-barracuda_waf.conf b/package/etc/conf.d/conflib/almost-syslog/app-almost-syslog-barracuda_waf.conf
@@ -0,0 +1,22 @@
+block parser app-almost-syslog-barracuda_waf() {
+    channel {
+        parser {
+            regexp-parser(
+                prefix(".tmp.")
+                patterns('^(?<pri>\<\d+\>)(?: *)(?<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} (\+|-)\d{4})\s{1,2}(?<host>[^ ]+) (?<log_type>(SYS|WF|TR|AUDIT|NF)) (?<message>.*)')
+            );
+            date-parser(
+                format('%Y-%m-%d %H:%M:%S.%f %z')
+                template("${.tmp.timestamp}")
+            );
+            syslog-parser(
+                flags(assume-utf8, guess-timezone)
+                template("${.tmp.pri} $S_ISODATE ${.tmp.host} ${.tmp.log_type} ${.tmp.message}")
+            );
+        };
+    };
+};
+
+application app-almost-syslog-barracuda_waf[sc4s-almost-syslog] {
+    parser { app-almost-syslog-barracuda_waf(); };
+};
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-barracuda_waf.conf b/package/etc/conf.d/conflib/syslog/app-syslog-barracuda_waf.conf
@@ -3,16 +3,54 @@ block parser app-syslog-barracuda_waf() {
         rewrite {
             r_set_splunk_dest_default(
                 index("netwaf")
-                sourcetype('barracuda:waf')
                 vendor("barracuda")
-                product("syslog")
+                product("waf")
+                sourcetype('barracuda:syslog')
             )
         };
+
+        if (program('SYS')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('barracuda:system')
+                );
+            };
+        } elif (program('WF')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('barracuda:waf')
+                );
+            };   
+        } elif (program('TR')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('barracuda:web')
+                );
+            };   
+        } elif (program('AUDIT')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('barracuda:audit')
+                );
+            };   
+        } elif (program('NF')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('barracuda:firewall')
+                );
+            };   
+        };
     };
 };
-application app-syslog-barracuda_waf[sc4s-syslog] {
+
+
+application app-syslog-barracuda_waf[sc4s-syslog-pgm] {
     filter {
-        program('waf-den'  type(string)  flags(prefix));
+        program('SYS' type(string))
+        or program('WF' type(string))
+        or program('TR' type(string))
+        or program('AUDIT' type(string))
+        or program('NF' type(string))
     };	
     parser { app-syslog-barracuda_waf(); };
 };
diff --git a/tests/test_barracuda_waf.py b/tests/test_barracuda_waf.py
@@ -1,39 +1,75 @@
-# Copyright 2019 Splunk, Inc.
+# Copyright 2023 Splunk, Inc.
 #
 # Use of this source code is governed by a BSD-2-clause-style
 # license that can be found in the LICENSE-BSD2 file or at
 # https://opensource.org/licenses/BSD-2-Clause
 
+import re
+
 from jinja2 import Environment
 
 from .sendmessage import *
 from .splunkutils import *
 from .timeutils import *
 
+import pytest
+
+# Log examples based on https://campus.barracuda.com/product/webapplicationfirewall/doc/92767349/exporting-log-formats/
+test_data = [
+    {
+        "template": "{{ mark }}{{ iso }}  {{ host }} {{ log_type }} ADMIN_M ALER 51001 Account has been locked for user User because the number of consecutive log-in failures exceeded the maximum allowed",
+        "log_type": "SYS",
+        "sourcetype": "barracuda:system",
+        "index": "netwaf"
+    },
+    {
+        "template": "{{ mark }}{{ iso }}  {{ host }} {{ log_type }} ALER PRE_1_0_REQUEST 1.1.1.1 34006 1.1.1.2 80 global GLOBAL LOG NONE [POST /index.cgi] POST 1.1.1.2/index.cgi HTTP REQ-0+RES-0 “Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0”  1.1.1.117 34005 User http://1.1.1.2/index.cgi",
+        "log_type": "WF",
+        "sourcetype": "barracuda:waf",
+        "index": "netwaf"
+    },
+    {
+        "template": "{{ mark }}{{ iso }}  {{ host }} {{ log_type }} 1001::1:1 80 1001::1 43740 \"-\" \"-\" GET HTTP 1001::1:1 HTTP/1.1 200 2837 232 0 1008 1001::1 80 10 REQ-0+RES-0   SERVER DEFAULT PASSIVE VALID /index.html name=user http://1001::1:1/index.cgi namdksih=azkdz \"Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0\" 1001::117 43740 User gzip,deflate 1001::128 keep-alive",
+        "log_type": "TR",
+        "sourcetype": "barracuda:web",
+        "index": "netwaf"
+    },
+    {
+        "template": "{{ mark }}{{ iso }}  {{ host }} {{ log_type }} User GUI 1.1.1.121 24784 CONFIG 166 config SET virtual_ip_config_address 99.99.130.45 virtual_ip_config_interface \"\" \"WAN\" []",
+        "log_type": "AUDIT",
+        "sourcetype": "barracuda:audit",
+        "index": "netwaf"
+    },
+    {
+        "template": "{{ mark }}{{ iso }}  {{ host }} {{ log_type }} INFO TCP 1.1.1.117 52676 1.1.1.2 80 ALLOW testacl MGMT/LAN/WAN interface traffic:allow",
+        "log_type": "NF",
+        "sourcetype": "barracuda:firewall",
+        "index": "netwaf"
+    }
+]
+
 env = Environment()
 
-def test_netapp_test_audit_event(
-        record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s
+@pytest.mark.parametrize("test_case", test_data)
+def test_barracuda_waf(
+        record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, test_case
 ):
-    event = '{{ mark }}{{ bsd }} -0600  waf-den TR {{ host }} 123 10.0.0.0 5000 "-" "-" GET TLSv1.2 fws.gov HTTP/1.1 200 1000 725 SERVER DEFAULT UNPROTECTED VALID /themes/custom/fws_gov/favicon.ico 10.0.0.0 50000 50'
-
     host = get_host_key
 
     dt = datetime.datetime.now(datetime.timezone.utc)
-    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
-
-    # Tune time functions
-    epoch = epoch[:-7]
+    iso = dt.astimezone().isoformat(sep=" ", timespec="milliseconds")                 # '2023-07-19 11:45:48.819+00:00'
+    vendor_iso_format = re.sub(r'(.+)([+-])(\d{2}):(\d{2})$', r'\1 \2\3\4', iso)      # '2023-07-19 11:45:48.819 +0000'
 
-    mt = env.from_string(event + "\n")
-    message = mt.render(mark="<134>", bsd=bsd, host=host)
+    mt = env.from_string(test_case["template"] + "\n")
+    message = mt.render(mark="<134>", iso=vendor_iso_format, host=host, log_type=test_case["log_type"])
 
     sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 
+    epoch = dt.astimezone().strftime("%s.%f")[:-3]
     st = env.from_string(
-        'search index=netwaf _time={{ epoch }} sourcetype="barracuda:waf" {{ host }}'
+        'search index={{ index }} _time={{ epoch }} sourcetype={{ source_type }} host={{ host }}'
     )
-    search = st.render(epoch=epoch, host=host)
+    search = st.render(index=test_case["index"], epoch=epoch, source_type=test_case["sourcetype"], host=host)
 
     resultCount, eventCount = splunk_single(setup_splunk, search)