The Barracuda Web Site Firewall generates four types of logs, each of which can be configured to be
sent over the syslog mechanism to a remote server specified by the Barracuda Web Site Firewall
administrator. These logs are also kept on the Barracuda Web Site Firewall in a log database, are
visible in the GUI under various tabs, and can be exported in CSV format to external files. This
document describes each element of these syslog messages to help the administrator analyze the
events and understand the activity performed by the Barracuda Web Site Firewall for each traffic
request. Understanding the formats also lets the information be consumed by external parsers or
other agents run on the syslog messages sent from the Barracuda Web Site Firewall, starting with
version 7.0.x of the firmware.
The four types of events are explained briefly below. Each type is logged at a different syslog
facility so that the types can be managed separately on the external syslog server they are forwarded to.
System Events: These are the events generated by the system and show the general activity of the
system. These logs are logged at LOCAL0 facility and at various priority levels depending on the
content of the message.
Web Firewall Logs: These are the events which indicate the web firewall activity in terms of allowing,
blocking or modifying the incoming requests and responses as defined in the Barracuda Web Site
Firewall rules and policies. These logs are logged at LOCAL1 facility and at various priorities based
on the action taken.
Access Logs: These events pertain to the traffic activity and log various elements of the incoming
HTTP request and the responses from the backend servers. These are logged at LOCAL2 facility at
the priority level INFO.
Audit Logs: These events pertain to the auditing events generated by the system which log the
configuration and UI activity by users like admin. These are logged at LOCAL3 facility and at the
priority level INFO.
If you have any questions after reading this document, please call us at 408-342-5400 or email us at
support@barracuda.com.
Enabling Syslog
To enable exporting of logs to a remote syslog server, navigate to the Advanced > Export Logs
page. The remote syslog server for System Events is specified under System Logs in the web GUI;
enter the IP address of the syslog server to which you wish to direct the messages. The remote
syslog server for the application logs (i.e. Web Firewall, Access and Audit logs) is specified under
Application Logs. If you are running syslog on a UNIX machine, be sure to start the syslog daemon
process with the "-r" option so that it can receive messages from sources other than itself. Windows
users have to install a separate program to receive syslog, since the Windows OS does not include
syslog capability. Kiwi Syslog is a popular solution, but there are many others to choose from,
both free and commercial.
Page 1
Barracuda Syslog
Barracuda Web Site Firewall
The syslog messages are sent over UDP to the standard syslog port of 514. If there are any firewalls
between the Barracuda Web Site Firewall and the server receiving the syslog messages, then be
sure that port 514 is open on the firewalls. The syslog messages arrive on various facilities depending
on the log type and various priority levels based on the severity of the log. These facilities and levels
are not configurable and are decided by the Barracuda Web Site Firewall. For information on how to
manage these logs please see the documentation available for your syslog server.
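The facility and level scheme described above, as an added example that is not code from Barracuda or from this document: a small Python decoder for the syslog PRI header that a collector sees in front of every forwarded line. It assumes the standard RFC 3164 encoding PRI = facility * 8 + severity (LOCAL0 to LOCAL3 are facilities 16 to 19) together with the facility assignments given in this document; the hostname token and the sample lines are constructed, since the exact header layout after the PRI depends on the syslog implementation.

```python
"""Decode the syslog PRI field on lines forwarded by a Barracuda Web Site Firewall.

Added example, not code from Barracuda or from this document. It relies on the
RFC 3164 encoding PRI = facility * 8 + severity, in which LOCAL0..LOCAL3 are
facilities 16..19, and on the facility assignments given in the document.
The sample lines are constructed; the text after the PRI is whatever the
appliance sends and is not interpreted here.
"""
import re

# Facility numbers for the four local facilities the appliance uses.
FACILITY_NAMES = {16: "LOCAL0", 17: "LOCAL1", 18: "LOCAL2", 19: "LOCAL3"}

# syslog severity levels; the tuple index is the numeric level.
SEVERITY_NAMES = ("EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG")

# Log type per facility, as documented for the Barracuda Web Site Firewall.
LOG_TYPE_BY_FACILITY = {
    "LOCAL0": "System Events",
    "LOCAL1": "Web Firewall Logs",
    "LOCAL2": "Access Logs",
    "LOCAL3": "Audit Logs",
}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri: int) -> tuple:
    """Split a PRI value into (facility, severity); rejects out-of-range values."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def pri_for(facility_name: str, severity_name: str) -> int:
    """Inverse of decode_pri, useful when writing a receiver-side filter."""
    facility = {v: k for k, v in FACILITY_NAMES.items()}[facility_name]
    return facility * 8 + SEVERITY_NAMES.index(severity_name)


def classify(raw: str) -> dict:
    """Return facility, severity and Barracuda log type for one raw syslog line.

    log_type is None when the facility is not one of LOCAL0..LOCAL3, which lets
    a collector spot lines that did not come from the four WAF log types.
    """
    m = _PRI_RE.match(raw)
    if m is None:
        raise ValueError(f"no PRI header on line: {raw!r}")
    facility, severity = decode_pri(int(m.group(1)))
    facility_name = FACILITY_NAMES.get(facility, f"facility {facility}")
    return {
        "facility": facility_name,
        "severity": SEVERITY_NAMES[severity],
        "log_type": LOG_TYPE_BY_FACILITY.get(facility_name),
        "message": m.group(2),
    }


# Constructed sample lines; "bwsf" is a made-up hostname token.
SAMPLE_LINES = [
    '<137>bwsf 1225613275.270 ALER SLASH_DOT_IN_URL 192.168.128.11 44273 '
    '192.168.132.164 80 default GLOBAL LOG NONE "[]" GET 192.168.132.164/.init',
    "<150>bwsf access log line (constructed)",
    "<158>bwsf audit log line (constructed)",
    "<134>bwsf STM COOKIE-5 00000 SetSapIpsCookieServicePolicy = 0",
    "<38>otherhost line from a non-WAF facility (constructed)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        info = classify(line)
        print(f"{info['facility']:<11} {info['severity']:<7} {info['log_type']}")
```

`pri_for("LOCAL1", "ALERT")` gives 137, the value a receiver-side filter would match to route Web Firewall alerts to their own file; a line whose facility decodes to anything outside LOCAL0 to LOCAL3 did not originate from one of the four log types described here and is worth routing separately.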
The following sections describe the formats of the logs and elements sent over in each type of the
event generated by the Barracuda Web Site Firewall. Please be aware that the various syslog
implementations may not display the messages in this exact format. However, the sections should
still be present in the syslog lines.
System Events
These events get logged at LOCAL0 facility. The log format for the events generated by the
Barracuda Web Site Firewall system is as follows:
The following table describes each element of a system log:

Module Name
  Example: STM
  Description: Denotes the name of the module that generated the log. For example: STM, SAPD, LB, etc.

Message
  Example: COOKIE-5 00000 SetSapIpsCookieServicePolicy = 0
  Description: Denotes the log message for the event that occurred.
Web Firewall Logs (Logged at LOCAL1 facility)
All the actions/events on the web firewall are logged under Web Firewall Logs. These logs help the
administrator analyze the traffic for suspicious activity and fine-tune the web firewall policies.
Navigate to the BASIC > Web Firewall Logs page to view the generated log messages stored in a
database on the Barracuda Web Site Firewall; this page reads from the log database on the
Barracuda Web Site Firewall itself. As noted above, the external syslog server IP for these logs is
specified under Advanced > Export Logs > Application Logs. Over syslog, every Web Firewall log
from the Barracuda Web Site Firewall is sent at the LOCAL1 facility with an associated level, which
indicates the severity of the log. An administrator can configure what level of logs should be
recorded for each service by editing the service under the Basic > Services page.
The log format for Web Firewall Logs is as follows:
• Timestamp
• Severity
• Attack Name
• Client IP
• Client Port
• Application IP
• Application Port
• Rule ID (ACL)
• Rule Name
• Action Taken
• Follow-up Action
• Attack Detail
• Method
• URL
Example:
1225613275.270 ALER SLASH_DOT_IN_URL 192.168.128.11 44273 192.168.132.164 80 default GLOBAL LOG NONE "[]" GET 192.168.132.164/.init
Detailed Description
The following table describes each element of a web firewall log:

Timestamp
  Example: 1225613275.270
  Description: The time recorded in UTC format as the number of seconds since 1970.

Severity
  Example: ALER
  Description: Defines the seriousness of the attack.

Attack Name
  Example: SLASH_DOT_IN_URL
  Description: The name of the attack triggered by the traffic.

Client IP
  Example: 192.168.128.11
  Description: The IP address of the client sending the request.

Client Port
  Example: 44273
  Description: The port relevant to the client IP address.

Application IP
  Example: 192.168.132.164
  Description: The IP address of the application that receives the traffic.

Application Port
  Example: 80
  Description: The port relevant to the application IP address.

Rule ID (ACL)
  Example: default
  Description: The rule configured for the application in the ACL.

Rule Name
  Example: GLOBAL
  Description: Specifies if the log is from a GLOBAL policy, a URL ACL or a profile.

Action Taken
  Example: LOG
  Description: The action applied to the traffic. Deny denotes that the traffic is denied; LOG denotes
  monitoring of the traffic with the assigned rule; Warning warns about the traffic.

Follow-up Action
  Example: NONE
  Description: The follow-up action as specified by the action policy. It is either "None" or "Locked"
  in case the lockout is chosen.

Attack Detail
  Example: []
  Description: Provides the attack details.

Method
  Example: GET
  Description: The request method of the traffic.

URL
  Example: 192.168.132.164/.init
  Description: The URL of the request.
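A parser for the Web Firewall Log format listed above, as an added example that is not code from Barracuda or from this document. The field order and the first sample line are taken from the document; the second sample line, its "DENY" action value and the "[param id]" attack detail are constructed to show why the quoted Attack Detail field needs a shell-style tokeniser rather than a plain split on spaces.

```python
"""Parse Barracuda Web Site Firewall "Web Firewall Log" lines into typed records.

Added example, not code from Barracuda or from this document. Field order and
the first sample line come from the documented format; the second sample line
is constructed. Attack Detail is the one field that arrives double-quoted and
may contain spaces, so the line is tokenised with shlex instead of str.split.
"""
import shlex
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Field order exactly as documented for Web Firewall Logs.
FIELDS = (
    "timestamp", "severity", "attack_name", "client_ip", "client_port",
    "application_ip", "application_port", "rule_id", "rule_name",
    "action_taken", "follow_up_action", "attack_detail", "method", "url",
)

# First line: the document's own example. Second line: constructed, with a space inside Attack Detail.
SAMPLE_LINES = [
    '1225613275.270 ALER SLASH_DOT_IN_URL 192.168.128.11 44273 192.168.132.164 80 '
    'default GLOBAL LOG NONE "[]" GET 192.168.132.164/.init',
    '1225613290.512 ALER SQL_INJECTION_IN_PARAM 192.168.128.11 44301 192.168.132.164 80 '
    'default GLOBAL DENY NONE "[param id]" POST 192.168.132.164/login',
]


@dataclass(frozen=True)
class WebFirewallEvent:
    timestamp: datetime        # UTC, converted from the epoch-seconds field
    severity: str
    attack_name: str
    client_ip: str
    client_port: int
    application_ip: str
    application_port: int
    rule_id: str
    rule_name: str
    action_taken: str
    follow_up_action: str
    attack_detail: str         # surrounding quotes already removed by shlex
    method: str
    url: str


def parse_web_firewall_log(line: str) -> WebFirewallEvent:
    """Split one log line into its fourteen fields; raises ValueError on a malformed line."""
    tokens = shlex.split(line.strip())
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    rec = dict(zip(FIELDS, tokens))
    rec["timestamp"] = datetime.fromtimestamp(float(rec["timestamp"]), tz=timezone.utc)
    rec["client_port"] = int(rec["client_port"])
    rec["application_port"] = int(rec["application_port"])
    return WebFirewallEvent(**rec)


def count_by_attack(lines) -> Counter:
    """Tally (attack name, action taken) pairs, the first view an administrator wants when tuning policies."""
    counts = Counter()
    for line in lines:
        ev = parse_web_firewall_log(line)
        counts[(ev.attack_name, ev.action_taken)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_web_firewall_log(line)
        print(ev.timestamp.isoformat(), ev.attack_name, ev.client_ip, ev.action_taken, ev.url)
    print(count_by_attack(SAMPLE_LINES))
```

The strict field count check is deliberate: a syslog implementation that rewrites or truncates the line (the document warns that display formats vary) produces a token count other than fourteen, and rejecting such a line is safer than silently shifting every later field.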
Attack Names
The following is the list of Attack Names arranged as per Attack Groups. Each entry gives the Event
ID, Attack Name, Severity, Attack Type and Description:

Advanced Policy Violations

29012 INVALID_URL_CHARSET
  Severity: Warning   Attack Type: Attack obfuscation
  Description: The request contained a character that is not valid in the character set. To
  determine the character set of the request, the Barracuda Web Application Controller relies on
  several configuration elements such as Default Character Set, Detect Response Charset and
  Response Charset.

29145 BRUTE_FORCE_FROM_IP
  Severity: Alert   Attack Type: DOS attack
  Description: The number of accesses to the resource by the client IP exceeded the number defined
  in the bruteforce prevention policy for this application.

29146 BRUTE_FORCE_FROM_ALL_SOURCES
  Severity: Alert   Attack Type: DOS attack
  Description: The cumulative number of accesses to the resource by all the sources exceeded the
  number defined in the bruteforce prevention policy for this application.

Application Profile Violations

29130 NO_DOMAIN_MATCH_IN_PROFILE
  Severity: Alert   Attack Type: Forceful browsing
  Description: The request sent by the browser corresponds to a domain which is not found in the
  application profile.

29131 NO_URL_PROFILE_MATCH
  Severity: Alert   Attack Type: Forceful browsing
  Description: The request sent by the browser contained a URL for which no matching URL Profile
  is found in the application profile.

Header Violations

29007 HEADER_META_VIOLATION
  Severity: Alert   Attack Type: Command injection
  Description: The header contained a metacharacter which is part of the Denied Metacharacters
  configured in the Header ACL for this application.

29035 CUSTOM_ATTACK_PATTERN_IN_HEADER
  Severity: Alert   Attack Type: Command injection
  Description: The header contained an attack pattern that matched an attack pattern configured as
  part of Custom Blocked Attack Types for this header in the Header ACL.

29036 SQL_INJECTION_IN_HEADER
  Severity: Alert   Attack Type: SQL injection
  Description: The header contained a SQL injection attack which matched an attack pattern
  configured as a Blocked Attack Type for this header in the Header ACL.

29037 CROSS_SITE_SCRIPTING_IN_HEADER
  Severity: Alert   Attack Type: Cross-site scripting
  Description: The header contained a cross-site scripting attack which matched an attack pattern
  configured as a Blocked Attack Type for this header in the Header ACL.

29038 OS_CMD_INJECTION_IN_PARAM
  Severity: Alert   Attack Type: Command injection
  Description: The header contained an OS command injection attack which matched an attack
  pattern configured as a Blocked Attack Type for this header in the Header ACL.

29039 DIRECTORY_TRAVERSAL_IN_HEADER
  Severity: Alert   Attack Type: Directory traversal
  Description: The header contained a directory traversal attack which matched an attack pattern
  configured as a Blocked Attack Type for this header in the Header ACL.

Param Profile Violations

29134 READ_ONLY_PARAM_TAMPERED
  Severity: Alert   Attack Type: Form tampering
  Description: The read-only parameter had a value which was different from what was learned by
  the Barracuda Web Application Controller based on the form that was sent to the browser.

29135 SESSION_INVARIANT_PARAM_TAMPERED
  Severity: Alert   Attack Type: Form tampering
  Description: The session-invariant parameter had a value which was different from what was
  learned by the Barracuda Web Application Controller based on the form that was sent to the
  browser for this session.

29136 SESSION_CHOICE_PARAM_TAMPERED
  Severity: Alert   Attack Type: Form tampering
  Description: The session choice parameter had a value which was different from what was learned
  by the Barracuda Web Application Controller based on the form that was sent to the browser for
  this session.

29137 TOO_MANY_PARAM_INSTANCES
  Severity: Alert   Attack Type: Form tampering
  Description: The URL sent by the browser contained more instances of the parameter than what is
  learned to be allowed in the Parameter Profile.

29138 MISSING_MANDATORY_PARAM
  Severity: Alert   Attack Type: Form tampering
  Description: The URL sent by the browser contained no instances of the parameter, which is
  learned to be mandatory in the Parameter Profile.

29139 PARAM_VAL_NOT_ALLOWED
  Severity: Alert   Attack Type: Form tampering
  Description: The Global Choice parameter had a value which is different from the values
  configured for this parameter in the Parameter Profile.

29150 FILE_EXTENSION_NOT_ALLOWED
  Severity: Alert   Attack Type: Form tampering
  Description: The extension of the filename of a file-upload parameter does not match any one of
  the configured File Upload Extensions for the parameter profile.

29151 FILE_UPLOAD_SIZE_EXCEEDED
  Severity: Alert   Attack Type: Form tampering
  Description: The size of the file-upload parameter is greater than the maximum configured value
  in the Default Parameter Protection.

29152 METACHARACTER_IN_PARAMETER
  Severity: Alert   Attack Type: Command injection
  Description: The parameter contained a metacharacter which matched an attack pattern configured
  as a Parameter Class in the parameter profile.

29154 PARAM_NAME_LENGTH_EXCEEDED
  Severity: Alert   Attack Type: Buffer overflow
  Description: The length of the parameter exceeded the Max Length configured in the parameter
  profile.

29155 CUSTOM_ATTACK_PATTERN_IN_PARAM
  Severity: Alert   Attack Type: Command injection
  Description: The parameter contained a custom attack pattern which matched an attack pattern
  configured as a Parameter Class in the parameter profile.

29156 PARAM_INPUT_VALIDATION_FAILED
  Severity: Alert   Attack Type: Form tampering
  Description: The parameter does not match the input type validation configured in the Parameter
  Profile.

29157 SQL_INJECTION_IN_PARAM
  Severity: Alert   Attack Type: SQL injection
  Description: The parameter contained a SQL injection pattern which matched an attack pattern
  configured as a Parameter Class in the parameter profile.