Skip to main content
HugoPinto
HugoPinto
Visitor III
October 8, 2020
Question

Fortiweb Parser v2

  • October 8, 2020
  • 1 reply
  • 2025 views
I share some improvements that we have made on the parser for fortiweb.

Cheers,
Hugo Pinto
Claranet

    1 reply

    FSM_FTNT
    Staff
    FSM_FTNT
    Staff
    October 13, 2020
    Thanks Hugo.

    Have you got details on what you changed and a sample event? I can then look to add this into FortiSIEM.

    Thanks again.

    Dan

    ------------------------------
    Daniel
    FortiSIEM Product Manager
    ------------------------------
    -------------------------------------------
    Original Message:
    Sent: Oct 08, 2020 08:33 AM
    From: Hugo Pinto
    Subject: Fortiweb Parser v2

    I share some improvements that we have made on the parser for fortiweb.

    Cheers,
    Hugo Pinto
    Claranet
    HugoPinto
    HugoPintoAuthor
    Visitor III
    October 13, 2020
    Hi Daniel,

    Yes, we have added this eventattributes to be recognized:

    attrKeyMap attr="resourcePool" key="server_pool_name"
    attrKeyMap attr="user" key="user_name"
    attrKeyMap attr="httpReferrer" key="http_refer"
    attrKeyMap attr="httpVersion" key="http_version"
    attrKeyMap attr="signatureSubclass" key="signature_subclass"

    The HttpReferrer gives some information that URI Steam don't the raw:

    <189>date=2020-10-07 time=14:49:23 log_id=30000000 msg_id=004530004486 device_id=xxxxxxxxxxxxxx vd="root" timezone="(GMT)Greenwich Mean Time: Dublin,Edinburgh,Lisbon,London" type=traffic subtype="http" pri=notice proto=tcp service=https status=success reason=none policy=xxxxxxxxxxxx src=xxxxxxxxxxxxxx src_port=52989 dst=xxxxxxxxxxxx dst_port=443 http_request_time=0 http_response_time=0 http_request_bytes=1690 http_response_bytes=51670 http_method=get http_url="/xxxxxxxxxxxxxxxxxxxx/login" http_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/xxxxxxxxxxxxxxx Safari/537.36" http_retcode=200 msg="HTTPS get request from xxxxxxxxxxxxxx :52989 to xxxxxxxxxxxxxxxx :443" srccountry="Portugal" content_switch_name="xxxxxxxxxxxxxxxxxxxxx " server_pool_name="xxxxxxxxxx"http_host="xxxxxxxxxxxxx" user_name="Unknown" http_refer="https://xxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx/transactions" http_version="1.x"

    The URI Steam gives: http_url="/xxxxxxxxxxxxxxxxxxxx/login" but a more detailed message on http refer:

    server_pool_name="xxxxxxxxxx"
    http_host="xxxxxxxxxxxxx"
    user_name="Unknown"
    http_refer="https://xxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx/transactions"
    http_version="1.x"

    Cheers,
    HP-------------------------------------------
    Original Message:
    Sent: Oct 13, 2020 02:08 AM
    From: Daniel Hanman
    Subject: Fortiweb Parser v2

    Thanks Hugo.

    Have you got details on what you changed and a sample event? I can then look to add this into FortiSIEM.

    Thanks again.

    Dan

    ------------------------------
    Daniel
    FortiSIEM Product Manager
    ------------------------------

    Original Message:
    Sent: Oct 08, 2020 08:33 AM
    From: Hugo Pinto
    Subject: Fortiweb Parser v2

    I share some improvements that we have made on the parser for fortiweb.

    Cheers,
    Hugo Pinto
    Claranet
    A
    Anonymous_User
    New Contributor III
    October 14, 2020

    Here's a list of fields I found useful and can be added to the default FWB parser:

    <!-- NewFields -->

    <attrKeyMap attr=" subtype" key="sub_type"/>

    <attrKeyMap attr="action" key="action"/>

    <attrKeyMap attr="signature_subclass" key="signature_subclass"/>

    <attrKeyMap attr="vulnCVEId" key="signature_cve_id"/>

    <attrKeyMap attr="poolName" key="server_pool_name"/>

    <attrKeyMap attr="user" key="user_name"/>

    <attrKeyMap attr="httpReferrer" key="http_refer"/>

    <attrKeyMap attr="httpVersion" key="http_version"/>

    <attrKeyMap attr="device" key="dev_id"/>

    <attrKeyMap attr="threatScore" key="threat_weight"/>

    <attrKeyMap attr="historyThreatWeight" key="history_threat_weight"/>

    <attrKeyMap attr="ftpMode" key="ftp_mode"/>

    <attrKeyMap attr="ftpCmd" key="ftp_cmd"/>

    <attrKeyMap attr="owaspTop10" key="owasp_top10"/>

    <attrKeyMap attr="attackInfo" key="matched_pattern"/>

    <attrKeyMap attr="botinfo" key="bot_info"/>

     

     

    -- 

    Henry Hernandez | signature_757727461
    Regional Consulting Security Engineer| Enhanced Technologies - ATP |

    North America East, MSSP, & Federal
    FORTINET- Fast. Secure. Global.
    E: hhernandez@fortinet.com | T: +1.305.725.5237

    NSE Certified: Level 7

    signature_1668617481

    signature_1175699032


    *** Please note that this message and any attachments may contain confidential and proprietary material and information and are intended only for the use of the intended recipient(s). If you are not the intended recipient, you are hereby notified that any review, use, disclosure, dissemination, distribution or copying of this message and any attachments is strictly prohibited. If you have received this email in error, please immediately notify the sender and destroy this e-mail and any attachments and all copies, whether electronic or printed. Please also note that any views, opinions, conclusions or commitments expressed in this message are those of the individual sender and do not necessarily reflect the views of Fortinet, Inc., its affiliates, and emails are not binding on Fortinet and only a writing manually signed by Fortinet's General Counsel can be a binding commitment of Fortinet to Fortinet's customers or partners. Thank you. ***


    -------------------------------------------
    Original Message:
    Sent: 10/13/2020 5:55:00 AM
    From: Hugo
    Subject: RE: Fortiweb Parser v2

    Hi Daniel,

    Yes, we have added this eventattributes to be recognized:

    attrKeyMap attr="resourcePool" key="server_pool_name"
    attrKeyMap attr="user" key="user_name"
    attrKeyMap attr="httpReferrer" key="http_refer"
    attrKeyMap attr="httpVersion" key="http_version"
    attrKeyMap attr="signatureSubclass" key="signature_subclass"

    The HttpReferrer gives some information that URI Steam don't the raw:

    <189>date=2020-10-07 time=14:49:23 log_id=30000000 msg_id=004530004486 device_id=xxxxxxxxxxxxxx vd="root" timezone="(GMT)Greenwich Mean Time: Dublin,Edinburgh,Lisbon,London" type=traffic subtype="http" pri=notice proto=tcp service=https status=success reason=none policy=xxxxxxxxxxxx src=xxxxxxxxxxxxxx src_port=52989 dst=xxxxxxxxxxxx dst_port=443 http_request_time=0 http_response_time=0 http_request_bytes=1690 http_response_bytes=51670 http_method=get http_url="/xxxxxxxxxxxxxxxxxxxx/login" http_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/xxxxxxxxxxxxxxx Safari/537.36" http_retcode=200 msg="HTTPS get request from xxxxxxxxxxxxxx :52989 to xxxxxxxxxxxxxxxx :443" srccountry="Portugal" content_switch_name="xxxxxxxxxxxxxxxxxxxxx " server_pool_name="xxxxxxxxxx"http_host="xxxxxxxxxxxxx" user_name="Unknown" http_refer="https://xxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx/transactions" http_version="1.x"

    The URI Steam gives: http_url="/xxxxxxxxxxxxxxxxxxxx/login" but a more detailed message on http refer:

    server_pool_name="xxxxxxxxxx"
    http_host="xxxxxxxxxxxxx"
    user_name="Unknown"
    http_refer="https://xxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx/transactions"
    http_version="1.x"

    Cheers,
    HP-------------------------------------------
    Original Message:
    Sent: Oct 13, 2020 02:08 AM
    From: Daniel Hanman
    Subject: Fortiweb Parser v2

    Thanks Hugo.

    Have you got details on what you changed and a sample event? I can then look to add this into FortiSIEM.

    Thanks again.

    Dan

    ------------------------------
    Daniel
    FortiSIEM Product Manager
    ------------------------------

    Original Message:
    Sent: Oct 08, 2020 08:33 AM
    From: Hugo Pinto
    Subject: Fortiweb Parser v2

    I share some improvements that we have made on the parser for fortiweb.

    Cheers,
    Hugo Pinto
    Claranet
    Terms & ConditionsAccessibility statement