Help
FortiSIEM Discussions
HugoPinto
Contributor

Created on ‎10-08-2020 08:34 AM

Fortiweb Parser v2

I share some improvements that we have made on the parser for fortiweb.

Cheers,
Hugo Pinto
Claranet
1336
0 Kudos
3 REPLIES 3
DanielHanman
Staff
Staff

Created on ‎10-13-2020 02:09 AM

Thanks Hugo.

Have you got details on what you changed and a sample event? I can then look to add this into FortiSIEM.

Thanks again.

Dan

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------
-------------------------------------------
Original Message:
Sent: Oct 08, 2020 08:33 AM
From: Hugo Pinto
Subject: Fortiweb Parser v2

I share some improvements that we have made on the parser for fortiweb.

Cheers,
Hugo Pinto
Claranet
1336
0 Kudos
HugoPinto
Contributor
In response to DanielHanman

Created on ‎10-13-2020 02:55 AM

Hi Daniel,

Yes, we have added this eventattributes to be recognized:

attrKeyMap attr="resourcePool" key="server_pool_name"
attrKeyMap attr="user" key="user_name"
attrKeyMap attr="httpReferrer" key="http_refer"
attrKeyMap attr="httpVersion" key="http_version"
attrKeyMap attr="signatureSubclass" key="signature_subclass"

The HttpReferrer gives some information that URI Steam don't the raw:

<189>date=2020-10-07 time=14:49:23 log_id=30000000 msg_id=004530004486 device_id=xxxxxxxxxxxxxx vd="root" timezone="(GMT)Greenwich Mean Time: Dublin,Edinburgh,Lisbon,London" type=traffic subtype="http" pri=notice proto=tcp service=https status=success reason=none policy=xxxxxxxxxxxx src=xxxxxxxxxxxxxx src_port=52989 dst=xxxxxxxxxxxx dst_port=443 http_request_time=0 http_response_time=0 http_request_bytes=1690 http_response_bytes=51670 http_method=get http_url="/xxxxxxxxxxxxxxxxxxxx/login" http_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/xxxxxxxxxxxxxxx Safari/537.36" http_retcode=200 msg="HTTPS get request from xxxxxxxxxxxxxx :52989 to xxxxxxxxxxxxxxxx :443" srccountry="Portugal" content_switch_name="xxxxxxxxxxxxxxxxxxxxx " server_pool_name="xxxxxxxxxx"http_host="xxxxxxxxxxxxx" user_name="Unknown" http_refer="https://xxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx/transactions" http_version="1.x"

The URI Steam gives: http_url="/xxxxxxxxxxxxxxxxxxxx/login" but a more detailed message on http refer:

server_pool_name="xxxxxxxxxx"
http_host="xxxxxxxxxxxxx"
user_name="Unknown"
http_refer="https://xxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx/transactions"
http_version="1.x"

Cheers,
HP-------------------------------------------
Original Message:
Sent: Oct 13, 2020 02:08 AM
From: Daniel Hanman
Subject: Fortiweb Parser v2

Thanks Hugo.

Have you got details on what you changed and a sample event? I can then look to add this into FortiSIEM.

Thanks again.

Dan

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------

Original Message:
Sent: Oct 08, 2020 08:33 AM
From: Hugo Pinto
Subject: Fortiweb Parser v2

I share some improvements that we have made on the parser for fortiweb.

Cheers,
Hugo Pinto
Claranet
1336
0 Kudos
HenryHernandez
Staff
Staff
In response to HugoPinto

Created on ‎10-14-2020 06:56 AM

Here's a list of fields I found useful and can be added to the default FWB parser:

<!-- NewFields -->

<attrKeyMap attr=" subtype" key="sub_type"/>

<attrKeyMap attr="action" key="action"/>

<attrKeyMap attr="signature_subclass" key="signature_subclass"/>

<attrKeyMap attr="vulnCVEId" key="signature_cve_id"/>

<attrKeyMap attr="poolName" key="server_pool_name"/>

<attrKeyMap attr="user" key="user_name"/>

<attrKeyMap attr="httpReferrer" key="http_refer"/>

<attrKeyMap attr="httpVersion" key="http_version"/>

<attrKeyMap attr="device" key="dev_id"/>

<attrKeyMap attr="threatScore" key="threat_weight"/>

<attrKeyMap attr="historyThreatWeight" key="history_threat_weight"/>

<attrKeyMap attr="ftpMode" key="ftp_mode"/>

<attrKeyMap attr="ftpCmd" key="ftp_cmd"/>

<attrKeyMap attr="owaspTop10" key="owasp_top10"/>

<attrKeyMap attr="attackInfo" key="matched_pattern"/>

<attrKeyMap attr="botinfo" key="bot_info"/>

 

 

-- 

Henry Hernandez | signature_757727461
Regional Consulting Security Engineer| Enhanced Technologies - ATP |

North America East, MSSP, & Federal
FORTINET- Fast. Secure. Global.
E: hhernandez@fortinet.com | T: +1.305.725.5237

NSE Certified: Level 7

signature_1668617481

signature_1175699032


*** Please note that this message and any attachments may contain confidential and proprietary material and information and are intended only for the use of the intended recipient(s). If you are not the intended recipient, you are hereby notified that any review, use, disclosure, dissemination, distribution or copying of this message and any attachments is strictly prohibited. If you have received this email in error, please immediately notify the sender and destroy this e-mail and any attachments and all copies, whether electronic or printed. Please also note that any views, opinions, conclusions or commitments expressed in this message are those of the individual sender and do not necessarily reflect the views of Fortinet, Inc., its affiliates, and emails are not binding on Fortinet and only a writing manually signed by Fortinet's General Counsel can be a binding commitment of Fortinet to Fortinet's customers or partners. Thank you. ***


-------------------------------------------
Original Message:
Sent: 10/13/2020 5:55:00 AM
From: Hugo
Subject: RE: Fortiweb Parser v2

Hi Daniel,

Yes, we have added this eventattributes to be recognized:

attrKeyMap attr="resourcePool" key="server_pool_name"
attrKeyMap attr="user" key="user_name"
attrKeyMap attr="httpReferrer" key="http_refer"
attrKeyMap attr="httpVersion" key="http_version"
attrKeyMap attr="signatureSubclass" key="signature_subclass"

The HttpReferrer gives some information that URI Steam don't the raw:

<189>date=2020-10-07 time=14:49:23 log_id=30000000 msg_id=004530004486 device_id=xxxxxxxxxxxxxx vd="root" timezone="(GMT)Greenwich Mean Time: Dublin,Edinburgh,Lisbon,London" type=traffic subtype="http" pri=notice proto=tcp service=https status=success reason=none policy=xxxxxxxxxxxx src=xxxxxxxxxxxxxx src_port=52989 dst=xxxxxxxxxxxx dst_port=443 http_request_time=0 http_response_time=0 http_request_bytes=1690 http_response_bytes=51670 http_method=get http_url="/xxxxxxxxxxxxxxxxxxxx/login" http_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/xxxxxxxxxxxxxxx Safari/537.36" http_retcode=200 msg="HTTPS get request from xxxxxxxxxxxxxx :52989 to xxxxxxxxxxxxxxxx :443" srccountry="Portugal" content_switch_name="xxxxxxxxxxxxxxxxxxxxx " server_pool_name="xxxxxxxxxx"http_host="xxxxxxxxxxxxx" user_name="Unknown" http_refer="https://xxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx/transactions" http_version="1.x"

The URI Steam gives: http_url="/xxxxxxxxxxxxxxxxxxxx/login" but a more detailed message on http refer:

server_pool_name="xxxxxxxxxx"
http_host="xxxxxxxxxxxxx"
user_name="Unknown"
http_refer="https://xxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxx/transactions"
http_version="1.x"

Cheers,
HP-------------------------------------------
Original Message:
Sent: Oct 13, 2020 02:08 AM
From: Daniel Hanman
Subject: Fortiweb Parser v2

Thanks Hugo.

Have you got details on what you changed and a sample event? I can then look to add this into FortiSIEM.

Thanks again.

Dan

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------

Original Message:
Sent: Oct 08, 2020 08:33 AM
From: Hugo Pinto
Subject: Fortiweb Parser v2

I share some improvements that we have made on the parser for fortiweb.

Cheers,
Hugo Pinto
Claranet
1336
0 Kudos
Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"

Labels
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.