Versions Compared

Old Version 1

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

compared with

New Version 2

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
maxLevel2
typeflat

...

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as waf.signalsciences. The third level identifies the type of events sent. 

Technology

Brand

Type

Subtype

waf

signalsciences

request

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tag

Data table

waf.signalsciences.requestwaf.signalsciences.request

How is the data sent to Devo?

Logs generated by Signal Sciences Web Application Firewall are forwarded to Devo using a proprietary Apache nifi collector. Contact us if you need to forward these events to your Devo domain so we can guide you through the process

Log samples

The following are sample logs sent to each of the waf.signalsciences data tables. Also, find how the information will be parsed in your data table under each sample log.

waf.signalsciences.request

...

.

...

And this is how the log would be parsed:

...

Field

...

Value

...

Type

...

hostchain

...

localhost=127.0.0.1

...

str

...

hostname

...

localhost

...

str

...

tag

...

waf.signalsciences.request

...

str

...

id

...

6091b7869681fb00060be02c

...

str

...

serverHostname

...

trafik

...

str

...

remoteIP

...

1.2.3.1

...

ip4

...

remoteHostname

...

{"field1": "c", "field2": "789", "field3": "7.8.9.3", ...}

...

str

...

remoteCountryCode

...

 

...

str

...

userAgent

...

xhall

...

str

...

timestamp

...

2021-05-04 21:07:18.000

...

date

...

method

...

GET

...

str

...

serverName

...

yep.co

...

str

...

protocol

...

HTTP/1.1

...

str

...

tlsProtocol

...

 

...

str

...

tlsCipher

...

 

...

str

...

path

...

/originations/api/loans

...

str

...

uri

...

/originations/api/loans

...

str

...

scheme

...

http

...

str

...

headersIn

...

[["Host", "yep.co"], ["Sec-Fetch-Site", "same-site"], ["X-Forwarded-Proto", "https"], ["Connection", "keep-alive"], ["Accept-Encoding", "gzip"], ["Accept-Language", "en-US"], ["Cookie", "redacted"], ["Sec-Fetch-Dest", "empty"], ["Sec-Fetch-Mode", "cors"], ["User-Agent", "xhall"], ["X-Forwarded-For", "11.190.238.229"], ["Accept", "application/json, text/plain, */*"], ["Referer", "https://yeps.co/"], ["X-Forwarded-Port", "443"], ["Origin", "https://yeps.co"]]

...

str

...

agentResponseCode

...

200

...

int4

...

responseCode

...

403

...

int4

...

responseSize

...

405

...

int4

...

responseMillis

...

53

...

int4

...

headersOut

...

[["Content-Encoding", "gzip"], ["Access-Control-Allow-Methods", "GET, POST, DELETE, PUT"], ["Content-Type", "text/html;charset=utf-8"], ["Date", "Tue, 04 May 2021 21:07:18 GMT"], ["Vary", "Accept-Encoding"], ["Access-Control-Allow-Credentials", "true"], ["Access-Control-Allow-Headers", "X-Requested-With, Content-Type, X-CommonBond, Content-Disposition"], ["Content-Length", "405"], ["Content-Language", "en"], ["Access-Control-Allow-Origin", "https://yeps.co"]]

...

str

...

summation__attrs__AllPreSignalsInformational

...

false

...

str

...

summation__attacks

...

[]

...

str

...

tags

...

[{"type": "site.from-common-cluster", "location": "", "value": "", "detector": "60171e83b98b5401e9857a93", "redaction": "", "link": ""}, {"type": "HTTP403", "location": "", "value": "403", "detector": "HTTPERROR", "redaction": "", "link": ""}]

...

str

...

rawMessage

...

{"id": "6091b7869681fb00060be02c", "serverHostname": "trafik", "remoteIP": "11.190.238.229", "remoteHostname": "private network host", "remoteCountryCode": "", "userAgent": "xhall", "timestamp": "2021-05-04T21:07:18Z", "method": "GET", "serverName": "yep.co", "protocol": "HTTP/1.1", "tlsProtocol": "", "tlsCipher": "", "path": "/originations/api/loans", "uri": "/originations/api/loans", "scheme": "http", "headersIn": [["Host", "yep.co"], ["Sec-Fetch-Site", "same-site"], ["X-Forwarded-Proto", "https"], ["Connection", "keep-alive"], ["Accept-Encoding", "gzip"], ["Accept-Language", "en-US"], ["Cookie", "redacted"], ["Sec-Fetch-Dest", "empty"], ["Sec-Fetch-Mode", "cors"], ["User-Agent", "xhall"], ["X-Forwarded-For", "11.190.238.229"], ["Accept", "application/json, text/plain, */*"], ["Referer", "https://yeps.co/"], ["X-Forwarded-Port", "443"], ["Origin", "https://yeps.co"]], "agentResponseCode": 200, "responseCode": 403, "responseSize": 405, "responseMillis": 53, "headersOut": [["Content-Encoding", "gzip"], ["Access-Control-Allow-Methods", "GET, POST, DELETE, PUT"], ["Content-Type", "text/html;charset=utf-8"], ["Date", "Tue, 04 May 2021 21:07:18 GMT"], ["Vary", "Accept-Encoding"], ["Access-Control-Allow-Credentials", "true"], ["Access-Control-Allow-Headers", "X-Requested-With, Content-Type, X-CommonBond, Content-Disposition"], ["Content-Length", "405"], ["Content-Language", "en"], ["Access-Control-Allow-Origin", "https://yeps.co"]], "summation": {"attrs": {"AllPreSignalsInformational": "false"}, "attacks": []}, "tags": [{"type": "site.from-common-cluster", "location": "", "value": "", "detector": "60171e83b98b5401e9857a93", "redaction": "", "link": ""}, {"type": "HTTP403", "location": "", "value": "403", "detector": "HTTPERROR", "redaction": "", "link": ""}]}

...