...
...
...
...
...
...
...
...
...
Table of Contents | ||||
---|---|---|---|---|
|
Introduction
The tags beginning with waf.signalsciences
identify events generated by Signal Sciences Web Application Firewall belonging to Signal Sciences.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed aswaf.signalsciences
. The and the third level identifies the type of events sent.
...
Technology
...
Brand
...
Type
...
Subtype
...
waf
...
signalsciences
...
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service |
---|
Tags | Data |
---|
tables | ||
---|---|---|
Signal Sciences Web Application Firewall |
|
|
How is the data sent to Devo?
Logs generated by Signal Sciences Web Application Firewall are forwarded to Devo using a proprietary Apache nifi collector. Contact us if you need to forward these events to your Devo domain so we can guide you through the process.
Log samples
The following are sample logs sent to each of the waf.signalsciences data tables. Also, find how the information will be parsed in your data table under each sample log.
waf.signalsciences.request
Code Block |
---|
{"id": "6091b7869681fb00060be02c", "serverHostname": "trafik", "remoteIP": "11.190.238.229", "remoteHostname": "private network host", "remoteCountryCode": "", "userAgent": "xhall", "timestamp": "2021-05-04T21:07:18Z", "method": "GET", "serverName": "yep.co", "protocol": "HTTP/1.1", "tlsProtocol": "", "tlsCipher": "", "path": "/originations/api/loans", "uri": "/originations/api/loans", "scheme": "http", "headersIn": [["Host", "yep.co"], ["Sec-Fetch-Site", "same-site"], ["X-Forwarded-Proto", "https"], ["Connection", "keep-alive"], ["Accept-Encoding", "gzip"], ["Accept-Language", "en-US"], ["Cookie", "redacted"], ["Sec-Fetch-Dest", "empty"], ["Sec-Fetch-Mode", "cors"], ["User-Agent", "xhall"], ["X-Forwarded-For", "11.190.238.229"], ["Accept", "application/json, text/plain, */*"], ["Referer", "https://yeps.co/"], ["X-Forwarded-Port", "443"], ["Origin", "https://yeps.co"]], "agentResponseCode": 200, "responseCode": 403, "responseSize": 405, "responseMillis": 53, "headersOut": [["Content-Encoding", "gzip"], ["Access-Control-Allow-Methods", "GET, POST, DELETE, PUT"], ["Content-Type", "text/html;charset=utf-8"], ["Date", "Tue, 04 May 2021 21:07:18 GMT"], ["Vary", "Accept-Encoding"], ["Access-Control-Allow-Credentials", "true"], ["Access-Control-Allow-Headers", "X-Requested-With, Content-Type, X-CommonBond, Content-Disposition"], ["Content-Length", "405"], ["Content-Language", "en"], ["Access-Control-Allow-Origin", "https://yeps.co"]], "summation": {"attrs": {"AllPreSignalsInformational": "false"}, "attacks": []}, "tags": [{"type": "site.from-common-cluster", "location": "", "value": "", "detector": "60171e83b98b5401e9857a93", "redaction": "", "link": ""}, {"type": "HTTP403", "location": "", "value": "403", "detector": "HTTPERROR", "redaction": "", "link": ""}]} |
And this is how the log would be parsed:
...
Field
...
Value
...
Type
...
hostchain
...
localhost=127.0.0.1
...
str
...
hostname
...
localhost
...
str
...
tag
...
waf.signalsciences.request
...
str
...
id
...
6091b7869681fb00060be02c
...
str
...
serverHostname
...
trafik
...
str
...
remoteIP
...
1.2.3.1
...
ip4
...
remoteHostname
...
{"field1": "c", "field2": "789", "field3": "7.8.9.3", ...}
...
str
...
remoteCountryCode
...
...
str
...
userAgent
...
xhall
...
str
...
timestamp
...
2021-05-04 21:07:18.000
...
date
...
method
...
GET
...
str
...
serverName
...
yep.co
...
str
...
protocol
...
HTTP/1.1
...
str
...
tlsProtocol
...
...
str
...
tlsCipher
...
...
str
...
path
...
/originations/api/loans
...
str
...
uri
...
/originations/api/loans
...
str
...
scheme
...
http
...
str
...
headersIn
...
[["Host", "yep.co"], ["Sec-Fetch-Site", "same-site"], ["X-Forwarded-Proto", "https"], ["Connection", "keep-alive"], ["Accept-Encoding", "gzip"], ["Accept-Language", "en-US"], ["Cookie", "redacted"], ["Sec-Fetch-Dest", "empty"], ["Sec-Fetch-Mode", "cors"], ["User-Agent", "xhall"], ["X-Forwarded-For", "11.190.238.229"], ["Accept", "application/json, text/plain, */*"], ["Referer", "https://yeps.co/"], ["X-Forwarded-Port", "443"], ["Origin", "https://yeps.co"]]
...
str
...
agentResponseCode
...
200
...
int4
...
responseCode
...
403
...
int4
...
responseSize
...
405
...
int4
...
responseMillis
...
53
...
int4
...
headersOut
...
Table structure
These are the fields displayed in this table:
waf.signalsciences.request
Field | Type | Extra fields |
---|---|---|
eventdate |
| |
hostname |
| |
id |
| |
serverHostname |
| |
remoteIP |
| |
remoteHostname |
| |
remoteCountryCode |
| |
userAgent |
| |
timestamp |
| |
method |
| |
serverName |
| |
protocol |
| |
tlsProtocol |
| |
tlsCipher |
| |
path |
| |
uri |
| |
scheme |
| |
headersIn |
| |
agentResponseCode |
| |
responseCode |
| |
responseSize |
| |
responseMillis |
| |
headersOut |
| |
summation__attrs |
| |
summation__attrs__AllPreSignalsInformational |
false
| ||
summation__attrs__NetEffect |
| |
summation__attrs__country |
| |
summation__attrs__list |
| |
summation__attacks |
[]
str
| ||
tags |
| |
hostchain |
|
tags
[{"type": "site.from-common-cluster", "location": "", "value": "", "detector": "60171e83b98b5401e9857a93", "redaction": "", "link": ""}, {"type": "HTTP403", "location": "", "value": "403", "detector": "HTTPERROR", "redaction": "", "link": ""}]
str
rawMessage
{"id": "6091b7869681fb00060be02c", "serverHostname": "trafik", "remoteIP": "11.190.238.229", "remoteHostname": "private network host", "remoteCountryCode": "", "userAgent": "xhall", "timestamp": "2021-05-04T21:07:18Z", "method": "GET", "serverName": "yep.co", "protocol": "HTTP/1.1", "tlsProtocol": "", "tlsCipher": "", "path": "/originations/api/loans", "uri": "/originations/api/loans", "scheme": "http", "headersIn": [["Host", "yep.co"], ["Sec-Fetch-Site", "same-site"], ["X-Forwarded-Proto", "https"], ["Connection", "keep-alive"], ["Accept-Encoding", "gzip"], ["Accept-Language", "en-US"], ["Cookie", "redacted"], ["Sec-Fetch-Dest", "empty"], ["Sec-Fetch-Mode", "cors"], ["User-Agent", "xhall"], ["X-Forwarded-For", "11.190.238.229"], ["Accept", "application/json, text/plain, */*"], ["Referer", "https://yeps.co/"], ["X-Forwarded-Port", "443"], ["Origin", "https://yeps.co"]], "agentResponseCode": 200, "responseCode": 403, "responseSize": 405, "responseMillis": 53, "headersOut": [["Content-Encoding", "gzip"], ["Access-Control-Allow-Methods", "GET, POST, DELETE, PUT"], ["Content-Type", "text/html;charset=utf-8"], ["Date", "Tue, 04 May 2021 21:07:18 GMT"], ["Vary", "Accept-Encoding"], ["Access-Control-Allow-Credentials", "true"], ["Access-Control-Allow-Headers", "X-Requested-With, Content-Type, X-CommonBond, Content-Disposition"], ["Content-Length", "405"], ["Content-Language", "en"], ["Access-Control-Allow-Origin", "https://yeps.co"]], "summation": {"attrs": {"AllPreSignalsInformational": "false"}, "attacks": []}, "tags": [{"type": "site.from-common-cluster", "location": "", "value": "", "detector": "60171e83b98b5401e9857a93", "redaction": "", "link": ""}, {"type": "HTTP403", "location": "", "value": "403", "detector": "HTTPERROR", "redaction": "", "link": ""}]}
✓ | ||
tag |
| ✓ |
rawMessage |
| ✓ |
How is the data sent to Devo?
Logs generated by Signal Sciences Web Application Firewall are forwarded to Devo using a proprietary Apache nifi collector. Contact us if you need to forward these events to your Devo domain so we can guide you through the process.