airpwn / enterprise-log-search-and-archive

Automatically exported from code.google.com/p/enterprise-log-search-and-archive

Several Barracuda Spam & Virus Firewall Issues #217

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
There are several issues with Barracuda S&VFW support in ELSA.

Here is an example of a log that is indexed:

Jul  2 10:53:23 192.168.0.1 inbound/pass1[8021]: fromuser@example.com[1.2.3.4] 1404316403-0510bf1f5594b70001-nMGjtS 1404316403 1404316403 SCAN - fromuser@example.com touser@example.com - 2 74 example.com SZ:3327 SUBJ:Spammy Subject Line

However, it is not classified.

Here is an example of a log that is not indexed at all:

Jul  2 11:06:22 192.168.252.30 scan[16841]: nm21-vm4.bullet.mail.gq1.yahoo.com[98.136.217.51] 1404317180-0510bf1f5594e30001-JKu0sW 1404317181 1404317182 SCAN ENC fromuser@example.com touser@example.com - 7 35 - SZ:3137 SUBJ:Lalalala

And of course it is not classified.

Here is an example of a log that parses properly with pdbtool, but is not 
indexed:

UNKNOWN[1.2.3.4] 1404312539-0510bf1f5593c60001-nyON8p 1404312539 1404312540 SCAN ENC fromuser@example.com touser@example.com 0.001 0 0 - SZ:30774 SUBJ:RE: lalala

Finally, Barracuda is not listed as a class in the drop down, nor are any of 
those that do get indexed classified properly.

Most concerning is not necessarily the classification issues--those can be 
fixed, but that some logs don't make it into ELSA at all.

What version of the product are you using? On what operating system?
Sphinx  Sphinx 2.2.4-id64-dev (r4740)
Date     2014-06-10 17:05:27 -0500 (Tue, 10 Jun 2014)
Author   mcholste
Rev  1204

Using the latest Barracuda firmware at the time of this writing.

Original issue reported on code.google.com by lib...@gmail.com on 2 Jul 2014 at 4:19

GoogleCodeExporter commented 9 years ago
I found that I had to manually run some MySQL statements to get them to show 
up. They are at least parsing now, although it looks like there may still be 
some errors. I'll update the ticket after I check things out some more.

Original comment by lib...@gmail.com on 3 Jul 2014 at 9:14

GoogleCodeExporter commented 9 years ago
OK, I have made significant progress. Is anyone out there? lol

I rewrote the Barracuda parser from the ground up, based on the excellent 
Barracuda Spam & Virus Firewall Version 5.x Syslog Guide, along with real-world 
logs. Everything validates properly.

Another problem was that the SQL statements I found from the mailing list to 
enable the class in the database had incorrect class IDs:

Bad:
INSERT INTO classes (id, class, parent_id) VALUES(26, "BARRACUDA_SCAN", 0); 
INSERT INTO classes (id, class, parent_id) VALUES(27, "BARRACUDA_RECV", 0); 
INSERT INTO classes (id, class, parent_id) VALUES(28, "BARRACUDA_SEND", 0);

Good:
INSERT INTO classes (id, class, parent_id) VALUES(27, "BARRACUDA_SCAN", 0); 
INSERT INTO classes (id, class, parent_id) VALUES(28, "BARRACUDA_RECV", 0); 
INSERT INTO classes (id, class, parent_id) VALUES(29, "BARRACUDA_SEND", 0);

I dropped those rows and fixed that.

I'm going to give it a few days to see what pops in unclassified, then update 
the parsers as needed. Of course, if you want them I am happy to share.

Original comment by lib...@gmail.com on 9 Jul 2014 at 12:12
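As an added example, not code from ELSA and not the commenter's rewritten parser, here is a small Python parser for the Barracuda scan-log records quoted in this issue. The field layout after the SCAN token (encryption flag, sender, recipient, score, action code, reason code, reason extra, SZ:size, SUBJ:subject) is my reading of the three example records together with the Syslog Guide the commenter cites; it is an assumption, and the action and reason codes are kept as integers rather than decoded. The sample lines are the issue's own examples rejoined onto single lines. Besides extracting fields, it splits a batch into parsed and unparsed lines, which is the check to run when records are missing from the index rather than merely unclassified.

```python
import re
from typing import Dict, List, Optional, Tuple

# Classic BSD syslog header: "Jul  2 10:53:23 192.168.0.1 inbound/pass1[8021]: ".
# The program name may contain '/' (inbound/pass1) or be plain (scan).
SYSLOG_HEADER = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) '
    r'(?P<program>[^\[\s]+)\[(?P<pid>\d+)\]: '
)

# Barracuda scan record (assumed layout, see lead-in). The record can also
# arrive without a syslog header, as in the pdbtool example from the issue.
SCAN_RECORD = re.compile(
    r'^(?P<sender_host>\S+?)\[(?P<sender_ip>[^\]]+)\] '
    r'(?P<msg_id>\S+) (?P<start>\d+) (?P<end>\d+) SCAN '
    r'(?P<enc>\S+) (?P<sender>\S+) (?P<recipient>\S+) '
    r'(?P<score>\S+) (?P<action>\d+) (?P<reason>\d+) (?P<reason_extra>\S+) '
    r'SZ:(?P<size>\d+) SUBJ:(?P<subject>.*)$'
)

# ELSA class name from the issue's corrected INSERT statements.
SCAN_CLASS = "BARRACUDA_SCAN"


def _dash_or(value: str, convert):
    """Barracuda writes '-' for an absent field; map that to None."""
    return None if value == '-' else convert(value)


def parse_barracuda_line(line: str) -> Optional[Dict]:
    """Parse one scan-log line (with or without syslog header).

    Returns a dict of typed fields, or None if the line is not a scan record.
    """
    line = line.rstrip('\n')
    header = SYSLOG_HEADER.match(line)
    meta = header.groupdict() if header else {}
    body = line[header.end():] if header else line

    rec = SCAN_RECORD.match(body)
    if rec is None:
        return None
    f = rec.groupdict()
    return {
        'class': SCAN_CLASS,
        'syslog_ts': meta.get('ts'),
        'reporting_host': meta.get('host'),
        'program': meta.get('program'),
        'pid': int(meta['pid']) if meta else None,
        'sender_host': f['sender_host'],
        'sender_ip': f['sender_ip'],
        'msg_id': f['msg_id'],
        'start': int(f['start']),
        'end': int(f['end']),
        'encrypted': f['enc'] == 'ENC',
        'sender': f['sender'],
        'recipient': f['recipient'],
        'score': _dash_or(f['score'], float),
        'action': int(f['action']),
        'reason': int(f['reason']),
        'reason_extra': _dash_or(f['reason_extra'], str),
        'size': int(f['size']),
        'subject': f['subject'],
    }


def parse_batch(lines: List[str]) -> Tuple[List[Dict], List[str]]:
    """Split a batch into parsed records and the raw lines that did not parse.

    The second list is what to inspect when records never reach the index.
    """
    parsed, unparsed = [], []
    for line in lines:
        rec = parse_barracuda_line(line)
        (parsed if rec else unparsed).append(rec if rec else line)
    return parsed, unparsed


# Constructed sample input: the issue's three examples, rejoined onto one line each.
SAMPLE_LINES = [
    "Jul  2 10:53:23 192.168.0.1 inbound/pass1[8021]: fromuser@example.com[1.2.3.4] "
    "1404316403-0510bf1f5594b70001-nMGjtS 1404316403 1404316403 SCAN - "
    "fromuser@example.com touser@example.com - 2 74 example.com SZ:3327 SUBJ:Spammy "
    "Subject Line",
    "Jul  2 11:06:22 192.168.252.30 scan[16841]: nm21-vm4.bullet.mail.gq1.yahoo.com"
    "[98.136.217.51] 1404317180-0510bf1f5594e30001-JKu0sW 1404317181 1404317182 SCAN "
    "ENC fromuser@example.com touser@example.com - 7 35 - SZ:3137 SUBJ:Lalalala",
    "UNKNOWN[1.2.3.4] 1404312539-0510bf1f5593c60001-nyON8p 1404312539 1404312540 "
    "SCAN ENC fromuser@example.com touser@example.com 0.001 0 0 - SZ:30774 SUBJ:RE: "
    "lalala",
]

if __name__ == '__main__':
    ok, bad = parse_batch(SAMPLE_LINES)
    for rec in ok:
        print(rec['class'], rec['program'], rec['sender_ip'], rec['action'], rec['subject'])
    print("unparsed:", bad)
```

The two regexes are deliberately separate so that a header-only mismatch (a new program name, a different syslog format) is distinguishable from a record-layout mismatch; when a line lands in the unparsed list, try `SCAN_RECORD` on the body alone to see which half failed.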