Closed PricklyPotato closed 9 months ago
I opened a case with Splunk, but they replied with this answer:
Case #3361565 SC4S fails to parse Radware WAF AppWall data
Hello Team,
I appreciate your patience.
After doing more research, I'm thinking of adding Radware Web Application Firewall to the list of approved vendors in the SC4S product itself. After I bring up this issue internally with our SC4S Development team, they would examine the supplied traces and logs and would help to create a filter to support this vendor in upcoming SC4S release.
This problem would be regarded as an enhancement request, and our SC4S Engineering team would have to handle it. Therefore, in order to resolve this issue, I would ask that you open a new enhancement case on the Github Portal. We are unable to create Github tickets on Github due to protocol.
I'm going to share with you the SC4S Git URL so you can open a new ticket under the Issues page.
I am attaching the pcap files.
Hi @PricklyPotato, Splunk Connect for Syslog doesn't support OLF 6 – Open Log Format.
Please change source configuration to syslog: https://support.radware.com/app/answers/answer_view/a_id/1030935/~/appwall%3A-how-to-check-in-syslog-message-what-action-was-taken-on-the-detected
And then please send us your new pcap file
Closing this issue due to lack of activity for the past 10 days
What is the sc4s version? sc4s version=2.49.8
Is there a pcap available? yes
What is the vendor name? Radware
What's the product name? WAF - Vision
Feature Request description
Well, I need the data to be sent to Splunk already parsed. Currently it arrives in this format:
_PRI=13 MESSAGE=OLF6 appwall 2.1 date="11/27/2023 17:27:53 +00" et=System sev=error subj="SSL Protocol Violation" evtid=1701106073-18 hostname=waf01 hostip=172.20.10.194 module=Comm_SubSys devtype="Stand Alone Gateway" cmip=172.20.10.194 msg="failed to perform TLS/SSL handshake, the client IP is 192.241.219.52:50956, the client had requested SSL/TLS version TLS 1.0 that is not supported by AppWall, the AppWall supports TLS 1.2, the technical info: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol"
host = 172.20.10.194
sc4sloghost = SC4SBST
source = sc4s
sourcetype = sc4s:fallback
Should it support TCP or UDP? UDP
Do you want to have it for local usage or prepare a github PR? Well, ideally for local use, but if we put it out as a GitHub PR it will be better for everyone.
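The event quoted above landed in sc4s:fallback because SC4S has no parser for the OLF 6 body, so every field sits inside one raw string. As an added example (not SC4S's own code and not anything from Radware), the following Python parser shows what a filter for this format has to do: unwrap the `_PRI=<n> MESSAGE=<raw>` form that the fallback sourcetype produces, decode the syslog priority into facility and severity, read the `OLF6 appwall 2.1` header, and split the key=value pairs while respecting double-quoted values (the `msg` field contains spaces, commas and colons). The sample string is the issue's own event reproduced inline; the `client_endpoint` and `is_legacy_tls_violation` helpers assume the free-text phrasing seen in that single sample and would need widening for other AppWall message types.

```python
import re

# Constructed sample: the sc4s:fallback event quoted in the issue, as one string.
SAMPLE_FALLBACK = (
    '_PRI=13 MESSAGE=OLF6 appwall 2.1 date="11/27/2023 17:27:53 +00" et=System '
    'sev=error subj="SSL Protocol Violation" evtid=1701106073-18 hostname=waf01 '
    'hostip=172.20.10.194 module=Comm_SubSys devtype="Stand Alone Gateway" '
    'cmip=172.20.10.194 msg="failed to perform TLS/SSL handshake, the client IP is '
    '192.241.219.52:50956, the client had requested SSL/TLS version TLS 1.0 that is '
    'not supported by AppWall, the AppWall supports TLS 1.2, the technical info: '
    'error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol"'
)

# "_PRI=<n> MESSAGE=<raw>" is how the fallback event in the issue carries the
# syslog priority value and the payload SC4S could not parse.
FALLBACK_RE = re.compile(r'^_PRI=(?P<pri>\d+)\s+MESSAGE=(?P<message>.*)$', re.S)

# OLF header: "OLF<version> <product> <product version>" then key=value pairs.
HEADER_RE = re.compile(
    r'^OLF(?P<version>\d+)\s+(?P<product>\S+)\s+(?P<pversion>\S+)\s*(?P<rest>.*)$', re.S)

# key=value where value is a double-quoted string (backslash escapes allowed)
# or a bare whitespace-free token.
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# Syslog severity codes 0..7 (RFC 5424 names).
SEVERITY_NAMES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']

# Assumption: phrasing of the client endpoint as it appears in the sample msg.
CLIENT_RE = re.compile(r'the client IP is (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)')


def parse_olf(message):
    """Split an OLF message into its header fields plus the key=value body."""
    m = HEADER_RE.match(message.strip())
    if not m:
        raise ValueError('not an OLF message: %r' % message[:40])
    event = {
        'olf_version': int(m['version']),
        'product': m['product'],
        'product_version': m['pversion'],
    }
    for kv in KV_RE.finditer(m['rest']):
        key, quoted, bare = kv.group(1, 2, 3)
        # quoted is None for bare tokens; unescape \" inside quoted values
        event[key] = quoted.replace('\\"', '"') if quoted is not None else bare
    return event


def parse_fallback_event(text):
    """Unwrap the _PRI/MESSAGE fallback form and decode the syslog priority."""
    m = FALLBACK_RE.match(text.strip())
    if not m:
        raise ValueError('not a _PRI/MESSAGE fallback event')
    facility, severity = divmod(int(m['pri']), 8)  # PRI = facility * 8 + severity
    event = parse_olf(m['message'])
    event['syslog_facility'] = facility
    event['syslog_severity'] = SEVERITY_NAMES[severity]
    return event


def client_endpoint(event):
    """Return (ip, port) of the remote client named in the free-text msg, or None."""
    m = CLIENT_RE.search(event.get('msg', ''))
    return (m['ip'], int(m['port'])) if m else None


def is_legacy_tls_violation(event):
    """Detection helper: handshake refused because the client offered SSLv3/TLS 1.0/1.1."""
    return (event.get('subj') == 'SSL Protocol Violation'
            and re.search(r'\b(?:SSLv3|TLS 1\.[01])\b', event.get('msg', '')) is not None)


if __name__ == '__main__':
    ev = parse_fallback_event(SAMPLE_FALLBACK)
    for k in ('hostname', 'hostip', 'subj', 'sev', 'evtid',
              'syslog_facility', 'syslog_severity'):
        print(f'{k:17} {ev[k]}')
    print('client endpoint   ', client_endpoint(ev))
    print('legacy TLS        ', is_legacy_tls_violation(ev))
```

With `_PRI=13` the priority decodes to facility 1 (user) and severity 5 (notice), which is what the syslog envelope said regardless of the `sev=error` field inside the OLF body; a production filter should map the vendor's `sev` rather than trust the transport priority. Once the pairs are split out, `hostname`, `subj`, `evtid` and the client endpoint become indexed fields instead of text inside one fallback string, which is what the feature request is asking SC4S to do.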