Barracuda
LogZilla App Store application: Barracuda
Overview
The Barracuda Web Security Gateway is a web security appliance that provides advanced threat protection for organizations. It functions as a web proxy server that inspects HTTP and HTTPS traffic, blocking malware, viruses, spyware, and malicious websites while enforcing web usage policies. The gateway offers real-time content filtering, application control, and data loss prevention capabilities to protect networks from web-based threats and ensure compliance with organizational security policies.
App Function
The Barracuda app summarizes the proxy action, subject address, and reason for the action into user tags.
Vendor Documentation
Incoming Log Format
Barracuda logs use a fixed-format with space-separated fields (values only).
Parsed Metadata Fields
| Tagged | Tag Name | Field Name | Example | Description |
|---|---|---|---|---|
| Epoch Time | 1158710827 | Seconds since 1970, UNIX timestamp. | ||
| ☑ | SrcIP | Src IP | 11.22.33.44 | IP address of the client (source). |
| ☑ | DstIP | Dest IP | 11.22.33.44(55.66.77.88) | IP address for the page (destination) that was blocked by the Barracuda Web Security Gateway. |
| Content Type | text/html | HTTP header designated content type. | ||
| Src IP | 11.22.33.44 | IP address of the (source). | ||
| Destination URL | http://www.xxx.com | The URL the client tried to visit. | ||
| Data Size | 2704 | The size of the content. | ||
| ☑ | Action | Action | BYF ALLOWED | Action performed by the transparent proxy. "BYF" is a static string. |
| ☑ | Reason | Reason | CLEAN | Reason for the action |
| Details | Stream=>Eicar-Test-Signature FOUND | (only for blocked traffic:) the name of the virus or spyware that was detected | ||
| Format Version | 2 | The version of the policy engine output. | ||
| Match flag | 1 | Whether an existing policy matched the traffic. (1 Yes, 0 No) | ||
| TQ flag | 0 | Whether the rule is time-qualified. For example, during work hours 9am - 5pm. (1 Yes, 0 No) | ||
| Action Type | 1 | The action performed by the policy engine on this request | ||
| Src Type | 3 | If matched by source, what its type is | ||
| Src Detail | - | Any detail related to the matched source. | ||
| Dst Type | 1 | If matched by destination, what its type is | ||
| Dst Detail | adult | Detail of the matched destination (such as the first matched category) | ||
| Spy Type | 0 | If it is a spyware hit, what its type is | ||
| ☑ | Spy ID | Spy ID | - | The name of the spyware if matched due to spyware hit. |
| Infection Score | 0 | Weight of the infection. Currently, mostly 0. | ||
| ☑ | Match Part | Matched Part | sex.com | The part of the rule that matched. |
| ☑ | Match Category | Matched Category | adult,porn | The policy category that matched the traffic. |
| ☑ | User Info | User Info | ANON | User information |
| Referer URL | http://www.purple.com/purple.html | If enabled, displays URL of Referer. If disabled, displays a dash '–' | ||
| Referer Domain | purple.com | If enabled, displays domain of Referer. If disabled, displays a dash '–' . | ||
| ☑ | Referer Category | Referer Category | news, adult, hosted-personal-pages | If enabled, displays the category to which the Referer domain belongs. If disabled, displays a dash '–'. |
| WSA Remote User Type | 1 | Indicates whether traffic comes from a Barracuda WSA client (Windows or Macintosh) or is local traffic. |
Field Notes
Action
This indicates the action the proxy server took in response to the HTTP request. Possible values are:
- ALLOWED: Traffic was processed by the transparent proxy and no virus or spyware was detected.
- BLOCKED: Traffic was blocked by the transparent proxy because the proxy detected virus or spyware.
- DETECTED: Another process detected outbound spyware activity.
Reason
This is the reason the action was taken for the request. Possible values are:
- CLEAN: Traffic does not contain any virus or spyware.
- VIRUS: Traffic was blocked because it contains a virus.
- SPYWARE: Traffic was blocked because it contains spyware.
Action Type
This indicates the action performed by the policy engine for the request:
| Value | Meaning |
|---|---|
| 0 | allowed |
| 1 | denied |
| 2 | redirected |
| 3 | rewritten by add/set a new parameter in query |
| 4 | rewritten by deleting an existing parameter in query |
| 5 | matched a rule and allowed but marked as monitored |
| 6 | branched to another rule set. |
Src Type
If this value is matched by source its type is:
| Value | Type |
|---|---|
| 0 | always, matches any source |
| 1 | group, matched by group id |
| 2 | IPv4addr, matched by an IPv4 address |
| 3 | login, matched by login |
| 4 | login any, matched any authenticated user |
| 5 | min_score, matched due to minimum infection threshold breached. |
Dst Type
If this value is matched by destination its type is:
| Value | Type |
|---|---|
| 0 | always, matched any destination |
| 1 | category, matched a particular category |
| 2 | category any, matched any category |
| 3 | domain, matched due to domain or subdomain |
| 4 | mimetype, matched due to mime-type |
| 5 | spyware hit, matched due to spyware hit |
| 6 | URI path regex, matched URI path |
| 7 | URI regex, matched any part of the URI |
| 8 | application, matches an application characteristics |
Spy Type
If the request is a spyware hit its type is:
| Value | Type |
|---|---|
| 0 | allow |
| 1 | block |
| 2 | infection |
User Information
User information is one of the following:
- ANON: Anonymous, unauthenticated users
- ldap: Username: LDAP user info
- username: Non-LDAP user info (users created in the admin interface).
High-Cardinality (HC) Tags
SrcIPDstIP
Log Examples
Example 1: Clean, Policy-Allowed Traffic
The following example shows a log message for clean traffic from a Barracuda WSA client going to an allowed website (cnn.com). The term "clean" represents traffic that does not contain viruses or spyware.
text1158710819 1 11.22.33.44 55.66.77.88 image/gif 10.1.1.8 http://i.cnn.net/cnn/.element/img/1.3/video/tab.middle.on.gif 1744 BYF ALLOWED CLEAN 2 0 0 0 0 - 0 - 0 - 0 cnn.net news ANON http://www.cnn.com www.cnn.com news 1
Example 2: Virus-Infected Traffic Blocked
The following example shows inline traffic that has been blocked by the Barracuda Web Security Gateway because the traffic contains a known virus.
text1158710880 1 11.22.33.44 127.0.0.1 - 11.22.33.44 http://www.eicar.org/download/eicar.com.txt 0 BYF BLOCKED VIRUS stream=>Eicar-Test-Signature FOUND 2 0 0 0 0 - 0 - 0 - 0 eicar.org computing-technology ANON http://www.somedomain.com/index.html somedomain.com news 0
Example 3: Inline Traffic Showing Simple Content
text1480360415 1 11.22.33.44 55.66.77.88 - 11.22.33.44 https://self-repair.mozilla.org/ 7652 BYF ALLOWED CLEAN 2 0 0 0 0 (-) 0 - 0 - 0 self-repair.mozilla.org computing-technology,CUSTOM-142556317732606,CUSTOM-1425889735316,CUSTOM-1425890081323,CUSTOM-1425890385330,CUSTOM-1425890704337,CUSTOM-1425890996342 \[[email protected]\] https://self-repair.mozilla.org - - 0