Web Security Gateway (WSG)
The Barracuda Web Security Gateway is a proxy server that blocks malware. The parsing rule summarizes the proxy action, the subject (client) address, and the reason for the action into user tags.
Incoming log format
The logs are fixed-format, space-separated fields (values only, without field names). The fields, in order, are:
| Tagged | Tag Name | Field Name | Example | Description |
|---|---|---|---|---|
| | | Epoch Time | 1158710827 | Seconds since 1970 (UNIX timestamp). |
| | | Src IP | 184.108.40.206 | IP address of the client (source). |
| | | Dest IP | 220.127.116.11(18.104.22.168) | IP address of the page (destination) that was blocked by the Barracuda Web Security Gateway. |
| | | Content Type | text/html | Content type as given in the HTTP header. |
| | | Src IP | 22.214.171.124 | IP address of the source. |
| | | Destination URL | http://www.sex.com | The URL the client tried to visit. |
| | | Data Size | 2704 | The size of the content. |
| | | Action | BYF ALLOWED | Action performed by the transparent proxy. "BYF" is a static string. |
| | | Reason | CLEAN | Reason for the action. |
| | | Details | Stream=>Eicar-Test-Signature FOUND | Only for blocked traffic: the name of the virus or spyware that was detected. |
| | | Format Version | 2 | The version of the policy engine output. |
| | | Match flag | 1 | Whether an existing policy matched the traffic (1 = yes, 0 = no). |
| | | TQ flag | 0 | Whether the rule is time-qualified, for example to work hours 9am - 5pm (1 = yes, 0 = no). |
| | | Action Type | 1 | The action performed by the policy engine on this request. |
| | | Src Type | 3 | If matched by source, the type of the source match. |
| | | Src Detail | - | Any detail related to the matched source. |
| | | Dst Type | 1 | If matched by destination, the type of the destination match. |
| | | Dst Detail | adult | Detail of the matched destination (such as the first matched category). |
| | | Spy Type | 0 | If it is a spyware hit, the type of the hit. |
| | | Spy ID | - | The name of the spyware if matched due to a spyware hit. |
| | | Infection Score | 0 | Weight of the infection. Currently mostly 0. |
| | | Matched Part | sex.com | The part of the rule that matched. |
| | | Matched Category | adult,porn | The policy category that matched the traffic. |
| ☑ | User Info | User Info | ANON | User information. |
| | | Referer URL | http://www.purple.com/purple.html | If enabled, the URL of the Referer; if disabled, a dash '-'. |
| | | Referer Domain | purple.com | If enabled, the domain of the Referer; if disabled, a dash '-'. |
| | | Referer Category | news, adult, hosted-personal-pages | If enabled, the category to which the Referer domain belongs; if disabled, a dash '-'. |
| | | WSA Remote User Type | 1 | Indicates whether traffic comes from a Barracuda WSA client (Windows or Macintosh) or is local traffic. |
Action
This indicates what action the proxy server took in response to the HTTP request. Possible values are:
- ALLOWED: Traffic was processed by the transparent proxy and no virus or spyware was detected.
- BLOCKED: Traffic was blocked by the transparent proxy, most likely because the proxy detected a virus or spyware.
- DETECTED: Another process detected outbound spyware activity.
Reason
This is the reason the above action was taken for the request. Possible values are:
- CLEAN: Traffic does not contain any virus or spyware.
- VIRUS: Traffic was blocked because it contains a virus.
- SPYWARE: Traffic was blocked because it contains spyware.
Action Type
This indicates the action performed by the policy engine for the request:
| Value | Meaning |
|---|---|
| 3 | Rewritten by adding/setting a new parameter in the query. |
| 4 | Rewritten by deleting an existing parameter in the query. |
| 5 | Matched a rule and allowed, but marked as monitored. |
| 6 | Branched to another rule set. |
Src Type
If the request was matched by source, the type of the source match is:
| Value | Meaning |
|---|---|
| 0 | always: matches any source. |
| 1 | group: matched by group id. |
| 2 | IPv4addr: matched by an IPv4 address. |
| 3 | login: matched by login. |
| 4 | login any: matched any authenticated user. |
| 5 | min_score: matched because the minimum infection threshold was breached. |
Dst Type
If the request was matched by destination, the type of the destination match is:
| Value | Meaning |
|---|---|
| 0 | always: matched any destination. |
| 1 | category: matched a particular category. |
| 2 | category any: matched any category. |
| 3 | domain: matched by domain or subdomain. |
| 4 | mimetype: matched by MIME type. |
| 5 | spyware hit: matched by a spyware hit. |
| 6 | URI path regex: matched the URI path. |
| 7 | URI regex: matched any part of the URI. |
| 8 | application: matched application characteristics. |
Spy Type
If the request is a spyware hit, its type is:
User Info
User information is one of the following:
- ANON: Anonymous, unauthenticated users.
- ldap: Username: LDAP user info.
- username: Non-LDAP user info (users created in the admin interface).
Example 1: Clean, policy-allowed traffic
The following example shows a log message for clean traffic from a Barracuda WSA client going to an allowed website (cnn.com). The term "clean" means traffic that does not contain viruses or spyware.
Example 2: Virus-infected traffic blocked by the Barracuda Web Security Gateway
The following example shows inline traffic that has been blocked by the Barracuda Web Security Gateway because the traffic contains a known virus.
Example 3: Inline traffic showing simple content
1480360415 1 126.96.36.199 188.8.131.52 - 184.108.40.206 https://self-repair.mozilla.org/ 7652 BYF ALLOWED CLEAN 2 0 0 0 0 (-) 0 - 0 - 0 self-repair.mozilla.org computing-technology,CUSTOM-142556317732606,CUSTOM-1425889735316,CUSTOM-1425890081323,CUSTOM-1425890385330,CUSTOM-1425890704337,CUSTOM-1425890996342 [email@example.com] https://self-repair.mozilla.org - - 0
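The field table above and Example 3 together show the one awkward property of this format: the Details field is present only for blocked traffic and can contain spaces, so a naive split on whitespace misaligns every field after it. The parser below is an added example (not code from this page, from Barracuda, or from the log collector the page documents): it reads the fixed leading fields from the left, the 18 fixed policy-engine fields from the right, and treats whatever lies between as Details. One assumption is labelled in the code: Example 3 carries a token between Epoch Time and Src IP that the table does not describe, and the parser keeps it under the name `undocumented` so the remaining fields line up. The blocked line is constructed for the test; the allowed line is Example 3 from this page.

```python
"""Parse Barracuda Web Security Gateway (WSG) syslog lines into typed records.

Added example, not the page's or Barracuda's own code. Fixed leading fields
are read from the left, the 18 trailing policy-engine fields from the right,
and the optional multi-word Details field is whatever sits between them.
"""
from datetime import datetime, timezone

# Value tables transcribed from this page (Action Type values 0-2 are not listed there).
ACTION_TYPE = {
    3: "rewritten by add/set a new parameter in query",
    4: "rewritten by deleting an existing parameter in query",
    5: "matched a rule and allowed but marked as monitored",
    6: "branched to another rule set",
}
SRC_TYPE = {0: "always", 1: "group", 2: "IPv4addr", 3: "login", 4: "login any", 5: "min_score"}
DST_TYPE = {0: "always", 1: "category", 2: "category any", 3: "domain", 4: "mimetype",
            5: "spyware hit", 6: "URI path regex", 7: "URI regex", 8: "application"}

# Assumption: Example 3 on the page has one token between Epoch Time and Src IP that the
# field table does not describe; it is kept here as "undocumented" to keep alignment.
HEAD = ["epoch_time", "undocumented", "src_ip", "dest_ip", "content_type", "src_ip_2",
        "destination_url", "data_size", "byf", "action", "reason"]
TAIL = ["format_version", "match_flag", "tq_flag", "action_type", "src_type", "src_detail",
        "dst_type", "dst_detail", "spy_type", "spy_id", "infection_score", "matched_part",
        "matched_category", "user_info", "referer_url", "referer_domain", "referer_category",
        "wsa_remote_user_type"]
INT_FIELDS = ("data_size", "format_version", "match_flag", "tq_flag", "action_type", "src_type",
              "dst_type", "spy_type", "infection_score", "wsa_remote_user_type")


def parse_wsg_line(line):
    """Return a dict of typed fields for one WSG log line; raise ValueError if malformed."""
    tokens = line.split()
    needed = len(HEAD) + len(TAIL)
    if len(tokens) < needed:
        raise ValueError("WSG line has %d fields, need at least %d" % (len(tokens), needed))
    rec = dict(zip(HEAD, tokens[:len(HEAD)]))
    rec.update(zip(TAIL, tokens[len(tokens) - len(TAIL):]))
    if rec["byf"] != "BYF":
        raise ValueError("static BYF marker missing; fields are misaligned")
    # Everything between the two fixed runs is the optional Details field (blocked traffic only).
    middle = tokens[len(HEAD):len(tokens) - len(TAIL)]
    rec["details"] = " ".join(middle) if middle and middle != ["-"] else None
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    rec["timestamp"] = datetime.fromtimestamp(int(rec["epoch_time"]), tz=timezone.utc)
    # A dash means disabled/absent for these fields; represent that as None.
    for key in ("referer_url", "referer_domain", "referer_category", "spy_id", "dst_detail"):
        if rec[key] == "-":
            rec[key] = None
    cats = rec["matched_category"]
    rec["matched_category"] = [] if cats == "-" else cats.split(",")
    rec["user_info"] = rec["user_info"].strip("[]")  # Example 3 wraps the user in brackets
    rec["action_type_name"] = ACTION_TYPE.get(rec["action_type"], "undocumented")
    rec["src_type_name"] = SRC_TYPE.get(rec["src_type"], "undocumented")
    rec["dst_type_name"] = DST_TYPE.get(rec["dst_type"], "undocumented")
    return rec


def user_tags(rec):
    """The three tags the page says the rule summarizes: proxy action, subject address, reason."""
    return {"action": rec["action"], "subject": rec["src_ip"], "reason": rec["reason"]}


def is_threat(rec):
    """True when the proxy blocked or detected malicious traffic (the events worth alerting on)."""
    return rec["action"] in ("BLOCKED", "DETECTED") or rec["reason"] in ("VIRUS", "SPYWARE")


# Example 3 from this page (brackets un-escaped) and a constructed BLOCKED line whose
# Details field has two words (the EICAR test signature named in the field table).
EXAMPLE_3 = ("1480360415 1 126.96.36.199 188.8.131.52 - 184.108.40.206 https://self-repair.mozilla.org/ "
             "7652 BYF ALLOWED CLEAN 2 0 0 0 0 (-) 0 - 0 - 0 self-repair.mozilla.org "
             "computing-technology,CUSTOM-142556317732606,CUSTOM-1425889735316,CUSTOM-1425890081323,"
             "CUSTOM-1425890385330,CUSTOM-1425890704337,CUSTOM-1425890996342 [email@example.com] "
             "https://self-repair.mozilla.org - - 0")
CONSTRUCTED_BLOCKED = ("1158710827 1 192.0.2.10 198.51.100.20 application/octet-stream 192.0.2.10 "
                       "http://www.example.com/eicar.com 68 BYF BLOCKED VIRUS "
                       "Stream=>Eicar-Test-Signature FOUND "
                       "2 1 0 1 0 - 1 adult 0 - 0 example.com adult,porn ANON - - - 0")

if __name__ == "__main__":
    for line in (EXAMPLE_3, CONSTRUCTED_BLOCKED):
        rec = parse_wsg_line(line)
        print(rec["timestamp"].isoformat(), user_tags(rec),
              "threat" if is_threat(rec) else "clean", rec["details"],
              rec["dst_type_name"], rec["matched_category"])
```

Parsing from both ends is what makes the BLOCKED case safe: the Details text can hold any number of words without shifting Format Version and the fields after it. The `BYF` check is a cheap alignment guard, since that token is documented as static; a line that fails it has been truncated or is not a WSG line at all.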