Skip to content

Web Security Gateway (WSG)

Rule Function

The Barracuda Web Security Gateway is a proxy server that blocks malware. The rule summarizes into user tags the proxy action, the subject address, and the reason for the action.

Vendor Documentation

Syslog and the Barracuda Web Security Gateway

Incoming log format

The logs are fixed-format space-separated fields (values only).

User Tags

Tagged Tag Name Field Name Example Description
Epoch Time 1158710827 Seconds since 1970, UNIX timestamp.
SrcIP Src IP 11.22.33.44 IP address of the client (source).
DstIP Dest IP 11.22.33.44(55.66.77.88) IP address for the page (destination) that was blocked by the Barracuda Web Security Gateway.
Content Type text/html HTTP header designated content type.
Src IP 11.22.33.44 IP address of the (source).
Destination URL http://www.sex.com The URL the client tried to visit.
Data Size 2704 The size of the content.
Action Action BYF ALLOWED Action performed by the transparent proxy. "BYF" is a static string.
Reason Reason CLEAN Reason for the action
Details Stream=>Eicar-Test-Signature FOUND (only for blocked traffic:) the name of the virus or spyware that was detected
Format Version 2 The version of the policy engine output.
Match flag 1 Whether an existing policy matched the traffic. (1 Yes, 0 No)
TQ flag 0 Whether the rule is time-qualified. For example, during work hours 9am - 5pm. (1 Yes, 0 No)
Action Type 1 The action performed by the policy engine on this request
Src Type 3 If matched by source, what its type is
Src Detail - Any detail related to the matched source.
Dst Type 1 If matched by destination, what its type is
Dst Detail adult Detail of the matched destination (such as the first matched category)
Spy Type 0 If it is a spyware hit, what its type is
Spy ID Spy ID - The name of the spyware if matched due to spyware hit.
Infection Score 0 Weight of the infection. Currently, mostly 0.
Match Part Matched Part sex.com The part of the rule that matched.
Match Category Matched Category adult,porn The policy category that matched the traffic.
User Info User Info ANON User information
Referer URL http://www.purple.com/purple.html If enabled, displays URL of Referer. If disabled, displays a dash '–'
Referer Domain purple.com If enabled, displays domain of Referer. If disabled, displays a dash '–' .
Referer Category Referer Category news, adult, hosted-personal-pages If enabled, displays the category to which the Referer domain belongs. If disabled, displays a dash '–'.
WSA Remote User Type 1 Indicates whether traffic comes from a Barracuda WSA client (Windows or Macintosh) or is local traffic.

Field Notes

Action

This indicates what action the proxy server took to respond to the http request. Possibilities are:

  • ALLOWED: Traffic was processed by the transparent proxy and no virus or spyware was detected.
  • BLOCKED: Traffic was blocked by the transparent proxy most likely because the proxy detected virus or spyware.
  • DETECTED: Another process detected outbound spyware activity.

Reason

This is the reason that the aforementioned action was taken (for the request). Possible values are:

  • CLEAN: Traffic does not contain any virus or spyware.
  • VIRUS: Traffic was blocked because it contains a virus.
  • SPYWARE: Traffic was blocked because it contains spyware.

Action Type

This indicates the action performed by the policy engine for the request:

Value Meaning
0 allowed
1 denied
2 redirected
3 rewritten by add/set a new parameter in query
4 rewritten by deleting an existing parameter in query
5 matched a rule and allowed but marked as monitored
6 branched to another rule set.

Src Type

If this value is matched by source its type is:

Value Type
0 always, matches any source
1 group, matched by group id
2 IPv4addr, matched by an IPv4 address
3 login, matched by login
4 login any, matched any authenticated user
5 min_score, matched due to minimum infection threshold breached.

Dst Type

If this value is matched by destination its type is:

Value Type
0 always, matched any destination
1 category, matched a particular category
2 category any, matched any category
3 domain, matched due to domain or subdomain
4 mimetype, matched due to mime-type
5 spyware hit, matched due to spyware hit
6 URI path regex, matched URI path
7 URI regex, matched any part of the URI
8 application, matches an application characteristics

Spy Type

If the request is a spyware hit its type is:

Value Type
0 allow
1 block
2 infection

User Information

User information is one of the following:

  • ANON: Anonymous, unauthenticated users
  • ldap: Username: LDAP user info
  • username: Non-LDAP user info (users created in the admin interface).

HC Tags

  • SrcIP
  • DstIP

Log Examples

Example 1. Clean, policy-allowed traffic
The following example shows a log message for clean traffic from a Barracuda WSA client going to an allowed website (cnn.com). The term “clean” represents traffic that does not contain viruses or spyware.

1158710819 1 11.22.33.44 55.66.77.88 image/gif 10.1.1.8 http://i.cnn.net/cnn/.element/img/1.3/video/tab.middle.on.gif 1744 BYF ALLOWED CLEAN 2 0 0 0 0 - 0 - 0 - 0 cnn.net news ANON http://www.cnn.com www.cnn.com news 1

Example 2: Virus-infected traffic blocked by the Barracuda Web Security Gateway
The following example shows inline traffic that has been blocked by the Barracuda Web Security Gateway because the traffic contains a known virus.

1158710880 1 11.22.33.44 127.0.0.1 - 11.22.33.44 http://www.eicar.org/download/eicar.com.txt 0 BYF BLOCKED VIRUS stream=>Eicar-Test-Signature FOUND 2 0 0 0 0 - 0 - 0 - 0 eicar.org computing-technology ANON http://www.somedomain.com/index.html somedomain.com news 0

Example 3: Inline traffic showing simple content

1480360415 1 11.22.33.44 55.66.77.88 - 11.22.33.44 https://self-repair.mozilla.org/ 7652 BYF ALLOWED CLEAN 2 0 0 0 0 (-) 0 - 0 - 0 self-repair.mozilla.org computing-technology,CUSTOM-142556317732606,CUSTOM-1425889735316,CUSTOM-1425890081323,CUSTOM-1425890385330,CUSTOM-1425890704337,CUSTOM-1425890996342 \[[email protected]\] https://self-repair.mozilla.org - - 0