Skip to content

Latest commit

 

History

History
37 lines (35 loc) · 4.13 KB

pC_smwgproxy3denied.md

File metadata and controls

37 lines (35 loc) · 4.13 KB
Raw

Parser Content

{
Name = s-mwg-proxy-3-denied
    Vendor = McAfee
    Product = McAfee Web Gateway
    Lms = Splunk
    DataType = "web-activity"
    IsHVF = true
    TimeFormat = "dd/MMM/yyyy:HH:mm:ss Z"
    Conditions = [ """mwg: Acces Denied [""" ]
    Fields = [
      """exabeam_host=({host}[^\s]{1,2000})""",
      """\s{1,100}({host}[^\s]{1,2000})\s{1,100}mwg:""",
      """({failure_reason}Acces Denied)""",
      """mwg:\s{1,100}Acces Denied\s{1,100}\[({time}[^\]]{1,2000})\]""",
      """mwg:\s{1,100}Acces Denied\s{1,100}\[.+?\]\s{1,100}".*?"\s{1,100}"(?:|-|({user}[^"]{1,2000}))"""",
      """mwg:\s{1,100}Acces Denied\s{1,100}\[.+?\]\s{1,100}(".*?"\s{1,100}){2}({src_ip}[^\s]{1,2000})""",
      """mwg:\s{1,100}Acces Denied\s{1,100}\[.+?\]\s{1,100}(".*?"\s{1,100}){2}[^\s]{1,2000}\s{1,100}({dest_ip}[^\s]{1,2000})""",
      """mwg:\s{1,100}Acces Denied\s{1,100}\[.+?\]\s{1,100}("[^"]{0,2000}?"\s{1,100}){2}([^\s]{1,2000}\s{1,100}){2}"(?:"|-"|({web_domain}[^\s"]{1,2000})")""",
      """mwg:\s{1,100}Acces Denied\s{1,100}\[.+?\]\s{1,100}("[^"]{0,2000}?"\s{1,100}){2}([^\s]{1,2000}\s{1,100}){2}"[^"]{0,2000}?"\s{1,100}({result_code}\d{1,100})""",
      """mwg:\s{1,100}Acces Denied\s{1,100}\[.+?\]\s{1,100}("[^"]{0,2000}?"\s{1,100}){2}([^\s]{1,2000}\s{1,100}){2}"[^"]{0,2000}?"\s{1,100}\d{1,100}\s{1,100}"[^"]{0,2000}?"\s{1,100}({bytes_out}\d{1,100})""",
      """mwg:\s{1,100}Acces Denied\s{1,100}\[.+?\]\s{1,100}("[^"]{0,2000}?"\s{1,100}){2}([^\s]{1,2000}\s{1,100}){2}"[^"]{0,2000}?"\s{1,100}\d{1,100}\s{1,100}"[^"]{0,2000}?"\s{1,100}\d{1,100}\s{1,100}({bytes_in}\d{1,100})""",
      """mwg:\s{1,100}Acces Denied\s{1,100}\[.+?\]\s{1,100}("[^"]{0,2000}?"\s{1,100}){2}([^\s]{1,2000}\s{1,100}){2}"[^"]{0,2000}?"\s{1,100}\d{1,100}\s{1,100}"[^"]{0,2000}?"\s{1,100}(\d{1,100}\s{1,100}){2}"({method}[^\s]{1,2000})""",
      """mwg:\s{1,100}Acces Denied\s{1,100}\[.+?\]\s{1,100}("[^"]{0,2000}?"\s{1,100}){2}([^\s]{1,2000}\s{1,100}){2}"[^"]{0,2000}?"\s{1,100}\d{1,100}\s{1,100}"[^"]{0,2000}?"\s{1,100}(\d{1,100}\s{1,100}){2}"\w+\s{1,100}(?:({protocol}\w+):\/+)?""",
      """mwg:\s{1,100}Acces Denied\s{1,100}\[.+?\]\s{1,100}("[^"]{0,2000}?"\s{1,100}){2}([^\s]{1,2000}\s{1,100}){2}"[^"]{0,2000}?"\s{1,100}\d{1,100}\s{1,100}"[^"]{0,2000}?"\s{1,100}(\d{1,100}\s{1,100}){2}"\w+\s{1,100}(\w+:\/+)?[^\/:]{1,2000}:({dest_port}\d{1,100})""",
      """mwg:\s{1,100}Acces Denied\s{1,100}\[.+?\]\s{1,100}("[^"]{0,2000}?"\s{1,100}){2}([^\s]{1,2000}\s{1,100}){2}"[^"]{0,2000}?"\s{1,100}\d{1,100}\s{1,100}"[^"]{0,2000}?"\s{1,100}(\d{1,100}\s{1,100}){2}"\w+\s{1,100}({full_url}\S+)""",
      """mwg:\s{1,100}Acces Denied\s{1,100}\[.+?\]\s{1,100}("[^"]{0,2000}?"\s{1,100}){2}([^\s]{1,2000}\s{1,100}){2}"[^"]{0,2000}?"\s{1,100}\d{1,100}\s{1,100}"[^"]{0,2000}?"\s{1,100}(\d{1,100}\s{1,100}){2}"\w+\s{1,100}(\w+:\/+)?[^\/:]{1,2000}(:\d{1,100})?({uri_path}\/.*?)(\?|\s{1,100}[^\s]{1,2000}")""",
      """mwg:\s{1,100}Acces Denied\s{1,100}\[.+?\]\s{1,100}("[^"]{0,2000}?"\s{1,100}){2}([^\s]{1,2000}\s{1,100}){2}"[^"]{0,2000}?"\s{1,100}\d{1,100}\s{1,100}"[^"]{0,2000}?"\s{1,100}(\d{1,100}\s{1,100}){2}"\w+\s{1,100}(\w+:\/+)?[^\/:]{1,2000}(:\d{1,100})?\/[^?]{1,2000}({uri_query}\?.*?)\s{1,100}[^\s]{1,2000}"""",
      """mwg:\s{1,100}Acces Denied\s{1,100}\[.+?\]\s{1,100}("[^"]{0,2000}?"\s{1,100}){2}([^\s]{1,2000}\s{1,100}){2}"[^"]{0,2000}?"\s{1,100}\d{1,100}\s{1,100}"[^"]{0,2000}?"\s{1,100}(\d{1,100}\s{1,100}){2}("[^"]{0,2000}?"\s{1,100}){3}\d{1,100}\s{1,100}"(?:-|({category}[^,"]{1,2000}))"""
      """mwg:\s{1,100}Acces Denied\s{1,100}\[.+?\]\s{1,100}("[^"]{0,2000}?"\s{1,100}){2}([^\s]{1,2000}\s{1,100}){2}"[^"]{0,2000}?"\s{1,100}\d{1,100}\s{1,100}"[^"]{0,2000}?"\s{1,100}(\d{1,100}\s{1,100}){2}("[^"]{0,2000}?"\s{1,100}){3}\d{1,100}\s{1,100}"[^"]{0,2000}?"\s{1,100}\d{1,100}\s{1,100}"(?:-|({action}[^"]{1,2000}))"""",
      """mwg:\s{1,100}Acces Denied\s{1,100}\[.+?\]\s{1,100}("[^"]{0,2000}?"\s{1,100}){2}([^\s]{1,2000}\s{1,100}){2}"[^"]{0,2000}?"\s{1,100}\d{1,100}\s{1,100}"[^"]{0,2000}?"\s{1,100}(\d{1,100}\s{1,100}){2}("[^"]{0,2000}?"\s{1,100}){3}\d{1,100}\s{1,100}"[^"]{0,2000}?"\s{1,100}(\w+\s{1,100}"[^"]{0,2000}?"\s{1,100}){3}("[^"]{0,2000}?"\s{1,100}){2}"(?:|-|({user_agent}[^"]{1,2000}?)\s{0,100})("|$)"""
    ]
  

}