Qualys Web Application Firewall

• What is Discovered and Monitored
• Event Types
• Rules
• Reports
• Configuration
• Settings for Access Credentials
• Example Syslog

What is Discovered and Monitored

Protocol	Information discovered	Metrics/Logs collected	Used for
Syslog		Permitted and Denied Web traffic	Log analysis and compliance

Event Types

The following event types are generated by parsing Qualys Web Application Firewall traffic logs and analyzing the HTTP error code.

• Qualys-WAF-Web-Request-Success

• Qualys-WAF-Web-Bad-Request

• Qualys-WAF-Web-Client-Access-Denied

• Qualys-WAF-Web-Client-Error

• Qualys-WAF-Web-Forbidden-Access-Denied

• Qualys-WAF-Web-Length-Reqd-Access-Denied

• Qualys-WAF-Web-Request

• Qualys-WAF-Web-Request-Redirect

• Qualys-WAF-Web-Server-Error

Rules

There are no predefined rules for this device.

Reports

Relevant reports are defined in RESOURCES > Reports > Device > Network > Web Gateway.

Configuration

FortiSIEM processes events from this device via syslog sent in JSON format. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting	Value
Name	<set name>
Device Type	Qualys Web Application Firewall
Access Protocol	See Access Credentials
Port	See Access Credentials
Password config	See Password Configuration

Example Syslog

Note that each JSON formatted syslog contains many logs.

<1350>1 2015-05-15T12:57:30.945000+00:00 localhost qualys_waf - QUALYS_WAF - {"timestamp":"2015-05-15T12:57:30.945-00:00","duration":6011,"id":"487c116c-4908-4ce3-b05c-eda5d5bb7045","clientIp":"172.27.80.170","clientPort":9073,"sensorId":"d3acc41f-d1fc-43be-af71-e7e10e9e66e2","siteId":"41db0970-8413-4648-b7e2-c50ed53cf355","connection":{"id":"bc1379fe-317e-4bae-ae30-2a382e310170","clientIp":"172.27.80.170","clientPort":9073,"serverIp":"192.168.60.203","serverPort"

:443},"request":{"method":"POST","uri":"/","protocol":"HTTP/1.1","host":"esers-test.foo.org","bandwidth":0,"headers":[{"name":"Content-Length","value":"645"},{"name":"Accept","value":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;

q=0.8"},{"name":"User-Agent","value":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36"},{"name":"Content-Type","value":"application/x-www-form-urlencoded"},{"name":"Referer","value":"https://esers-test.ohsers.org/"},{"name":"Accept-Encoding","value":"gzip, deflate"},{"name":"Accept-Language","value":"en-US,en;q=0.8"}],"headerOrder":"HILCAUTRELO"},"response":{"protocol":"HTTP/1.1","status":"200","message":"OK","bandwidth":0,"headers":[{"name":"Content-Type","value":"text/html; charset=utf-8"},{"name":"Server","value":"Microsoft-IIS/8.5"},{"name":"Content-Length","value":"10735"}],"headerOrder":"CTXSDL"},"security":{"auditLogRef":"b02f96e9-2649-4a83-9459-6a02da1a5f05","threatLevel":60,"events":[{"tags":["qid/226015","cat/XPATHi","cat/SQLi","qid/150003","loc/req/body/txtUserId","cfg/pol/applicationSecurity"],

"type":"Alert","rule":"main/qrs/sqli/xpathi/condition_escaping/boolean/confidence_high/3","message":"Condition escaping detected (SQL or XPATH injection) - txtUserId.","confidence":80,"severity":60,"id":"262845566"},{"tags":["cat/correlation","qid/226016"],"type":"Observation","rule":"main/correlation/1",

"message":"Info: Threat level exceeded blocking threshold (60).","confidence":0,"severity":0,"id":"262846018"},{"tags":["cat/correlation","qid/226016"],"type":"Observation","rule":"main/correlation/1",

"message":"Info: Blocking refused as blocking mode is disabled.","confidence":0,"severity":0,"id":"262846167"},{"tags":["cat/correlation","cat/XPATHi","qid/226015"],"type":"Alert","rule":

"main/correlation/1","message":"Detected: XPATHi.","confidence":80,"severity":60,"id":"268789851"}]}}