Barracuda WAF: Add new integration

.github/CODEOWNERS

@@ -29,6 +29,7 @@
 /packages/azure_metrics @elastic/obs-cloud-monitoring
 /packages/barracuda @elastic/security-external-integrations
 /packages/barracuda_cloudgen_firewall @elastic/security-external-integrations
+/packages/barracuda_waf @elastic/security-external-integrations
 /packages/beat @elastic/infra-monitoring-ui
 /packages/bluecoat @elastic/security-external-integrations
 /packages/box_events @elastic/security-external-integrations

packages/barracuda_waf/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@8.6

packages/barracuda_waf/_dev/build/docs/README.md

@@ -0,0 +1,38 @@
+# Barracuda WAF
+Barracuda Web Application Firewall protects applications, APIs, and mobile app backends against a variety of attacks including the OWASP Top 10, zero-day threats, data leakage, and application-layer denial of service (DoS) attacks. By combining signature-based policies and positive security with robust anomaly-detection capabilities, Barracuda Web Application Firewall can defeat today’s most sophisticated attacks targeting your web applications.
+
+
+The Barracuda WAF integration allows you to monitor different log types namely - Web Firewall Logs , Network Firewall Logs , Access Logs.
+
+Use the Barracuda WAF integration to ingest log data. Then visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference `data_stream:log` when troubleshooting an issue.
+
+The log formats are specified [here](https://campus.barracuda.com/product/webapplicationfirewall/doc/92767349/exporting-log-formats/).
+
+## Barracuda WAF Firmware version
+
+This integration is built and tested against the Barracuda Web Application Firewall version **12.1**. Earlier versions may work, but have not been tested.
+
+## Data streams
+
+ The Barracuda WAF integration collects one type of `data streams: logs`
+ **Logs** help you keep a record of events happening in Barracuda WAF.
+
+ There is a single data stream that collects different kinds of logs from the barrcuda waf service and visualizes them separately.
+
+## Requirements
+
+You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it.
+You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
+
+## Setup
+
+For step-by-step instructions on how to set up an integration, see the
+[Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide.
+
+## Logs
+
+The `barracuda_waf.log` dataset provides events from the configured syslog server. All Barracuda WAF syslog specific fields are available in the `barracuda_waf.log` field group.
+
+{{event "log"}}
+
+{{fields "log"}}

packages/barracuda_waf/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,17 @@
+version: "2.3"
+services:
+  barracuda-waf-tls:
+    image: docker.elastic.co/observability/stream:v0.8.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9581 -p=tls --insecure /sample_logs/barracuda.log
+  barracuda-waf-tcp:
+    image: docker.elastic.co/observability/stream:v0.8.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9580 -p=tcp /sample_logs/barracuda.log
+  barracuda-waf-udp:
+    image: docker.elastic.co/observability/stream:v0.8.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9580 -p=udp /sample_logs/barracuda.log

packages/barracuda_waf/_dev/deploy/docker/sample_logs/barracuda.log

@@ -0,0 +1,8 @@
+<129>2023-03-01 14:54:44.502 +0100  barracuda WF ALER NO_PARAM_PROFILE_MATCH 193.56.29.26 61507 10.9.0.4 443 Hackazon:adaptive_url_42099b4af021e53fd8fd URL_PROFILE LOG NONE [Parameter\="0x\\[\\]" value\="androxgh0st"] POST / TLSv1.2 "-" "Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM NOTE 1W Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.5.850 U3/0.8.0 Mobile Safari/534.30" 20.88.228.79 61507 "-" "-" 1869d743696-dfcf8d96
+<129>2023-03-09 13:32:49.219 +0100  barracuda NF ALER TCP 107.150.105.183 33905 10.9.0.4 80 DENY SSH_ATTACK_SOURCES MGMT/LAN/WAN interface traffic:deny
+<129>2023-03-09 13:22:20.996 +0100  barracuda NF ALER TCP 134.122.135.178 44534 10.9.0.4 80 DENY HTTP_ATTACK_SOURCES MGMT/LAN/WAN interface traffic:deny
+<134>2023-03-20 17:23:03.264 +0100  barracuda TR 81.2.69.144 443 89.160.20.112 11610 "-" "-" POST TLSv1.2 67.43.156.2 HTTP/1.1 404 791 322 0 1 1.128.0.1 443 0 "-" INTERNAL DEFAULT PROTECTED INVALID /aws.env "-" "-" "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" 216.160.83.56 11610 "-" "-" "-" "-" 186ffd4d35f-e2c1ae09
+<129>2023-03-01 14:54:44.502 +0100  barracuda WF ALER UNKNOWN_CONTENT_TYPE 193.56.29.26 61507 10.9.0.4 443 Hackazon:adaptive_url_42099b4af021e53fd8fd URL_PROFILE LOG NONE [Content-type\="application/x-www-form-urlencoded"] POST / TLSv1.2 "-" "Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM NOTE 1W Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.5.850 U3/0.8.0 Mobile Safari/534.30" 20.88.228.79 61507 "-" "-" 1869d743696-dfcf8d96
+<129>2023-03-09 13:56:18.404 +0100  barracuda NF ALER TCP 172.105.128.11 57296 10.9.0.4 80 DENY SSH_ATTACK_SOURCES MGMT/LAN/WAN interface traffic:deny
+<134>2023-03-20 17:22:36.102 +0100  barracuda TR 81.2.69.144 443 89.160.20.112 65483 "-" "-" GET TLSv1.2 67.43.156.2 HTTP/1.1 404 791 240 0 0 1.128.0.1 443 0 "-" INTERNAL DEFAULT PROTECTED INVALID /sendgrid.env "-" "-" "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" 216.160.83.56 65483 "-" "-" "-" "-" 186ffd46946-e5bacdd0
+<129>2023-03-09 13:22:20.996 +0100  barracuda NF ALER TCP 134.122.135.178 44534 10.9.0.4 80 DENY HTTP_ATTACK_SOURCES MGMT/LAN/WAN interface traffic:deny

packages/barracuda_waf/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "1.0.0"
+  changes:
+    - description: Barracuda WAF package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/5493

packages/barracuda_waf/data_stream/log/_dev/test/pipeline/test-access.log

@@ -0,0 +1,6 @@
+<134>2023-03-20 17:24:08.959 +0100  barracuda TR 81.2.69.144 443 89.160.20.112 8210 "-" "-" GET TLSv1.2 67.43.156.2 HTTP/1.1 404 791 293 0 3 1.128.0.1 443 0 "-" INTERNAL DEFAULT PROTECTED INVALID / XDEBUG_SESSION_START=phpstorm http://20.84.207.59:80/?XDEBUG_SESSION_START=phpstorm "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 216.160.83.56 8210 "-" "-" "-" "-" 186ffd5d3fc-db6c9f3
+<134>2023-03-20 17:24:05.197 +0100  barracuda TR 81.2.69.144 443 89.160.20.112 20783 "-" "-" GET TLSv1.2 67.43.156.2 HTTP/1.1 503 877 113 0 189 1.128.0.1 443 0 "-" INTERNAL PROFILED PROTECTED INVALID /t4 "-" "-" "-" "Mozilla/5.0" 216.160.83.56 20783 "-" "-" "-" "-" 186ffd5c490-e0b89cc7
+<134>2023-03-20 17:23:52.432 +0100  barracuda TR 81.2.69.144 443 89.160.20.112 29444 "-" "-" GET TLSv1.2 petstore.sec-vanderwal.nl HTTP/1.1 200 14877 292 0 128 1.128.0.1 9000 1 "-" SERVER PROFILED PASSIVE VALID /api/swagger.json "-" https://20.225.112.107/?XDEBUG_SESSION_START=phpstorm "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 216.160.83.56 29444 "-" "-" "-" "-" 186ffd592ef-9baa30e
+<134>2023-03-20 17:23:03.264 +0100  barracuda TR 81.2.69.144 443 89.160.20.112 11610 "-" "-" POST TLSv1.2 67.43.156.2 HTTP/1.1 404 791 322 0 1 1.128.0.1 443 0 "-" INTERNAL DEFAULT PROTECTED INVALID /aws.env "-" "-" "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" 216.160.83.56 11610 "-" "-" "-" "-" 186ffd4d35f-e2c1ae09
+<134>2023-03-20 17:22:36.102 +0100  barracuda TR 81.2.69.144 443 89.160.20.112 65483 "-" "-" GET TLSv1.2 67.43.156.2 HTTP/1.1 404 791 240 0 0 1.128.0.1 443 0 "-" INTERNAL DEFAULT PROTECTED INVALID /sendgrid.env "-" "-" "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" 216.160.83.56 65483 "-" "-" "-" "-" 186ffd46946-e5bacdd0 
+<134>2014-04-11 12:11:24.964 +0530  wafbox1 TR 81.2.69.144 80 1.128.0.1 43740 "-" "-" GET HTTP 81.2.69.144 HTTP/1.1 200 2837 232 0 1008 1.128.0.1 80 10 REQ-0+RES-0   SERVER DEFAULT PASSIVE VALID /index.html name=srawat http://81.2.69.144/index.cgi namdksih=askdj "Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0" 1.128.0.1 43740 John gzip,deflate 2001::128 keep-alive 186ffd46946-e5bacdd0

packages/barracuda_waf/data_stream/log/_dev/test/pipeline/test-access.log-config.yml

@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_original_event