Barracuda CloudGen integration
You can integrate Barracuda CloudGen with Sophos Central so that it sends alerts to Sophos for analysis.
This page gives you an overview of the integration.
Barracuda CloudGen overview
Barracuda CloudGen Firewall offers comprehensive security solutions for cloud and hybrid networks. The firewall improves site-to-site connectivity and enables uninterrupted access to applications hosted in the cloud. With multi-layered defenses, including advanced threat protection and global intelligence networks, Barracuda ensures real-time protection against diverse cyber threats such as ransomware and zero-day attacks. Deployable across physical and cloud environments, it provides integrated SD-WAN capabilities for seamless connectivity and centralised management tools for simplified deployment and comprehensive network visibility.
What we ingest
Sample alerts seen by Sophos:
Login from IP_ADDRESS: Denied: Firewall Rule RULE
rolled out network relevant configuration files
Load Config from FILE
Plug and Play ACPI device, ID (active)
starting vpn client
FW UDP Connection Limit Exceeded
FW Rule Warning
FW Flood Ping Protection Activated
Alerts ingested in full
We advise you to configure the Detailed Firewall Reporting syslog output from the Barracuda CloudGen firewall. This output is subject to significant filtering so that only useful security alerts are processed.
Most alerts are standardised with regex.
Filtering
We currently filter the noisiest alerts. Filters include the following:
UDP-NEW\\(Normal Operation,0\\)
Session Idle Timeout
\\[Request\\] Allow
\\[Request\\] Remove
\\[Sync\\] Changed: Transport
Session PHS: Authentication request from user
Tunnel has now one working transport
Session -------- Tunnel
Abort TCP transport
Info CHHUNFWHQ-01 Session
: Accounting LOGIN
State: REM\\(Unreachable Timeout,20\\)
read failed\\(IOStreamSock: Receive\\(\\) end of file\\) closing connection
DH attributes found in request, generating new key
\\[Sync\\] Changed: Checking Transports
State: UDP-FAIL\\(Port Unreachable,3\\)
DH key agreement successful
Request Timeout \\(HandshakeRequest ReqState=Init RepState=Init\\) -> terminate session
\\[Sync\\] Local: Update Transport
send fast reply
\\[Sync\\] Session Command
\\[HASYNC\\] update
Transport .* State changed to
Accounting LOGOUT
TCP.*close on command
Rule: Authentication Login
Rule: Authentication Logout
Error.*Request Timeout
Info.*Delete Transport
Info.*\\[HASYNC\\]
Notice.*\\[HASYNC\\]
Warning.*Tunnel Heartbeat failed
Info.*Worker Process.*timeout
Error.*Operation: Poll.*Timeout
Info.*\\(New Request
Info.*\\(Normal Operation
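The filters above are regular expressions that are searched for anywhere in the alert text, and a match drops the alert before it is processed. The following is an added example, not Sophos's own filtering code: it applies a subset of the patterns listed on this page (written as plain regex; the page shows them with JSON-style doubled backslashes) to a few constructed alert lines and returns the kept and dropped sets. The sample lines are constructed for illustration and are not real Barracuda output.

```python
import re

# Subset of the noise filters listed on this page, as plain regular expressions.
# The page shows them JSON-escaped (doubled backslashes); decoding that JSON
# yields exactly these patterns.
NOISE_FILTERS = [
    r"UDP-NEW\(Normal Operation,0\)",
    r"Session Idle Timeout",
    r"\[Request\] Allow",
    r"\[Request\] Remove",
    r"\[Sync\] Changed: Transport",
    r"Accounting LOGOUT",
    r"TCP.*close on command",
    r"Info.*\[HASYNC\]",
    r"Warning.*Tunnel Heartbeat failed",
    r"Info.*\(Normal Operation",
]

# Compile once. re.search semantics: a pattern may match anywhere in the line,
# so an unanchored pattern such as "Session Idle Timeout" suppresses every
# line containing that phrase, wherever it sits.
_COMPILED = [re.compile(p) for p in NOISE_FILTERS]


def is_noise(message: str) -> bool:
    """Return True if the message matches any suppression pattern."""
    return any(rx.search(message) for rx in _COMPILED)


def filter_alerts(messages):
    """Split messages into (kept, dropped) lists, preserving input order."""
    kept, dropped = [], []
    for m in messages:
        (dropped if is_noise(m) else kept).append(m)
    return kept, dropped


# Constructed sample lines modelled on the alert shapes shown on this page
# (not real Barracuda output). 203.0.113.10 is a documentation address.
SAMPLE_MESSAGES = [
    "Login from 203.0.113.10: Denied: Firewall Rule BLOCKALL",
    "FW Flood Ping Protection Activated",
    "State: UDP-NEW(Normal Operation,0)",
    "Info [HASYNC] update",
    "Session Idle Timeout",
    "FW UDP Connection Limit Exceeded",
    "Info tcp-1234 TCP close on command",
]

if __name__ == "__main__":
    kept, dropped = filter_alerts(SAMPLE_MESSAGES)
    print("kept:", kept)        # the three security-relevant lines
    print("dropped:", dropped)  # the four operational/noise lines
```

Because the patterns are unanchored and case-sensitive, it is worth checking any new filter against a sample of real traffic before enabling it: a short pattern such as `send fast reply` will also drop any longer message that happens to contain it.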
Sample threat mappings
We use fields.message for threat mappings where it's present, or look up a code from the info field of standard event types. See Security Events.
"alertType": "=> searchRegexList(fields.message, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) ? searchRegexList(fields.message, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) : fields.message"
Samples:
{"alertType": "Number of child processes automatically set to N based on number of CPU cores and size of RAM", "threatId": "T1057", "threatName": "Process Discovery"}
{"alertType": "found no explicit phase1 aggressive configuration in IP_ADDRESS for client", "threatId": "T1573", "threatName": "Encrypted Channel"}
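The alertType expression above tries a list of regexes against fields.message and, when one matches, uses the canonical name from that list; otherwise the message itself becomes the alertType, which is why the two samples carry the standardised message text. The following is an added example, not Sophos's code: it reproduces that logic in Python. The standardisation rules (IP addresses to IP_ADDRESS, bare numbers to N), the two stand-in regex_alert_type lists and the search_regex_list semantics (first match wins, lists searched in order) are assumptions; the page does not publish them. The two threat mappings are the ones shown in the samples above, and the input lines are constructed.

```python
import re

# Standardisation rules (assumed). The page says alerts are standardised with
# regex and its samples show IP_ADDRESS and N placeholders; the real rule set
# is not published. Order matters: replace IPs before bare numbers.
STANDARDISE = [
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "IP_ADDRESS"),
    (re.compile(r"\b\d+\b"), "N"),
]


def standardise(message: str) -> str:
    """Replace variable tokens with placeholders so equal events compare equal."""
    for rx, placeholder in STANDARDISE:
        message = rx.sub(placeholder, message)
    return message


# Hypothetical stand-ins for the two regex_alert_type reference lists named in
# the expression on this page (integration-specific, then global). Each entry
# is (regex, canonical alertType). Contents are invented for illustration.
REFERENCE_REGEX_ALERT_TYPE = [
    (r"^Login from .*: Denied: Firewall Rule", "Firewall rule login denied"),
]
GLOBAL_REGEX_ALERT_TYPE = [
    (r"^FW Flood Ping Protection", "ICMP flood protection triggered"),
]


def search_regex_list(message, lists):
    """First canonical alertType whose regex matches, or None.

    Assumed semantics of searchRegexList(): lists are searched in order and
    the first matching entry wins.
    """
    for ref in lists:
        for pattern, canonical in ref:
            if re.search(pattern, message):
                return canonical
    return None


def alert_type(message):
    """The ternary from the page: canonical type if matched, else the message."""
    found = search_regex_list(
        message, [REFERENCE_REGEX_ALERT_TYPE, GLOBAL_REGEX_ALERT_TYPE])
    return found if found is not None else message


# The two threat mappings shown in the samples on this page, keyed by alertType.
THREAT_MAP = {
    "Number of child processes automatically set to N based on number of CPU cores and size of RAM":
        ("T1057", "Process Discovery"),
    "found no explicit phase1 aggressive configuration in IP_ADDRESS for client":
        ("T1573", "Encrypted Channel"),
}


def map_alert(raw_message):
    """Standardise, derive alertType, then look up the threat mapping."""
    msg = standardise(raw_message)
    atype = alert_type(msg)
    threat_id, threat_name = THREAT_MAP.get(atype, (None, None))
    return {"alertType": atype, "threatId": threat_id, "threatName": threat_name}


if __name__ == "__main__":
    # Constructed inputs; 198.51.100.7 and 203.0.113.10 are documentation addresses.
    for line in [
        "Number of child processes automatically set to 8 based on number of CPU cores and size of RAM",
        "found no explicit phase1 aggressive configuration in 198.51.100.7 for client",
        "Login from 203.0.113.10: Denied: Firewall Rule BLOCKALL",
    ]:
        print(map_alert(line))
```

The fallback branch matters operationally: any message that no regex recognises becomes its own alertType verbatim, so a message that still contains a variable token (a port, a session id) will never hit a keyed mapping. That is what the standardisation step is for, and it is the first thing to check when an expected threat mapping does not fire.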