Forum Discussion

oedo808_68685's avatar
oedo808_68685
Icon for Altostratus rankAltostratus
Mar 15, 2016
Solved

How can I alert on an ASM Denial of Service event?

I would like to set an alert when a DoS profile is triggered and I'm asleep or otherwise not logged into the console. We already have alerting similar to this configured in other tools like our SIEM...
ASM Advanced WAF
dos
iRules
security
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Mar 15, 2016

    Hello,

     

    Your irule is correct.

     

    But, please note that there is some limitations :

     

    The event is invoked on each HTTP request that is involved in a DoS attack--that is, a request that comes from a suspicious client IP address or destined to a suspicious URL with the exception of the following: When the attack prevention mode is CS challenge (client IP address or requested URL) the event is not triggered for any request. When in rate limit mode (client IP address or requested URL) the event is invoked only for attack requests that are not dropped.

     

    And of course, the logs should be visible on the ltm log file. also, you can add the following command [virtual name ] in your logs within irules to identify which VS trigger the event.

     

    You should also verify that the DoS profile is applied on the VS by checking the Security Tab in the VS configuration.

     

Yann_Desmarest's avatar
Yann_Desmarest
Icon for Cirrus rankCirrus
Mar 15, 2016

Hello,

 

Your irule is correct.

 

But, please note that there is some limitations :

 

The event is invoked on each HTTP request that is involved in a DoS attack--that is, a request that comes from a suspicious client IP address or destined to a suspicious URL with the exception of the following: When the attack prevention mode is CS challenge (client IP address or requested URL) the event is not triggered for any request. When in rate limit mode (client IP address or requested URL) the event is invoked only for attack requests that are not dropped.

 

And of course, the logs should be visible on the ltm log file. also, you can add the following command [virtual name ] in your logs within irules to identify which VS trigger the event.

 

You should also verify that the DoS profile is applied on the VS by checking the Security Tab in the VS configuration.

 

  • oedo808_68685's avatar
    oedo808_68685
    Icon for Altostratus rankAltostratus
    Mar 16, 2016
    Okay thank you. This event then does not do exactly what I'm looking for. Is there any way to send an event to SYSLOG, or anything else external, when a DoS is occurring, when mitigation is performed, and when the attack is over?
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Mar 16, 2016
    You can define a specific logging profile on ASM. You define the remote logging servers and the pattern of the log. I use it to send custom alerts to splunk, Arcsight, graylog, Big-IQ, etc.
  • oedo808_68685's avatar
    oedo808_68685
    Icon for Altostratus rankAltostratus
    Mar 16, 2016
    That's exactly what I want, but when I check DoS Protection under the Security>Event Logs>Logging Profiles, choose DoS protection, and choose my QRadar Publisher, pointed to my QRadar SYSLOG pool, I get the following message: 0107161f:3: Log publisher '/Common/QRadar-Publisher' used by Application DoS Security log profile can have only ArcSight or Splunk destinations.
  • oedo808_68685's avatar
    oedo808_68685
    Icon for Altostratus rankAltostratus
    Mar 16, 2016
    If I only have Application Security set up with an external logging profile will I get DoS triggered event logs? I have not tested whether I receive events related to DoS anything with ONLY Application Security logging configured, mostly because DoS Protection has it's own logging options.
  • John_Marston_29's avatar
    John_Marston_29
    Icon for Nimbostratus rankNimbostratus
    Apr 06, 2017

    Was there a determination on how to easily configure alerting to a SIEM or Syslog server when a DOS profile is triggered? Regardless if blocking/transparent is chosen?