Forum Discussion

oedo808_68685
Mar 15, 2016
Solved

How can I alert on an ASM Denial of Service event?

I would like to set an alert when a DoS profile is triggered and I'm asleep or otherwise not logged into the console. We already have alerting similar to this configured in other tools like our SIEM so I was hoping I could just send a SYSLOG alert when the profile is triggered and mitigations are applied. Our SIEM is IBM QRadar and not Splunk or ArcSight so we're unable to use DoS high speed logging, which would be overkill anyways as I'm only looking for something to indicate there is a problem and not forward detailed information about what triggered the event.

I've found the IN_DOSL7_ATTACK iRule event, but so far I've found two issues:

  1. I'm not sure how to capture what pool or DoS profile is firing. I need this to determine the criticality of the service.

  2. I cannot seem to get it to work, even when logging to local0:

Here is what I could not get to work. It was applied to the correct pool and I was able to create a DoS event that showed up in Security>Reporting>DoS.

when IN_DOSL7_ATTACK {
    log local0. "Attacker IP: $DOSL7_ATTACKER_IP, Mitigation: $DOSL7_MITIGATION"
}

I'm looking at /var/log/ltm which is where I saw my other iRule logging. Is this the right location?

  • Hello,

    Your iRule is correct.

    But, please note that there are some limitations:

    The event is invoked on each HTTP request that is involved in a DoS attack--that is, a request that comes from a suspicious client IP address or is destined to a suspicious URL, with the exception of the following: When the attack prevention mode is CS challenge (client IP address or requested URL), the event is not triggered for any request. When in rate limit mode (client IP address or requested URL), the event is invoked only for attack requests that are not dropped.

    And of course, the logs should be visible in the ltm log file. Also, you can add the command [virtual name] to your logs within iRules to identify which VS triggered the event.

    You should also verify that the DoS profile is applied on the VS by checking the Security tab in the VS configuration.


13 Replies

    • oedo808_68685
      Okay thank you. This event then does not do exactly what I'm looking for. Is there any way to send an event to SYSLOG, or anything else external, when a DoS is occurring, when mitigation is performed, and when the attack is over?
    • Yann_Desmarest_
      You can define a specific logging profile on ASM. You define the remote logging servers and the pattern of the log. I use it to send custom alerts to Splunk, ArcSight, Graylog, BIG-IQ, etc.
    • oedo808_68685
      That's exactly what I want, but when I check DoS Protection under Security>Event Logs>Logging Profiles, choose DoS Protection, and choose my QRadar publisher, pointed at my QRadar SYSLOG pool, I get the following message: 0107161f:3: Log publisher '/Common/QRadar-Publisher' used by Application DoS Security log profile can have only ArcSight or Splunk destinations.
  • pulse

    Just choose Splunk as the type in the Log Destination configuration. That just specifies a format where the logs are in key/value pairs. You can then parse whatever relevant information you want in QRadar via a log source extension or the DSM Editor, since the DoS ASM logs aren't a known format.
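As an added example (not code from the thread or from F5), here is how the key/value lines pulse describes could be reduced to one alert per attack start, per change of mitigation, and per attack end, with a criticality derived from the virtual server, which is what the original question asks for. The sample lines, their field names (dos_attack_event, dos_attack_id, vs_name, dos_mitigation_action) and the VS-to-criticality map are constructed assumptions, not verified BIG-IP output.

```python
import re
from typing import Dict, Iterable, List, Tuple

# One key="value" pair; values may contain commas and \" escapes, so a plain
# split on "," would break them.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Assumed mapping from virtual server to alert criticality (constructed).
VS_CRITICALITY = {"/Common/vs_payments": "high", "/Common/vs_intranet": "low"}

# Constructed sample lines in a Splunk-style key="value" layout; field names
# are assumptions and 203.0.113.x is documentation address space.
SAMPLE_LOG = """\
dos_attack_event="Attack started",dos_attack_id="1001",vs_name="/Common/vs_payments",dos_mitigation_action="None",ip_client="203.0.113.7"
dos_attack_event="Attack started",dos_attack_id="1001",vs_name="/Common/vs_payments",dos_mitigation_action="Rate limit",ip_client="203.0.113.7"
dos_attack_event="Attack ended",dos_attack_id="1001",vs_name="/Common/vs_payments",dos_mitigation_action="None",ip_client="203.0.113.7"
dos_attack_event="Attack started",dos_attack_id="1002",vs_name="/Common/vs_intranet",dos_mitigation_action="CS challenge",dos_attack_name="Oops, \\"quoted\\" name"
"""


def parse_kv(line: str) -> Dict[str, str]:
    """Split one key/value line into a dict, unescaping \\" inside values."""
    return {k: v.replace('\\"', '"') for k, v in PAIR_RE.findall(line)}


def dos_alerts(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Reduce the per-event stream to (attack_id, vs_name, criticality, message).

    Only transitions are reported (start, mitigation change, end), so the SIEM
    receives a handful of alerts per attack rather than a line per request.
    """
    active: Dict[str, str] = {}  # attack_id -> last mitigation action seen
    alerts: List[Tuple[str, str, str, str]] = []
    for raw in lines:
        rec = parse_kv(raw)
        if "dos_attack_id" not in rec:
            continue  # not a DoS record; ignore
        aid, vs = rec["dos_attack_id"], rec.get("vs_name", "unknown")
        crit = VS_CRITICALITY.get(vs, "medium")  # unknown service: middle ground
        event = rec.get("dos_attack_event", "")
        action = rec.get("dos_mitigation_action", "None")
        if event == "Attack ended":
            active.pop(aid, None)
            alerts.append((aid, vs, crit, "attack ended"))
        elif aid not in active:
            active[aid] = action
            alerts.append((aid, vs, crit, f"attack started, mitigation={action}"))
        elif active[aid] != action:
            active[aid] = action
            alerts.append((aid, vs, crit, f"mitigation changed to {action}"))
    return alerts
```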