Forum Discussion

ar0
Jan 08, 2020

bot defense -> IBM Qradar issue

Hey all,

I have a problem with data sent from BIG-IP Bot Defense module to IBM Qradar.

I checked it with tcpdump and it seems that some unnecessary characters are glued at the beginning of the payload, disrupting the Qradar parser. I tried switching from TCP to UDP to no avail. The additional payload is seemingly random.

Did anyone encounter a similar problem?

 tcpdump -i EXT-ASA-VLAN -c 2 host 10.111.111.100 and dst port 514 -vvvv -nn -ASs 1514
tcpdump: listening on EXT-ASA-VLAN, link-type EN10MB (Ethernet), capture size 1514 bytes
12:49:54.926122 IP (tos 0x0, ttl 255, id 20545, offset 0, flags [none], proto TCP (6), length 2785)
   10.234.111.165.60939 > 10.111.111.100.514: Flags [P.], seq 3888336727:3888339472, ack 4155562241, win 4380, length 2745
E.
.PA....ls          <---------------this is weird stuff glued to payload
  .o.
....OW....P.......
  
  <rest of payload goes here>
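For comparison with the capture above: `tcpdump -A` prints each packet minus its link-layer header, i.e. from the IPv4 header onward, with every non-graphic byte shown as `.`, so the first 40 bytes of each segment are the IP and TCP headers rather than the syslog message. The script below is an added example (not from the thread or from F5); it rebuilds both headers from the fields in the tcpdump summary line and renders them the way tcpdump does. The TCP checksum is a placeholder because the payload is not on the page, and CR handling is simplified.

```python
"""Render IPv4/TCP headers the way `tcpdump -A` prints them.

Constructed example: the field values come from the tcpdump summary
line in the post above; the TCP checksum is a placeholder.
"""
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, total_len, ident, ttl=255, proto=6, tos=0):
    """Build a 20-byte IPv4 header (version 4, IHL 5) with its checksum."""
    fields = [0x45, tos, total_len, ident, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def tcp_header(sport, dport, seq, ack, flags, window, checksum=0):
    """20-byte TCP header; the checksum is a placeholder (needs payload)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, window, checksum, 0)


def render_ascii(data: bytes) -> str:
    """Mimic tcpdump's ascii_print(): graphic/space/tab/LF pass, rest '.'."""
    return "".join(chr(b) if b in (0x09, 0x0A, 0x20) or 0x21 <= b <= 0x7E
                   else "." for b in data)


# Field values copied from the tcpdump summary line in the post above.
IP_HDR = ipv4_header("10.234.111.165", "10.111.111.100",
                     total_len=2785, ident=20545)
TCP_HDR = tcp_header(60939, 514, seq=3888336727, ack=4155562241,
                     flags=0x18, window=4380)  # 0x18 = PSH|ACK, "[P.]"

if __name__ == "__main__":
    print(render_ascii(IP_HDR + TCP_HDR))
```

The IPv4 header alone renders as `E.`, newline, `.PA....ls`, newline, `.o.`, newline, `ood`: the `E` is version/IHL 0x45, `PA` is the IP id 20545 (0x5041), `ls` is the computed IP checksum 0x6C73, and the embedded newlines are the 0x0A bytes of the length field and the two 10.x.x.x addresses. In the TCP header the low bytes of seq 3888336727 (0x4F57) render as `OW` and the data-offset byte 0x50 as `P`, which matches the prefix in the capture.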
  

  • ar0
    That's how it was made:

    sys log-config publisher pub-qrad-dos {
      app-service none
      description none
      destinations {
        dest-qrad-dos2 { }
      }
    }

    sys log-config destination splunk dest-qrad-dos2 {
      app-service none
      description none
      forward-to dest-qrad-dos
    }

    sys log-config destination remote-high-speed-log dest-qrad-dos {
      app-service none
      description none
      distribution replicated
      pool-name pool-log-qrad-dos
      protocol udp
    }

    ltm pool pool-log-qrad-dos {
      members {
        qradar:514 {
          address 10.111.111.100
          session monitor-enabled
          state up
        }
      }
      monitor tcp
    }

    (logging profile)

    ext-to-qradar
    [api-status-warning] security/log/profile, properties : deprecated : application/local-storage

    security log profile ext-to-qradar {
      application {
        ext-to-qradar {
          filter {
            request-type {
              values { illegal-including-staged-signatures }
            }
          }
          local-storage disabled
          logger-type remote
          maximum-entry-length 64k
          remote-storage splunk
          report-anomalies enabled
          servers {
            10.111.111.100:514 { }
          }
        }
      }
      bot-defense {
        ext-to-qradar {
          filter {
            log-alarm enabled
            log-block enabled
            log-browser-verification-action enabled
            log-captcha enabled
            log-device-id-collection-request enabled
            log-malicious-bot enabled
            log-rate-limit enabled
            log-suspicious-browser enabled
            log-tcp-reset enabled
            log-unknown enabled
            log-untrusted-bot enabled
          }
          local-publisher local-db-publisher
          remote-publisher pub-qrad-dos
        }
      }
      dos-application {
        ext-to-qradar {
          local-publisher local-db-publisher
          remote-publisher pub-qrad-dos
        }
      }
    }

  • The Log Destination is of type "splunk", so I wonder whether the additional data may be Splunk specific, but I am not familiar with Splunk logging.

    Try capturing to a pcap and take a look in Wireshark - it may provide additional dissection information.

  • ar0

    I tried to change it to types other than splunk and it didn't work - I received a warning "Bot Defense logging can only be of Splunk type"... I'll do some more digging and also check on the QRadar side what can be done.