ar0
Jan 08, 2020 Nimbostratus
bot defense -> IBM Qradar issue
Hey all,
I have a problem with data sent from the BIG-IP Bot Defense module to IBM QRadar.
I checked it with tcpdump and it seems that some unnecessary characters are glued to the beginning of the payload, disrupting the QRadar parser. I tried switching from TCP to UDP to no avail. The additional payload is seemingly random.
Did anyone encounter a similar problem?
tcpdump -i EXT-ASA-VLAN -c 2 host 10.111.111.100 and dst port 514 -vvvv -nn -ASs 1514
tcpdump: listening on EXT-ASA-VLAN, link-type EN10MB (Ethernet), capture size 1514 bytes
12:49:54.926122 IP (tos 0x0, ttl 255, id 20545, offset 0, flags [none], proto TCP (6), length 2785)
10.234.111.165.60939 > 10.111.111.100.514: Flags [P.], seq 3888336727:3888339472, ack 4155562241, win 4380, length 2745
E.
.PA....ls <---------------this is weird stuff glued to payload
.o.
....OW....P.......
<rest of payload goes here>
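A check worth running before suspecting either end of the syslog link, added here as an example and not part of the original post: tcpdump -A prints each packet minus its link-layer header, so the IPv4 and TCP headers are rendered as ASCII directly in front of the TCP payload (an IPv4 header begins with the byte 0x45, which prints as "E"). The Python script below builds a packet from the values in the capture above (ports, IP id, TTL, window, sequence and acknowledgement numbers, addresses, and the 2745-byte TCP length); the syslog message body, its padding and the zero checksums are constructed placeholders. It then decodes the packet to separate the headers from the message that the collector actually receives.

```python
import struct

# Constructed sample syslog line (not from the capture); the <134> PRI field
# is what a syslog parser expects to see first.
SAMPLE_SYSLOG = (b'<134>Jan  8 12:49:54 bigip1 ASM:unit_hostname="bigip1",'
                 b'bot_defense="example"\n')


def build_ipv4_tcp_packet(payload, src="10.234.111.165", dst="10.111.111.100",
                          sport=60939, dport=514, seq=3888336727,
                          ack=4155562241, ip_id=20545, ttl=255, window=4380):
    """Assemble IPv4 header + TCP header (no options) + payload.
    Checksums are left at zero: this packet is for decoding practice only."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, ip_id, 0, ttl, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    # data offset 5 words (20 bytes), flags PSH|ACK = 0x18 ("P." in tcpdump)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          5 << 4, 0x18, window, 0, 0)
    return ip_hdr + tcp_hdr + payload


def sample_packet():
    """Packet padded to the 2745-byte TCP length seen in the capture, so the
    total length (2785 = 0x0AE1) renders the same way as in the post."""
    return build_ipv4_tcp_packet(SAMPLE_SYSLOG.ljust(2745, b" "))


def render_ascii(data):
    """Mimic tcpdump -A: printable ASCII as-is, newline kept, other bytes '.'."""
    out = []
    for b in data:
        if b == 0x0A:
            out.append("\n")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append(".")
    return "".join(out)


def split_ipv4_tcp(packet):
    """Return (ip_header_len, tcp_header_len, payload) for a raw IPv4/TCP packet."""
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("not TCP")
    data_off = (packet[ihl + 12] >> 4) * 4
    return ihl, data_off, packet[ihl + data_off:total_len]


def diagnose(packet):
    """Report what tcpdump -A shows ahead of the message and whether the TCP
    payload itself begins with a syslog PRI field such as <134>."""
    ihl, data_off, payload = split_ipv4_tcp(packet)
    return {
        "header_bytes": ihl + data_off,
        "header_ascii": render_ascii(packet[:ihl + data_off]),
        "payload_starts_with_pri": payload.startswith(b"<") and b">" in payload[:6],
        "payload_head": payload[:32].decode("ascii", "replace"),
    }


if __name__ == "__main__":
    report = diagnose(sample_packet())
    print("bytes of headers before payload:", report["header_bytes"])
    print("as tcpdump -A would print them:", repr(report["header_ascii"]))
    print("payload starts with <PRI>:", report["payload_starts_with_pri"])
    print("payload head:", report["payload_head"])
```

Run on a real capture, the same decode tells the two cases apart: if the TCP payload starts with a PRI field, the leading bytes on screen are the 40 bytes of headers and the message on the wire is intact; if the payload itself carries extra bytes, re-capture with tcpdump -X to inspect the raw hex and raise the issue with the sender.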