Forum Discussion

igor_'s avatar
igor_
Icon for Cirrus rankCirrus
Sep 04, 2024

F5 Malicious Source IP Address Alert

Hi all,

 

Recently we had F5 detect an ongoing malicious attack which we saw on the panel Security > Event Logs > Application > Requests.

 

 

Is there a way to configure F5 to send an alert email to our NOC team in real time whenever this happens?

 

BR,

 

  • The malicious IP means that this ip has done more than 10 violations.

     

    Malicious Source IP Addresses (f5.com)

     

    You can make and schedule ASM/AWAF default or custom report  and send it by email:

     

    Scheduling Reports (f5.com)

     

    BIG-IP AWAF Demo 19 - Use Security Policy Logging and Reporting w/ F5 BIG-IP Adv WAF (formerly ASM) (youtube.com)

     

    You can see also session tracking to block ip addresses that generate too many violations and then configure the report for this violation or look into your SIEM for the violation:

     

    Preventing Session Hijacking and Tracking User Sessions (f5.com)

     

    Configuring user session tracking (f5.com)

  • You can send this logs if you have any external lov server. For example if splunk act as a ext log server, it can can create alerts via ticketing tool(for eg: service now)

  • Ok, we have Graylog for that. But do you know what kind of alert is sent to the log server, since I can't see that now because it's rotated out.

     

    And do you know if F5 has any form of alerting for this type of thing? It is strange to me that a system that big can't send alert emails when something happens and no one is looking at the screen atm.

     

    Thanks,

    Igor

  • This is part of asm and if you create a better asm logging profile for remote logging, this will share to graylog. They can create alerts from greylog events.

    https://my.f5.com/manage/s/article/K000138970

    Logging - https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/12.html

    • igor_'s avatar
      igor_
      Icon for Cirrus rankCirrus

      Thanks, but why can't F5 BIG-IP send an email alert in real-time, without doing this on another system? Can this be done too?

      And not just setting reporting to every 6, 12, 24 hours.

       

      BR,

      Igor

      • You have to ask why F5 doesn’t want to do it. If you give the users option to send emails in real time then if you have 100 attacks a second you will get 100 emails and over utilize your F5 device as it has to generate emails and the F5 device is not made for mass sending of emails in real time. Most vendors don't even send emails in the form of reports, so for me this enough as a F5 capability. For real time emails this is what SIEM like splunk or ELK are for as to get the logs from many systems and generate alarms and emails or even nowadays XSOAR SIEM can use api to block the bad ip addresses detected by the F5 ASM/AWAF at the edge firewall or even stubbing Center level.