How can I alert on an ASM Denial of Service event?
I would like to set an alert when a DoS profile is triggered and I'm asleep or otherwise not logged into the console. We already have alerting similar to this configured in other tools like our SIEM so I was hoping I could just send a SYSLOG alert when the profile is triggered and mitigations are applied. Our SIEM is IBM QRadar and not Splunk or ArcSight so we're unable to use DoS high speed logging, which would be overkill anyways as I'm only looking for something to indicate there is a problem and not forward detailed information about what triggered the event.
I've found the IN_DOSL7_ATTACK iRule event but so far I've found two issues:
- I'm not sure how to capture what pool or DoS profile is firing. I need this to determine the criticality of the service.
- I cannot seem to get it to work, even when logging to local0:
Here is what I could not get to work. It was applied to the correct pool and I was able to create a DoS event that showed up in Security>Reporting>DoS.
# Fires for each HTTP request that ASM classifies as part of an L7 DoS attack
when IN_DOSL7_ATTACK {
    # DOSL7_ATTACKER_IP and DOSL7_MITIGATION are populated by the DoS engine
    log local0. "Attacker IP: $DOSL7_ATTACKER_IP, Mitigation: $DOSL7_MITIGATION"
}
I'm looking at /var/log/ltm which is where I saw my other iRule logging. Is this the right location?
Hello,
Your iRule is correct.
But please note that there are some limitations:
The event is invoked on each HTTP request that is involved in a DoS attack--that is, a request that comes from a suspicious client IP address or destined to a suspicious URL with the exception of the following: When the attack prevention mode is CS challenge (client IP address or requested URL) the event is not triggered for any request. When in rate limit mode (client IP address or requested URL) the event is invoked only for attack requests that are not dropped.
And of course, the logs should be visible in the ltm log file. Also, you can add the command [virtual name] to your log statements within iRules to identify which VS triggers the event.
You should also verify that the DoS profile is applied on the VS by checking the Security Tab in the VS configuration.
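Putting the answer's two points together (the event fires per attack request, and [virtual name] identifies the service), here is an added iRule example that is not part of the original question or answer. It logs one alert per virtual server and attacker per 60 seconds instead of one line per request, writes it to /var/log/ltm, and also ships it by HSL to a remote syslog pool so a SIEM such as QRadar can pick it up. The pool name qradar_syslog_pool, the 60-second suppression window and the use of HSL to reach the SIEM are assumptions for the example, not anything stated on the page.

```tcl
# Added example, not from the original post.
# Assumptions (not on the page): a pool named "qradar_syslog_pool" holding the
# SIEM's syslog collector exists, and a 60-second alert suppression window is
# acceptable since we only want to know that an attack is being mitigated.

when CLIENT_ACCEPTED {
    # Open the high-speed-logging handle once per client connection rather
    # than once per attack request.
    set hsl [HSL::open -proto UDP -pool qradar_syslog_pool]
}

when IN_DOSL7_ATTACK {
    # [virtual name] tells us which service is under attack; the DoS engine
    # sets DOSL7_ATTACKER_IP and DOSL7_MITIGATION for this request.
    set vs [virtual name]
    set key "dosl7:${vs}:${DOSL7_ATTACKER_IP}"

    # The event is invoked for every request that belongs to the attack, so
    # suppress repeats: alert only if no entry for this VS+attacker has been
    # recorded in the last 60 seconds (the table entry expires on its own).
    if { [table lookup $key] eq "" } {
        table set $key 1 60
        set msg "ASM DoS alert vs=${vs} attacker=${DOSL7_ATTACKER_IP} mitigation=${DOSL7_MITIGATION}"

        # Local copy for troubleshooting in /var/log/ltm
        log local0. $msg

        # Remote copy for the SIEM; <134> is the syslog PRI for local0.info
        HSL::send $hsl "<134>f5-asm: $msg"
    }
}
```

Keep in mind the limitation quoted above: in CS challenge mode the event never fires, and in rate-limit mode it fires only for attack requests that are not dropped, so if the profile is configured for client-side challenges this iRule will stay silent even while mitigation is active.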