Forum Discussion
PowerShellDon_1
Nimbostratus
NimbostratusASM - Proactive Bot Defense - No Logs?
Hi all
I have a Virtual Server with an Application Security and DoS Profile applied to it.
The DoS profile just contains Proactive Bot Defense, Always On. Other features of DoS profile are off.
...
Dan_Pacheco
Cirrus
CirrusStill running v12.1.2, can you confirm, that you are actually getting PBD logs natively in v13 without an irule? Does it actually work now or is it still a work in progress?
TAC informed me it is not yet available v13, but this thread says different who is right?
Yes, you get it natively logged without an iRule in v13.x. Feel free to test this and if you have any questions, let us know.
jba3126All, Does anyone have a working example of an BotDefense iRule that would log events to HSL?
Regards,
/jeff
I would think the page on the BOTDEFENSE_ACTION event would likely answer your questions.
Take a look.
- Dan_Pacheco
is this what you are looking for:
when HTTP_REQUEST { if { ( ( [IP::remote_addr] equals "204.101.196.7") || ( [IP::remote_addr] equals "24.101.196.10") || ( [IP::remote_addr] equals "14.150.21.243") || ( [IP::remote_addr] equals "14.150.21.242") ) } { } else { log local0. "source [IP::remote_addr] host [HTTP::host] uri [HTTP::uri]" } } when BOTDEFENSE_ACTION { if { [BOTDEFENSE::action] eq "tcp_rst" } { set log "BOTDEFENSE:" set hsl [HSL::open -proto TCP -pool /Common/nse_arcsight_pool] append log " source [IP::remote_addr]" append log " vs [virtual]" append log " host [HTTP::host]" append log " uri [HTTP::uri]" append log " cs_possible [BOTDEFENSE::cs_possible]" append log " cs_allowed [BOTDEFENSE::cs_allowed]" append log " cs_attribute(device_id) [BOTDEFENSE::cs_attribute device_id]" append log " cookie_status [BOTDEFENSE::cookie_status]" append log " cookie_age [BOTDEFENSE::cookie_age]" append log " device_id [BOTDEFENSE::device_id]" append log " captcha_status [BOTDEFENSE::captcha_status]" append log " captcha_age [BOTDEFENSE::captcha_age]" append log " default action [BOTDEFENSE::action]" append log " reason \"[BOTDEFENSE::reason]\"" Remove comment on line below if you want to see bot defense logs in /var/log/ltm log local0. $log HSL::send $hsl $log }}
- jba3126
Dan, First off thank you for the response and sample iRule! I'm uncertain about the first part as we have connections from multiple source addresses, but it looks like you are excluding logging connections from two sources and logging everything else? The second part looks like something we are looking for. Do you run with the log local, HSL/Remote or both?
Jeff,
The first part of the iRule can be event or conditions you want it to be. The second part of the irule is the BOTDEFENSE_ACTION is the part covered by the page on BOTDEFENSE_ACTION.
It might still be a good idea to review that page and get a better understanding and context.
- Dan_Pacheco
Hey Jeff, Your welcome. I typically run with the local logging commented out. Then when I need to troubleshoot, I remove the comments and see the logs on the CLI instead of accessing them from Arcsight.
- jba3126
Dan, Do you log all connecting IPs with exception of the excluded ones to your local log (when HTTP_REQUEST) or is that for troubleshooting as well?
/jeff
- Dan_Pacheco
Yes, I do. The exclude IPs are from Health Checking devices.
- jba3126
Dan, Thank you again for the response. I've applied this iRule to our Dev environment for testing and will share results. Last question :) Is the first part required where you capture the HTTP Request required for the BotDefense logging to work? They appear separate functions. Again thank you so much for taking the time to respond!
/jeff
