PowerShellDon_1
Jan 28, 2016

ASM - Proactive Bot Defense - No Logs?

Hi all, I have a Virtual Server with an Application Security and DoS Profile applied to it. The DoS profile just contains Proactive Bot Defense, Always On. Other features of the DoS profile are off.

I can see it working when turned on, by cURL'ing the site and seeing the JS response.

However, these events aren't showing up in any logs. Is that expected? It would be nice to be able to see blocked/denied requests to the site to ensure I haven't broken journeys for our customers.

Any help would be much appreciated.

 

  • I have the following iRule, and at least the browser detection is working; however, I'm uncertain as to how to test the tcp_rst action.

    when BOTDEFENSE_ACTION {
        # Only log the decisions that keep a request from reaching the pool
        if { [BOTDEFENSE::action] eq "browser_challenge" || [BOTDEFENSE::action] eq "tcp_rst" } {
            set log "BOTDEFENSE:"
            # High-speed logging connection to the remote syslog pool
            set hsl [HSL::open -proto TCP -pool /Common/HSL-Syslog]
            append log " source [IP::remote_addr]"
            append log " vs [virtual]"
            append log " host [HTTP::host]"
            append log " uri [HTTP::uri]"
            append log " cs_possible [BOTDEFENSE::cs_possible]"
            append log " cs_allowed [BOTDEFENSE::cs_allowed]"
            append log " cs_attribute(device_id) [BOTDEFENSE::cs_attribute device_id]"
            append log " cookie_status [BOTDEFENSE::cookie_status]"
            append log " cookie_age [BOTDEFENSE::cookie_age]"
            append log " device_id [BOTDEFENSE::device_id]"
            append log " captcha_status [BOTDEFENSE::captcha_status]"
            append log " captcha_age [BOTDEFENSE::captcha_age]"
            append log " default action [BOTDEFENSE::action]"
            append log " reason \"[BOTDEFENSE::reason]\""
            # Remove the comment on the line below if you want to see bot defense logs in /var/log/ltm
            #log local0. $log
            HSL::send $hsl $log
        }
    }
    

    /jeff
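To see which customer paths the Proactive Bot Defense actions are actually hitting, the syslog lines the iRule above emits can be summarised offline. The following Python is an added example, not code from this thread or from F5; it assumes the field order of the iRule's append statements, and the sample lines (addresses, host, virtual server name and field values) are constructed.

```python
# Added example (not from the thread): summarise the lines the logging iRule above sends
# to syslog. Assumes that iRule's field order; the sample lines below are constructed.
import re
from collections import Counter, defaultdict

# Field order mirrors the iRule's 'append log' calls; \S* (not \S+) lets an empty value parse.
LINE_RE = re.compile(
    r'BOTDEFENSE: source (?P<source>\S*) vs (?P<vs>\S*) host (?P<host>\S*) uri (?P<uri>\S*) '
    r'cs_possible (?P<cs_possible>\S*) cs_allowed (?P<cs_allowed>\S*) '
    r'cs_attribute\(device_id\) (?P<cs_device_id>\S*) cookie_status (?P<cookie_status>\S*) '
    r'cookie_age (?P<cookie_age>\S*) device_id (?P<device_id>\S*) '
    r'captcha_status (?P<captcha_status>\S*) captcha_age (?P<captcha_age>\S*) '
    r'default action (?P<action>\S*) reason "(?P<reason>[^"]*)"'
)

def parse_line(line):
    """Fields of one line as a dict, or None if it is not in the iRule's format; a syslog prefix is ignored."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count actions per (host, uri); unparseable lines are counted too, so format drift stays visible."""
    per_path, unparsed = defaultdict(Counter), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        else:
            per_path[(rec['host'], rec['uri'])][rec['action']] += 1
    return {'per_path': dict(per_path), 'unparsed': unparsed}

def blocked_paths(lines, block_actions=('tcp_rst', 'browser_challenge')):
    """(host, uri, hits) for challenged/reset paths, most hit first: the list to check customer journeys against."""
    rows = [(h, u, sum(acts[a] for a in block_actions))
            for (h, u), acts in summarize(lines)['per_path'].items()]
    return sorted((r for r in rows if r[2]), key=lambda r: (-r[2], r[0], r[1]))

# Constructed sample lines; addresses, names and field values are illustrative only.
SAMPLE_LINES = [
    'BOTDEFENSE: source 203.0.113.7 vs /Common/vs_www host www.example.com uri /checkout cs_possible 1 cs_allowed 1 cs_attribute(device_id)  '
    'cookie_status missing cookie_age 0 device_id  captcha_status none captcha_age 0 default action browser_challenge reason "no valid cookie"',
    'BOTDEFENSE: source 198.51.100.23 vs /Common/vs_www host www.example.com uri /api/search cs_possible 0 cs_allowed 0 cs_attribute(device_id) 0 '
    'cookie_status invalid cookie_age 0 device_id 0 captcha_status none captcha_age 0 default action tcp_rst reason "challenge failed"',
    'BOTDEFENSE: source 198.51.100.24 vs /Common/vs_www host www.example.com uri /api/search cs_possible 0 cs_allowed 0 cs_attribute(device_id) 0 '
    'cookie_status invalid cookie_age 0 device_id 0 captcha_status none captcha_age 0 default action tcp_rst reason "challenge failed"',
    '<134>Jan 28 10:00:00 bigip1 tmm[1234]: BOTDEFENSE: source 192.0.2.44 vs /Common/vs_www host www.example.com uri / cs_possible 1 cs_allowed 1 '
    'cs_attribute(device_id) 7 cookie_status valid cookie_age 30 device_id 7 captcha_status none captcha_age 0 default action allow reason ""',
    'tmm[1234]: unrelated line',
]
```

Calling blocked_paths(SAMPLE_LINES) returns the /api/search path (two resets) ahead of /checkout (one challenge); the allowed request to / is counted by summarize but not listed.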

  • Still running v12.1.2; can you confirm that you are actually getting PBD logs natively in v13 without an iRule? Does it actually work now, or is it still a work in progress?

    TAC informed me it is not yet available in v13, but this thread says differently. Who is right?

    • jba3126

      Okay, so at first I was not seeing any events being logged. The reason was that the script I was using was triggering the browser_challenge action and it was never making it past that part. When I changed the BOTDEFENSE::action to browser_challenge I saw the events in the LTM log. I have a few more questions. First, is tcp_rst the most optimal action to log against? The second is, instead of writing to LTM, is there a way to log to ASM? The last question would be, is there a way to stack the BOTDEFENSE::action response, say tcp_rst and browser_challenge? Thank you again for the responses and guidance. You have provided more than I've been able to accomplish on my own and I'm grateful.

      BOTDEFENSE::action returns the action to be taken by Bot Defense: how the received HTTP request is handled. The returned value is one of the following strings:

      1. undetermined - the action has not yet been determined; this should only be returned upon an error
      2. allow - the HTTP request is allowed to go up the chain
      3. browser_challenge - a browser challenge (HTML + JavaScript) is to be responded to the client
      4. captcha_challenge - a CAPTCHA challenge is to be responded to the client
      5. redirect_challenge - a redirection challenge (307 redirect) is to be responded to the client
      6. tcp_rst - the TCP connection is to be closed using TCP RST
      7. redirect_to_referring_domain - a 307 redirect response is to be sent to the client, redirecting it to the referring domain
      8. internal_bigip_response - a response is to be sent to the client, without forwarding the HTTP request up the chain; the response is an internal part of the Bot Defense mechanism
      9. redirect_with_cookie - a 307 redirect response is to be sent to the client, and this response is an internal part of the Bot Defense mechanism
      10. custom_response - a custom response is to be sent to the client
      11. custom_redirect - a custom redirect response is to be sent to the client

      /jeff

       

    • Dan_Pacheco

      Hi Jeff, the first part is not required. You can start it off with: when BOTDEFENSE_ACTION {

       

    • jba3126

      Dan, thank you again for the response. I've applied this iRule to our Dev environment for testing and will share results. Last question :) Is the first part, where you capture the HTTP Request, required for the BotDefense logging to work? They appear to be separate functions. Again, thank you so much for taking the time to respond!

       

      /jeff

       

  • You need to assign a Logging Profile to the virtual server, and make sure you have enabled DoS Logging. Then you should see activity in Event Logs: DoS: Application Events.

     

  • A second, related question: can I customise the response somehow, rather than just 'Please enable JavaScript to view the page content'?

     

    • Brandon_12607

      I am using v13.0. Is there a folder I can find in WinSCP to download the botdefense logs from?

       

  • nathe

    PowerShellDon,

    On the Virtual Server, do you have a Log Profile assigned to it? If not, try with 'log all requests'. I believe it is a requirement to capture these logs.

    Rgds

    N