Forum Discussion
ASM, Reporting on brute force attacks not working
Hi all,
I've implemented brute force protection for HTML form based and a JSON form based login pages using ASM 13.0 HF2. This is working fine in both cases - requests are blocked when the thresholds for failed logins are exceeded and I get the correct violation in the request logs (Security>>Event Logs:Application:Requests), namely "Brute Force: Maximum login attempts are exceeded" and attack type: "Brute force Attack".
However I don't get a single entry in neither the event log for Brute Force (Security>>Event Logs:Application:Brute Force Attacks) nor the Brute Force report (Security>>Reporting:Application:Brute Force Attacks).
What am I missing?
Thank you very much and kind regards,
gha
- samstepCirrocumulus
Are you getting anything in Event Logs/Requests? Maybe you forgot to assign a Logging Profile to this virtual server?
- samstepCirrocumulus
If you are using ASM v13.0 then it is likely to be a bug - please raise a support case with F5
- ghaNimbostratus
Hi all,
I did some extensive testing and I think there was some misconception on my part.
There are two types of Brute Force detection within ASM. One would be the session based detection where just the failed logon attempts from a single IP/session are counted within a certain time frame. This the one I provoked in my earlier tests and such attempts are logged with violations mentioned above in the request log. But those session-based violations do not appear in the Brute Force logs or reports.
Then there is the dynamic Brute Force detection that's focuses not on a single client or session but monitors the logon events for the destination / login page. So after some tampering with the detection parameters I was able to provoke such dynamic Brute Force attempts as well. And for those it seems to be the other way around. Those detected dynamic events show up in the Brute Force logs and reports, complete with a start and end time of the attack. But they are not logged in the request log and don't have a violation assigned.
So it seems like you would have to run two different reports for a complete Brute Force overview
1) for session-based one could use the application traffic overview under
Security>>Overview:Application:Traffic
and filter for Brute Force violation or attack. This will not contain any of the dynamice stuff, just the attempts that triggered a violation.
2) for dynamic Brute Force attempts use
Security>>Event Logs:Application:Brute Force Attacks or
Security>>Reporting:Application:Brute Force Attacks
I'm still not a hundred percent sure whether this is the expected behavior because the manual says
"... Before you can look at the brute force attack statistics, you need to have configured session-based or dynamic brute force protection. ..."
And it obviously doesn't do anything for session-based detection.
It would still be nice to get a definitive answer on this. But that's how it looks for me at the moment.
Kind Regards,
gha
- BobowCirrus
Please update you BIGIP OS to Ver 15.x, you will see report on event logs.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com