bot defense -> IBM Qradar issue
Hey all,
I have a problem with data sent from BIG-IP Bot Defense module to IBM Qradar.
I checked it with tcpdump and it seems that some unnecessary characters are glued at the beginning of the payload, disrupting the QRadar parser. I tried switching from TCP to UDP to no avail. The additional payload is seemingly random.
Did anyone encounter a similar problem?
tcpdump -i EXT-ASA-VLAN -c 2 host 10.111.111.100 and dst port 514 -vvvv -nn -ASs 1514
tcpdump: listening on EXT-ASA-VLAN, link-type EN10MB (Ethernet), capture size 1514 bytes
12:49:54.926122 IP (tos 0x0, ttl 255, id 20545, offset 0, flags [none], proto TCP (6), length 2785)
10.234.111.165.60939 > 10.111.111.100.514: Flags [P.], seq 3888336727:3888339472, ack 4155562241, win 4380, length 2745
E.
.PA....ls <---------------this is weird stuff glued to payload
.o.
....OW....P.......
<rest of payload goes here>
- Simon_Blakely (Employee)
What is the log profile and log destination configuration?
- ar0 (Nimbostratus)
That's how it was made:

sys log-config publisher pub-qrad-dos {
    app-service none
    description none
    destinations {
        dest-qrad-dos2 { }
    }
}
sys log-config destination splunk dest-qrad-dos2 {
    app-service none
    description none
    forward-to dest-qrad-dos
}
sys log-config destination remote-high-speed-log dest-qrad-dos {
    app-service none
    description none
    distribution replicated
    pool-name pool-log-qrad-dos
    protocol udp
}
ltm pool pool-log-qrad-dos {
    members {
        qradar:514 {
            address 10.111.111.100
            session monitor-enabled
            state up
        }
    }
    monitor tcp
}

(logging profile) ext-to-qradar

[api-status-warning] security/log/profile, properties : deprecated : application/local-storage
security log profile ext-to-qradar {
    application {
        ext-to-qradar {
            filter {
                request-type {
                    values { illegal-including-staged-signatures }
                }
            }
            local-storage disabled
            logger-type remote
            maximum-entry-length 64k
            remote-storage splunk
            report-anomalies enabled
            servers {
                10.111.111.100:514 { }
            }
        }
    }
    bot-defense {
        ext-to-qradar {
            filter {
                log-alarm enabled
                log-block enabled
                log-browser-verification-action enabled
                log-captcha enabled
                log-device-id-collection-request enabled
                log-malicious-bot enabled
                log-rate-limit enabled
                log-suspicious-browser enabled
                log-tcp-reset enabled
                log-unknown enabled
                log-untrusted-bot enabled
            }
            local-publisher local-db-publisher
            remote-publisher pub-qrad-dos
        }
    }
    dos-application {
        ext-to-qradar {
            local-publisher local-db-publisher
            remote-publisher pub-qrad-dos
        }
    }
}
- Simon_Blakely (Employee)
The Log Destination is of type "splunk", so I wonder whether the additional data may be Splunk specific, but I am not familiar with Splunk logging.
Try capturing to a pcap, and take a look in Wireshark - it may provide additional dissection information.
- ar0 (Nimbostratus)
I tried to change it to other types than splunk and it didn't work - I received a warning "Bot Defense logging can only be of Splunk type"... I'll do some more digging and also check on the QRadar side what can be done.