
Forum Discussion

ar0 (Nimbostratus)
Jan 08, 2020

Bot Defense -> IBM QRadar issue

Hey all,

I have a problem with data sent from the BIG-IP Bot Defense module to IBM QRadar.

I checked it with tcpdump and it seems that some unnecessary characters are glued to the beginning of the payload, disrupting the QRadar parser. I tried switching from TCP to UDP, to no avail. The additional payload is seemingly random.

Did anyone encounter a similar problem?

    tcpdump -i EXT-ASA-VLAN -c 2 host 10.111.111.100 and dst port 514 -vvvv -nn -ASs 1514
    tcpdump: listening on EXT-ASA-VLAN, link-type EN10MB (Ethernet), capture size 1514 bytes
    12:49:54.926122 IP (tos 0x0, ttl 255, id 20545, offset 0, flags [none], proto TCP (6), length 2785)
        10.234.111.165.60939 > 10.111.111.100.514: Flags [P.], seq 3888336727:3888339472, ack 4155562241, win 4380, length 2745
    E.
    .PA....ls          <--------------- this is weird stuff glued to payload
      .o.
    ....OW....P.......

      <rest of payload goes here>

4 Replies

  • ar0 (Nimbostratus)
    That's how it was made:

    sys log-config publisher pub-qrad-dos {
        app-service none
        description none
        destinations {
            dest-qrad-dos2 { }
        }
    }

    sys log-config destination splunk dest-qrad-dos2 {
        app-service none
        description none
        forward-to dest-qrad-dos
    }

    sys log-config destination remote-high-speed-log dest-qrad-dos {
        app-service none
        description none
        distribution replicated
        pool-name pool-log-qrad-dos
        protocol udp
    }

    ltm pool pool-log-qrad-dos {
        members {
            qradar:514 {
                address 10.111.111.100
                session monitor-enabled
                state up
            }
        }
        monitor tcp
    }

    (logging profile)

    ext-to-qradar
    [api-status-warning] security/log/profile, properties : deprecated : application/local-storage
    security log profile ext-to-qradar {
        application {
            ext-to-qradar {
                filter {
                    request-type {
                        values { illegal-including-staged-signatures }
                    }
                }
                local-storage disabled
                logger-type remote
                maximum-entry-length 64k
                remote-storage splunk
                report-anomalies enabled
                servers {
                    10.111.111.100:514 { }
                }
            }
        }
        bot-defense {
            ext-to-qradar {
                filter {
                    log-alarm enabled
                    log-block enabled
                    log-browser-verification-action enabled
                    log-captcha enabled
                    log-device-id-collection-request enabled
                    log-malicious-bot enabled
                    log-rate-limit enabled
                    log-suspicious-browser enabled
                    log-tcp-reset enabled
                    log-unknown enabled
                    log-untrusted-bot enabled
                }
                local-publisher local-db-publisher
                remote-publisher pub-qrad-dos
            }
        }
        dos-application {
            ext-to-qradar {
                local-publisher local-db-publisher
                remote-publisher pub-qrad-dos
            }
        }
    }
     
     
  • The Log Destination is of type "splunk", so I wonder whether the additional data may be Splunk-specific, but I am not familiar with Splunk logging.

    Try capturing to a pcap and taking a look in Wireshark; it may provide additional dissection information.

  • ar0 (Nimbostratus)

    I tried to change it to types other than splunk and it didn't work - I received a warning "Bot Defense logging can only be of Splunk type"... I'll do some more digging and also check on the QRadar side what can be done.