Forum Discussion
How can I alert on an ASM Denial of Service event?
- Mar 15, 2016
Hello,
Your iRule is correct.
But please note that there are some limitations:
The event is invoked on each HTTP request that is involved in a DoS attack, that is, a request that comes from a suspicious client IP address or is destined to a suspicious URL, with the exception of the following: when the attack prevention mode is CS challenge (client IP address or requested URL), the event is not triggered for any request. When in rate limit mode (client IP address or requested URL), the event is invoked only for attack requests that are not dropped.
And of course, the logs should be visible in the ltm log file. Also, you can add the command [virtual name] to your log statements within iRules to identify which VS triggers the event.
You should also verify that the DoS profile is applied on the VS by checking the Security Tab in the VS configuration.
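An added iRule example, not from the original poster, the answer above or F5, showing the per-request logging the answer describes, with a High-Speed Logging handle to a remote syslog pool so the message leaves the box instead of only landing in the local ltm log. It assumes the event under discussion is DOSL7_REQUEST, that a pool named syslog_pool already exists, and that the HTTP commands are usable inside that event; all three are assumptions, not facts from the thread.

```tcl
# Added example (not from the thread). Assumptions: the DoS event is
# DOSL7_REQUEST, a pool "syslog_pool" exists, and HTTP::host / HTTP::uri
# are available in that event.
when CLIENT_ACCEPTED {
    # Open the HSL handle once per connection and reuse it for every event;
    # HSL::open is cheap but should not be called per request.
    set hsl [HSL::open -proto UDP -pool syslog_pool]
}

when DOSL7_REQUEST {
    # Only requests the DoS profile treats as part of an attack reach this
    # event, and not at all under CS challenge, nor for requests that rate
    # limiting has already dropped (see the limitations above).
    # <134> is the syslog PRI for facility local0, severity informational.
    set msg [format "<134>asm-dos vs=%s client=%s host=%s uri=%s" \
        [virtual name] [IP::client_addr] [HTTP::host] [HTTP::uri]]

    # Send to the remote collector and keep a local copy in /var/log/ltm.
    HSL::send $hsl $msg
    log local0. $msg
}
```

This only surfaces the per-request signal the event provides: one message for each attack request that was not dropped or challenged. It does not emit separate attack-start, mitigation or attack-end events, which is the gap the thread goes on to discuss.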
- oedo808_68685 - Mar 16, 2016 - Altostratus
Okay, thank you. This event then does not do exactly what I'm looking for. Is there any way to send an event to SYSLOG, or anything else external, when a DoS is occurring, when mitigation is performed, and when the attack is over?
- Yann_Desmarest - Mar 16, 2016 - Cirrus
You can define a specific logging profile on ASM. You define the remote logging servers and the pattern of the log. I use it to send custom alerts to Splunk, ArcSight, Graylog, BIG-IQ, etc.
- oedo808_68685 - Mar 16, 2016 - Altostratus
That's exactly what I want, but when I check DoS Protection under Security > Event Logs > Logging Profiles, choose DoS Protection, and choose my QRadar Publisher, pointed to my QRadar SYSLOG pool, I get the following message: 0107161f:3: Log publisher '/Common/QRadar-Publisher' used by Application DoS Security log profile can have only ArcSight or Splunk destinations.
- oedo808_68685 - Mar 16, 2016 - Altostratus
If I only have Application Security set up with an external logging profile, will I get DoS-triggered event logs? I have not tested whether I receive events related to DoS with ONLY Application Security logging configured, mostly because DoS Protection has its own logging options.
- John_Marston_29 - Apr 06, 2017 - Nimbostratus
Was there a determination on how to easily configure alerting to a SIEM or syslog server when a DoS profile is triggered, regardless of whether blocking or transparent mode is chosen?