Forum Discussion
How can I alert on an ASM Denial of Service event?
- Mar 15, 2016
Hello,
Your iRule is correct.
But please note that there are some limitations:
The event is invoked on each HTTP request that is involved in a DoS attack, that is, a request that comes from a suspicious client IP address or is destined to a suspicious URL, with the following exceptions: when the attack prevention mode is CS challenge (client IP address or requested URL), the event is not triggered for any request; when in rate limit mode (client IP address or requested URL), the event is invoked only for attack requests that are not dropped.
And of course, the logs should be visible in the LTM log file. Also, you can add the command [virtual name] to your log statements within iRules to identify which VS triggered the event.
You should also verify that the DoS profile is applied on the VS by checking the Security Tab in the VS configuration.
Just choose Splunk as the type in the Log Destination configuration. That just specifies a format where the logs are in key/value pairs. You can then parse whatever relevant information you want in QRadar via a log source extension or the DSM Editor, since the DoS ASM logs aren't a known format.
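As an added example, not code from this thread or from F5, here is the kind of parsing the reply describes done in Python: a parser for Splunk-style key="value" log lines (quoted values with escaped quotes and bare values), plus two helpers that turn the parsed records into something an alert rule can threshold on (attacks that have started but not ended, and attack starts per virtual server). The sample log lines are constructed, and the field names in them (virtual_server, dos_attack_event, dos_attack_id, source_ip, uri, mitigation, dropped_requests) are assumptions for illustration, not F5's documented field names; map them to whatever keys your BIG-IP actually emits.

```python
import re
from collections import Counter

# Constructed sample records in a Splunk-style key="value" layout.
# Field names here are ASSUMED for illustration; a real BIG-IP may use
# different keys, so adjust the lookups below to match your log source.
SAMPLE_LOGS = [
    'date_time="Mar 15 2016 10:01:02" unit_hostname="bigip1.example.test" '
    'virtual_server="/Common/vs_www" dos_attack_event="Attack started" '
    'dos_attack_id="1001" source_ip="203.0.113.7" uri="/login" mitigation="Rate limit"',
    'date_time="Mar 15 2016 10:01:03" unit_hostname="bigip1.example.test" '
    'virtual_server="/Common/vs_www" dos_attack_event="Attack ongoing" '
    'dos_attack_id="1001" source_ip="203.0.113.7" uri="/login" mitigation="Rate limit" '
    'dropped_requests=120',
    # quoted value containing escaped quotes, as a URL with a quoted query string would
    'date_time="Mar 15 2016 10:01:04" unit_hostname="bigip1.example.test" '
    'virtual_server="/Common/vs_api" dos_attack_event="Attack started" '
    'dos_attack_id="1002" source_ip="198.51.100.9" uri="/api/search?q=\\"x\\"" '
    'mitigation="Client side challenge"',
    'date_time="Mar 15 2016 10:05:00" unit_hostname="bigip1.example.test" '
    'virtual_server="/Common/vs_www" dos_attack_event="Attack ended" '
    'dos_attack_id="1001" source_ip="203.0.113.7" uri="/login" mitigation="Rate limit"',
    # an ordinary ASM request record with no DoS fields; must be ignored
    'date_time="Mar 15 2016 10:05:01" unit_hostname="bigip1.example.test" '
    'virtual_server="/Common/vs_www" request_status="passed" uri="/index.html"',
]

# key=value where value is either "quoted" (backslash escapes allowed) or a bare token
KV_RE = re.compile(
    r'(?P<key>[A-Za-z_][\w.-]*)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^\s"]+))'
)


def parse_kv_line(line: str) -> dict:
    """Parse one Splunk-style key/value line into a dict of string fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        if m.group("quoted") is not None:
            # drop the backslash from escaped characters such as \" inside the value
            value = re.sub(r'\\(.)', r'\1', m.group("quoted"))
        else:
            value = m.group("bare")
        fields[m.group("key")] = value
    return fields


def active_dos_attacks(lines) -> dict:
    """Return {attack_id: latest record} for attacks that started but never ended."""
    active = {}
    for line in lines:
        rec = parse_kv_line(line)
        event = rec.get("dos_attack_event")
        attack_id = rec.get("dos_attack_id")
        if not event or not attack_id:
            continue  # not a DoS record (e.g. a normal ASM request log)
        if event == "Attack ended":
            active.pop(attack_id, None)
        else:
            active[attack_id] = rec
    return active


def attack_starts_by_virtual_server(lines) -> dict:
    """Count 'Attack started' records per virtual server; a natural alert threshold input."""
    counts = Counter()
    for line in lines:
        rec = parse_kv_line(line)
        if rec.get("dos_attack_event") == "Attack started":
            counts[rec.get("virtual_server", "<unknown>")] += 1
    return dict(counts)


if __name__ == "__main__":
    for attack_id, rec in active_dos_attacks(SAMPLE_LOGS).items():
        print(f"ACTIVE attack {attack_id} on {rec['virtual_server']} "
              f"from {rec.get('source_ip')} uri={rec.get('uri')} ({rec.get('mitigation')})")
    print("attack starts per VS:", attack_starts_by_virtual_server(SAMPLE_LOGS))
```

The parser is the part worth reusing: because the values are quoted and may themselves contain `=` or spaces (a request URI, for instance), a naive `split("=")` or `split(" ")` will mis-parse them, which is the same reason the QRadar side needs a log source extension rather than an out-of-the-box DSM. The two helper functions are just examples of the kind of state an alert rule would keep over the parsed records.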