
Forum Discussion

Nikoolayy1
Aug 02, 2022
Solved

Is there a way for the F5 AFM Protocol Inspection signature match to automatically do pcap capture?

Hello,

 

Is there a way for the F5 AFM Protocol Inspection signature match to automatically do tcpdump pcap capture and save it to a file? The idea is when a signature is triggered by the IPS to capture the bad packet if it is a false positive, so it can be reviewed.

2 Replies

  • Hello, as for now in the security logging profile there seems to be a tab called "log packet payload" for the Protocol Inspection logging that should do the job 🙂 The only issue is that the payload that triggered the violation is saved as hex, but a converter solves this issue.

  • As the payload may be large or there would be a large number of logs generated, it would be better to send the logs to a remote logging server.
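
The hex-to-readable conversion mentioned in the first reply, as an added example (not code from the thread or from F5): it decodes a logged hex payload into bytes and renders an offset/hex/ASCII dump for reviewing a suspected false positive. The sample payload is constructed, and the shape of the hex string (separators, optional 0x prefixes) is an assumption, since the thread does not show a log line.

```python
import re

# Constructed sample: an HTTP request hex-encoded the way a log field might
# carry it. The actual AFM log layout is not shown in the thread.
SAMPLE_HEX = ("47 45 54 20 2f 69 6e 64 65 78 2e 68 74 6d 6c 20 48 54 54 50 "
              "2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 65 78 61 6d 70 6c 65 2e "
              "63 6f 6d 0d 0a 0d 0a")


def decode_hex_payload(text):
    """Convert a logged hex string to bytes.

    Accepts optional 0x prefixes and space, colon, comma or dash separators.
    Raises ValueError on stray characters or an odd digit count, which
    usually means the log line was truncated.
    """
    cleaned = re.sub(r"0[xX]|[\s:,-]", "", text)
    if re.search(r"[^0-9a-fA-F]", cleaned):
        raise ValueError("payload contains non-hex characters")
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits (truncated log line?)")
    return bytes.fromhex(cleaned)


def hexdump(data, width=16):
    """Render bytes as offset / hex / ASCII rows for manual review."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        # Non-printable bytes are shown as '.' so control characters in a
        # logged payload never reach the terminal.
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:06x}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(hexdump(decode_hex_payload(SAMPLE_HEX)))
```
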