Forum Discussion
Sergio_Magra
Nimbostratus
NimbostratusLogging a Layer 7 DoS attacker IP through an iRule
Hi, everybody,
We see that sometimes the reporting of application level DoS attacks (inside ASM) does not show the entire information (it does not show the Attacker IP address or the URL destination). It is the result of a known behavior (see the solutions SOL13004 and SOL13544).
Is there any way to take note of the attacker IP address by using an iRule?
Thanks and Best regards
Sergio
Nathan_Houck_65Here is an Irule that not only logs the client IP address, but also the HOST, URI, and VIP address
(FYI, Im using 10.2.1 code)
rule ASM_DOS_LOG_RULE {
when CLIENT_ACCEPTED
{
set vip "[IP::local_addr clientside]:[TCP::local_port clientside]"
}
when HTTP_REQUEST
{
set client_request [HTTP::uri]
set host_head [HTTP::host]
}
when ASM_REQUEST_VIOLATION
{
set x [ASM::violation_data]
if {([lindex $x 0] contains "VIOLATION_DOS_ATTACK") or ([lindex $x 5] contains "VIOLATION_DOS_ATTACK")}
{
log local0. "VIOLATION_DOS_ATTACK detected in ASM_REQUEST_VIOLATION, Web App=[lindex $x 2], VIP=$vip, HOST=$host_head, URI=$client_reques
t, Client IP=[lindex $x 4]"
}
}
when ASM_RESPONSE_VIOLATION
{
set x [ASM::violation_data]
if {([lindex $x 0] contains "VIOLATION_DOS_ATTACK") or ([lindex $x 5] contains "VIOLATION_DOS_ATTACK")}
{
log local0. "VIOLATION_DOS_ATTACK detected in ASM_REQUEST_VIOLATION, Web App=[lindex $x 2], VIP=$vip, HOST=$host_head, URI=$client_reques
t, Client IP=[lindex $x 4]"
}
}
when ASM_REQUEST_BLOCKING
{
set x [ASM::violation_data]
if {([lindex $x 0] contains "VIOLATION_DOS_ATTACK") or ([lindex $x 5] contains "VIOLATION_DOS_ATTACK")}
{
log local0. "VIOLATION_DOS_ATTACK detected in ASM_REQUEST_VIOLATION, Web App=[lindex $x 2], VIP=$vip, HOST=$host_head, URI=$client_reques
t, Client IP=[lindex $x 4]"
}
}
}