Forum Discussion
Sergio_Magra
May 02, 2012 | Nimbostratus
Logging a Layer 7 DoS attacker IP through an iRule
Hi, everybody,
We see that sometimes the reporting of application level DoS attacks (inside ASM) does not show the entire information (it does not show the Attacker IP address or the URL d...
Nathan_Houck_65
May 02, 2012 | Nimbostratus
Here is an iRule that not only logs the client IP address, but also the HOST, URI, and VIP address.
(FYI, I'm using 10.2.1 code)
rule ASM_DOS_LOG_RULE {
    when CLIENT_ACCEPTED {
        # Remember the virtual server (VIP) address and port for this connection
        set vip "[IP::local_addr clientside]:[TCP::local_port clientside]"
    }
    when HTTP_REQUEST {
        # Save the URI and Host header so the ASM events below can log them
        set client_request [HTTP::uri]
        set host_head [HTTP::host]
    }
    when ASM_REQUEST_VIOLATION {
        set x [ASM::violation_data]
        # Element 0 (or 5) carries the violation names, 2 the web application, 4 the client IP
        if {([lindex $x 0] contains "VIOLATION_DOS_ATTACK") or ([lindex $x 5] contains "VIOLATION_DOS_ATTACK")} {
            log local0. "VIOLATION_DOS_ATTACK detected in ASM_REQUEST_VIOLATION, Web App=[lindex $x 2], VIP=$vip, HOST=$host_head, URI=$client_request, Client IP=[lindex $x 4]"
        }
    }
    when ASM_RESPONSE_VIOLATION {
        set x [ASM::violation_data]
        if {([lindex $x 0] contains "VIOLATION_DOS_ATTACK") or ([lindex $x 5] contains "VIOLATION_DOS_ATTACK")} {
            # The message names the event that actually fired
            log local0. "VIOLATION_DOS_ATTACK detected in ASM_RESPONSE_VIOLATION, Web App=[lindex $x 2], VIP=$vip, HOST=$host_head, URI=$client_request, Client IP=[lindex $x 4]"
        }
    }
    when ASM_REQUEST_BLOCKING {
        set x [ASM::violation_data]
        if {([lindex $x 0] contains "VIOLATION_DOS_ATTACK") or ([lindex $x 5] contains "VIOLATION_DOS_ATTACK")} {
            # The message names the event that actually fired
            log local0. "VIOLATION_DOS_ATTACK detected in ASM_REQUEST_BLOCKING, Web App=[lindex $x 2], VIP=$vip, HOST=$host_head, URI=$client_request, Client IP=[lindex $x 4]"
        }
    }
}
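An added example, not part of the original post: a Python parser that reads the messages this iRule logs and counts DoS violations per client IP. The sample lines, their syslog prefix, and values such as `shop_app` and the addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Message format written by the iRule's `log local0.` statements. HOST and URI
# are client-supplied text, so URI is matched greedily: the last ", Client IP="
# on the line (the field the iRule itself appended) is the one that is used.
LINE_RE = re.compile(
    r"VIOLATION_DOS_ATTACK detected in (?P<event>ASM_\w+), "
    r"Web App=(?P<web_app>.*?), VIP=(?P<vip>[^,\s]+), HOST=(?P<host>.*?), "
    r"URI=(?P<uri>.*), Client IP=(?P<client_ip>[0-9A-Fa-f:.]+)\s*$"
)

def parse_line(line):
    """Return the iRule's fields as a dict, or None if the line is not one of its messages."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["client_ip"])  # reject anything that is not an address
    except ValueError:
        return None
    return rec

def top_sources(lines, n=10):
    """Count DoS violation messages per client IP, most frequent first."""
    counts = Counter(rec["client_ip"] for rec in map(parse_line, lines) if rec)
    return counts.most_common(n)

# Constructed sample input (syslog prefix, names and addresses are made up).
PREFIX = "May  2 10:15:01 local/tmm info tmm[4822]: Rule ASM_DOS_LOG_RULE <ASM_REQUEST_VIOLATION>: "
MESSAGE = ("VIOLATION_DOS_ATTACK detected in {ev}, Web App=shop_app, VIP=192.0.2.10:80, "
           "HOST=shop.example.com, URI={uri}, Client IP={ip}")
SAMPLE_LOG = [
    PREFIX + MESSAGE.format(ev="ASM_REQUEST_VIOLATION", uri="/login", ip="203.0.113.7"),
    PREFIX + MESSAGE.format(ev="ASM_REQUEST_VIOLATION", uri="/search?q=a,b", ip="203.0.113.7"),
    # URI text that imitates the trailing field must not change the counted address.
    PREFIX + MESSAGE.format(ev="ASM_REQUEST_VIOLATION",
                            uri="/x?y=1, Client IP=198.51.100.99", ip="203.0.113.7"),
    PREFIX + MESSAGE.format(ev="ASM_REQUEST_BLOCKING", uri="/login", ip="198.51.100.23"),
    "May  2 10:15:02 local/tmm info tmm[4822]: unrelated line",
]

if __name__ == "__main__":
    for ip, hits in top_sources(SAMPLE_LOG):
        print(f"{ip}\t{hits}")
```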