Forum Discussion
Sergio_Magra
Nimbostratus
NimbostratusLogging a Layer 7 DoS attacker IP through an iRule
Hi, everybody,
We see that sometimes the reporting of application level DoS attacks (inside ASM) does not show the entire information (it does not show the Attacker IP address or the URL d...
Nathan_Houck_65Nimbostratus
NimbostratusHere is an Irule that not only logs the client IP address, but also the HOST, URI, and VIP address
(FYI, Im using 10.2.1 code)
rule ASM_DOS_LOG_RULE {
when CLIENT_ACCEPTED
{
set vip "[IP::local_addr clientside]:[TCP::local_port clientside]"
}
when HTTP_REQUEST
{
set client_request [HTTP::uri]
set host_head [HTTP::host]
}
when ASM_REQUEST_VIOLATION
{
set x [ASM::violation_data]
if {([lindex $x 0] contains "VIOLATION_DOS_ATTACK") or ([lindex $x 5] contains "VIOLATION_DOS_ATTACK")}
{
log local0. "VIOLATION_DOS_ATTACK detected in ASM_REQUEST_VIOLATION, Web App=[lindex $x 2], VIP=$vip, HOST=$host_head, URI=$client_reques
t, Client IP=[lindex $x 4]"
}
}
when ASM_RESPONSE_VIOLATION
{
set x [ASM::violation_data]
if {([lindex $x 0] contains "VIOLATION_DOS_ATTACK") or ([lindex $x 5] contains "VIOLATION_DOS_ATTACK")}
{
log local0. "VIOLATION_DOS_ATTACK detected in ASM_REQUEST_VIOLATION, Web App=[lindex $x 2], VIP=$vip, HOST=$host_head, URI=$client_reques
t, Client IP=[lindex $x 4]"
}
}
when ASM_REQUEST_BLOCKING
{
set x [ASM::violation_data]
if {([lindex $x 0] contains "VIOLATION_DOS_ATTACK") or ([lindex $x 5] contains "VIOLATION_DOS_ATTACK")}
{
log local0. "VIOLATION_DOS_ATTACK detected in ASM_REQUEST_VIOLATION, Web App=[lindex $x 2], VIP=$vip, HOST=$host_head, URI=$client_reques
t, Client IP=[lindex $x 4]"
}
}
}
