Forum Discussion

Aantat's avatar
Icon for Cirrus rankCirrus
Jan 13, 2023

Send Attackers IP to another system via API

Hi experts!

I'm newbie here and I need your help. I have a task to send Attackers IP to another system via API. For example I've a ASM and there are some triggered violation. I want to send that Attackers IP from that event to another system via API. Any thoughts on that? Is it possible to do?

12 Replies

  • xuwen's avatar
    Icon for Cumulonimbus rankCumulonimbus

    send POST method should use the iRules sideband method. The difficulty is whether your server POST does not require username, password or Token authentication about F5?

    firstly, F5 whether can ping NGFW and telnet NGFW 80(assume NGFW api service port is 80)?

    secondly, if F5 can not telnet NGFW 80,  F5 need to add network route to NGFW, make sure F5 can telnet NGFW 80

    here is the code, NGFW(example NGFW ip is, api service port is 80) with no authentication for POST 


    when ASM_REQUEST_DONE priority 500 {
        set asm_ip [ASM::client_ip]
        set asm_json "\{\"Client_address\":$asm_ip\}"
        set content_length [string length $asm_json]
        set data "POST /sample/post/json HTTP/1.0\r\nHost:\r\nContent-type: application/json\r\nContent-Length: ${content_length}\r\n\r\n${asm_json}"
        if { [catch {connect -time 1000 -idle 30 -status conn_status} conn_id] == 0 && $conn_id ne "" } {
            log local0. "Connect returns: $conn_id and conn status: $conn_status"
            set send_bytes [send -timeout 1000 -status send_status $conn_id $data]
            log local0. "Sent $send_bytes with status $send_status"
            close $conn_id
        } else {
            log local0. "Connection could not be established to NGFW"



  • xuwen's avatar
    Icon for Cumulonimbus rankCumulonimbus

    Because you haven't given the complete format of the call api of curl - v and the http response header, the following code uses iRulesLX to send two https posts, which is equivalent to the effect of twice curl https formats:

    1. curl -sku 'admin:xt32112300' -X POST

    NGFW Cookie is in HTTP response header "Set-Cookie"

    so, the next https post is bring cookie in http request header "Cookie"

    2. curl -skv -X POST -H "Content-Type: application/json" -H "Cookie: XXXXX" -d '{"Client_address": "x.x.x.x"}'

    iRules code:


    when ASM_REQUEST_DONE priority 500 {
        set asmip [ASM::client_ip]
        set handle [ILX::init "ilxlab3_pl" "ilxlab3_ext"]
        if { [catch {ILX::call $handle jsonPost $asmip} result] } {
            # Error handling
            log local0.error  "Client - [IP::client_addr], ILX failure: $result"  
        } else {
            # Log NGFW second https response body
            log local0. "result is $result"


    iRulesLX code:


    'use strict' // Just for best practices
    // Import modules here
    var f5 = require('f5-nodejs');
    //var qs = require('querystring'); // Used for parsing the POST data querystring
    const https = require('https');
    // Create an ILX server instance
    var ilx = new f5.ILXServer();
    // This method will transform POST data into JSON
    ilx.addMethod('jsonPost', function (req, res) {
      var options = {
        //hostname: '',
        hostname: '',
        port: 443,
        path: '/auth/login',
        method: 'POST',
        auth: 'admin:xt32112300',
        rejectUnauthorized: false
      var postclientip = req.params()[0];
      let httpBody = '';
      const req_post = https.request(options, (res1) => {
        console.log('statusCode:', res1.statusCode);
        console.log('header', res1.headers['set-cookie'])
        if (Array.isArray(res1.headers['set-cookie'])) {
            var ngfw_cookie = res1.headers['set-cookie']
            var post_asm_ip = postclientip
            var post_data = JSON.stringify({
                'Client_address': post_asm_ip
            options.headers = {
                'Content-Type': 'application/json',
                'Content-Length': post_data.length,
                'Cookie': ngfw_cookie
            options.path = '/sample/post/json';
            var post_req = https.request(options, (res2) => {
                res2.on('data', (d) => {
                    httpBody += d;
                res2.on('end', ()=> {
                    console.log(`response data: ${httpBody}`); 
                    res.reply(['successful', httpBody]);
            post_req.on('error', (e) => {
                res.reply('failed bring cookie post')
      req_post.on('error', (e) => {
      // Turn postData object into JSON and return to TCL
    //Start the ILX server



  • HI Aantat, what kind of system is the other system, and did you want to manage those messages from a remote system (like pull on system C from system A, push from system C to system B) or just send messages directly from ASM to other systems? More details on what you're trying to accomplish would be helpful, but either way, there's likely a solution we can work out together. Let me know!

    • Aantat's avatar
      Icon for Cirrus rankCirrus

      Hi JRahm!

      So I have a NGFW and F5 WAF. My goal is every time when there is some Security Event triggered, send Attackers IP from that Event to my NGFW via API. Hope I make it clear.


      • From what you ask it seems that something like a SIEM like Spunk to get the F5 ASM logs is needed and then a SOAR like Splunk Phantom to use the logs to add the Ip addreess of the attacker on the firewall. That is my idea but you will need to dig deep to automate and to play arround.