For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Akshay_SK's avatar
Akshay_SK
Icon for Nimbostratus rankNimbostratus
Jan 27, 2020
Solved

Sending HSL data in json format.

Just wanted to know if data can be sent via HSL in json format as below : 

HSL::send $hsl "{ "Attacker_IP":$remoteip, "Destination_IP":[IP::local_addr], "User-Agent":$useragent, "ISP":$isp, "Country":$country, "Original_Domain":[HTTP::host], "Original_URI":[HTTP::uri], "Fully_decoded_URI":$decodedUri, "Timestamp":$timestamp, "XFF_Header":[HTTP::header X-Forwarded-For]}"

Is there some other way to achieve this?

BIG-IP
hsl
iRules
security
  • Dario_Garrido's avatar
    Dario_Garrido
    Jan 29, 2020

    One example of how to configure this.

    1.- Configure iRule.

    when SERVER_CONNECTED {
    catch {
        set hsl [HSL::open -publisher /Common/HSL_PUB]
    }
    set timestamp  [clock clicks -milliseconds]
    set cs_client_ip [clientside {IP::remote_addr}]
    set cs_client_port [clientside {TCP::remote_port}]
    set cs_server_ip [clientside {IP::local_addr}]
    set cs_server_port [clientside {TCP::local_port}]
    set ss_client_ip [serverside {IP::local_addr}]
    set ss_client_port [serverside {TCP::local_port}]    
    set ss_server_ip [serverside {IP::remote_addr}]
    set ss_server_port [serverside {TCP::remote_port}]
 
    catch {
        HSL::send $hsl "{\"version\":\"1.1\",\"level\":\"6\",\"_stream_filter\":\"test\",\"_TIMESTAMP\":\"[clock clicks -milliseconds]\",\"_CLIENT\":\"[clientside {IP::remote_addr}]:[clientside {TCP::remote_port}]\",\"_VIP\":\"[clientside {IP::local_addr}]:[clientside {TCP::local_port}]\",\"_SNAT\":\"[serverside {IP::local_addr}]:[serverside {TCP::local_port}] \",\"_SERVER\":\"[serverside {IP::remote_addr}]:[serverside {TCP::remote_port}]\"}"
    }
}

    2.- Configure HSL_PUB

    sys log-config destination remote-high-speed-log HSL_SRV {
    pool-name P-WEB1_80
    protocol udp
}
sys log-config publisher HSL_PUB {
    destinations {
        HSL_SRV { }
    }
}

    3.- Apply iRule to the VS and generate traffic.

    ---

    After capturing traffic output, that's the result.

    13:13:09.553783 00:50:56:8f:8f:ec > 00:50:56:8f:ae:99, ethertype 802.1Q (0x8100), length 260: vlan 4094, p 0, ethertype IPv4, 10.130.40.41.47233 > 172.16.100.1.80: UDP, length 207 out slot1/tmm1 lis=
E....?@.....
.()..d....P..C.{"version":"1.1","level":"6","_stream_filter":"test","_TIMESTAMP":"1580299989553","_CLIENT":"10.130.41.41:54197","_VIP":"10.130.41.50:80","_SNAT":"10.130.40.41:54197 ","_SERVER":"172.16.100.2:80"}.......

    Let me know if this helps.

    KR,

    Dario.

6 Replies

  • Dario_Garrido's avatar
    Dario_Garrido
    Icon for Noctilucent rankNoctilucent
    Jan 27, 2020

    Hello Akshay

    Sure, you can. Let try something like this:

    HSL::send $hsl "{\"TIMESTAMP\":\"[clock clicks -milliseconds]\",\"CLIENT\":\"$client_ip\", ... }"

    KR,

    Dario.

    • Akshay_SK's avatar
      Akshay_SK
      Icon for Nimbostratus rankNimbostratus
      Jan 29, 2020

      The first option doesn't seem to be working.

      • Dario_Garrido's avatar
        Dario_Garrido
        Icon for Noctilucent rankNoctilucent
        Jan 29, 2020

        One example of how to configure this.

        1.- Configure iRule.

        when SERVER_CONNECTED {
    catch {
        set hsl [HSL::open -publisher /Common/HSL_PUB]
    }
    set timestamp  [clock clicks -milliseconds]
    set cs_client_ip [clientside {IP::remote_addr}]
    set cs_client_port [clientside {TCP::remote_port}]
    set cs_server_ip [clientside {IP::local_addr}]
    set cs_server_port [clientside {TCP::local_port}]
    set ss_client_ip [serverside {IP::local_addr}]
    set ss_client_port [serverside {TCP::local_port}]    
    set ss_server_ip [serverside {IP::remote_addr}]
    set ss_server_port [serverside {TCP::remote_port}]
 
    catch {
        HSL::send $hsl "{\"version\":\"1.1\",\"level\":\"6\",\"_stream_filter\":\"test\",\"_TIMESTAMP\":\"[clock clicks -milliseconds]\",\"_CLIENT\":\"[clientside {IP::remote_addr}]:[clientside {TCP::remote_port}]\",\"_VIP\":\"[clientside {IP::local_addr}]:[clientside {TCP::local_port}]\",\"_SNAT\":\"[serverside {IP::local_addr}]:[serverside {TCP::local_port}] \",\"_SERVER\":\"[serverside {IP::remote_addr}]:[serverside {TCP::remote_port}]\"}"
    }
}

        2.- Configure HSL_PUB

        sys log-config destination remote-high-speed-log HSL_SRV {
    pool-name P-WEB1_80
    protocol udp
}
sys log-config publisher HSL_PUB {
    destinations {
        HSL_SRV { }
    }
}

        3.- Apply iRule to the VS and generate traffic.

        ---

        After capturing traffic output, that's the result.

        13:13:09.553783 00:50:56:8f:8f:ec > 00:50:56:8f:ae:99, ethertype 802.1Q (0x8100), length 260: vlan 4094, p 0, ethertype IPv4, 10.130.40.41.47233 > 172.16.100.1.80: UDP, length 207 out slot1/tmm1 lis=
E....?@.....
.()..d....P..C.{"version":"1.1","level":"6","_stream_filter":"test","_TIMESTAMP":"1580299989553","_CLIENT":"10.130.41.41:54197","_VIP":"10.130.41.50:80","_SNAT":"10.130.40.41:54197 ","_SERVER":"172.16.100.2:80"}.......

        Let me know if this helps.

        KR,

        Dario.

      • Dario_Garrido's avatar
        Dario_Garrido
        Icon for Noctilucent rankNoctilucent
        Feb 17, 2020

        Glad to hear this.

         

        Please, don't forget to mark the answer as "the best".

         

        KR,

        Dario.