Forum Discussion

Rozh
Jul 22, 2020

DDOS attack event ID

Hello guys.

Please help me.

In our company, we have a private SIEM and I want to create a dashboard to show the DDoS attack families (SYN flood, connection flood, DNS query flood, SSL flood, ...).

In the F5 log reference, which event ID shows a DDoS attack?

4 Replies

  • First, create a DoS protection profile using the desired thresholds, attack detection and mitigation methods and operation mode (blocking or transparent), and assign it to your virtual server. Then you will need to create a logging profile with DoS Protection enabled and then assign it to the VS also. DoS events will be listed as they are detected. Does this help?

    • Rozh

      Thanks, Erik.

      I know which event causes a DDoS attack. I also have the F5 syslog, which I receive on my SIEM. In fact, I want to create a dashboard on the SIEM, so now I need to know which event ID causes the DDoS traffic, so that by filtering on the received logs I can reach my goal.

      I need a log reference with event IDs.

  • OK--there is also Security > Reporting > DoS Dashboard which will show an "Attack ID" which might be what you're after, and also what triggered it--such as "Volumetric" in the case of DoS. For different granularity, go to Security > Event Logs > DoS > Application Events. If you have a remote logging server, the Attack ID should be sent there as well. Check out this resource:

    https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/2.html

  • Rozh

    Thanks, dear Erik.

    It was great, I got it. Thanks a lot.

    🙏