Is there a way for the F5 AFM Protocol Inspection signature match to automatically do pcap capture?

Question

Hello,
&nbsp;
Is there a way for the F5 AFM Protocol Inspection signature match to automatically do tcpdump pcap capture and save it to a file? The idea is when a signature is triggered by the IPS to to capture the bad packet if it is a false positive, so it can be reviewed.

nikoolayy1 · Accepted Answer

Hello, As for now in the security logging profile there seems to be a tab called " log packet payload" for the Protocol Inspection logging that should do the job 🙂 The only issue is that the payload that triggered the violation is saved as hex but a converter solves this this issue.

greasy_pretzel · Answer

As the payload may be large or there would be a large number of logs generated, it would be better to send the logs to a remote logging server.

Forum Discussion

Is there a way for the F5 AFM Protocol Inspection signature match to automatically do pcap capture?

2 Replies

Recent Discussions

F5 loadbalancer not working

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Related Content

Mitigating log4j (CVE-2021-44228) with AFM Protocol Inspection Custom Signatures

Using Perl Compatible Regular Expressions (PCRE) in Protocol Inspection Custom Signatures

Decrypting BIG-IP Packet Captures Automatically

Converting a Snort Rule to an AFM Protocol Inspection Custom Signature

Protecting the F5 BIG-IP AFM system with AFM Protocol Inspection System Checks