Forum Discussion
Send Attackers IP to another system via API
Hi experts!
I'm a newbie here and I need your help. I have a task to send an attacker's IP to another system via API. For example, I have an ASM and there are some triggered violations. I want to send the attacker's IP from that event to another system via API. Any thoughts on that? Is it possible to do?
- xuwenCumulonimbus
Sending a POST should use the iRules sideband method. The difficulty is whether your server's POST requires username/password or token authentication from the F5.
Firstly, can the F5 ping the NGFW and telnet to NGFW port 80 (assuming the NGFW API service port is 80)?
Secondly, if the F5 cannot telnet to NGFW port 80, the F5 needs a network route to the NGFW added; make sure the F5 can telnet to NGFW port 80.
Here is the code, for an NGFW (example NGFW IP is 10.0.0.10, API service port is 80) with no authentication for POST:
    when ASM_REQUEST_DONE priority 500 {
        set asm_ip [ASM::client_ip]
        # Quote the address: a bare 10.0.0.1 is not valid JSON
        set asm_json "\{\"Client_address\":\"$asm_ip\"\}"
        set content_length [string length $asm_json]
        set data "POST /sample/post/json HTTP/1.0\r\nHost: test.com\r\nContent-Type: application/json\r\nContent-Length: ${content_length}\r\n\r\n${asm_json}"
        # Sideband connection to the NGFW API (-timeout in ms, -idle in seconds)
        if { [catch {connect -timeout 1000 -idle 30 -status conn_status 10.0.0.10:80} conn_id] == 0 && $conn_id ne "" } {
            log local0. "Connect returns: $conn_id and conn status: $conn_status"
            set send_bytes [send -timeout 1000 -status send_status $conn_id $data]
            log local0. "Sent $send_bytes with status $send_status"
            # Read the NGFW reply so a non-2xx answer is at least visible in the log
            set response [recv -timeout 1000 -status recv_status $conn_id]
            log local0. "NGFW status line: [lindex [split $response "\r\n"] 0]"
            close $conn_id
            return
        } else {
            log local0. "Connection could not be established to NGFW"
        }
    }
- AantatCirrus
xuwen, thanks! That's brilliant! Yeah, you're right! Now I'm facing a problem with authentication. Is it possible to:
1. Send a first POST request with credentials.
2. Get cookies from the response to the first POST request.
3. Send a second POST request with the attacker IP in the payload and the cookies in the headers?
Is it possible to do that in one iRule? Any suggestions?
- xuwenCumulonimbus
You'd better give the complete curl format for calling the API twice, and show the NGFW's response (curl -v http://xxxx).
I can think of two methods. Write your own code to test it:
1. HTTP Super SIDEBAND Requestor
2. Use iRulesLX; sending an HTTP POST from node.js is definitely simpler and faster than in TCL
- xuwenCumulonimbus
Because you haven't given the complete format of the curl -v API call and the HTTP response header, the following code uses iRulesLX to send two HTTPS POSTs, which is equivalent to these two curl HTTPS calls:
1. curl -sku 'admin:xt32112300' -X POST https://www.test.com/auth/login
The NGFW cookie is in the HTTP response header "Set-Cookie",
so the next HTTPS POST carries the cookie in the HTTP request header "Cookie":
2. curl -skv https://www.test.com/sample/post/json -X POST -H "Content-Type: application/json" -H "Cookie: XXXXX" -d '{"Client_address": "x.x.x.x"}'
iRules code:
    when ASM_REQUEST_DONE priority 500 {
        set asmip [ASM::client_ip]
        # Plugin and extension names as configured in the iRulesLX workspace
        set handle [ILX::init "ilxlab3_pl" "ilxlab3_ext"]
        if { [catch {ILX::call $handle jsonPost $asmip} result] } {
            # Error handling (ILX timeout or the node side raised an error)
            log local0.error "Client - [IP::client_addr], ILX failure: $result"
            return
        } else {
            # Log NGFW second https response body
            log local0. "result is $result"
            return
        }
    }
iRulesLX code:
    'use strict'; // Just for best practices

    // Import modules here
    var f5 = require('f5-nodejs');
    //var qs = require('querystring'); // Used for parsing the POST data querystring
    const https = require('https');

    // Create an ILX server instance
    var ilx = new f5.ILXServer();

    // Log in to the NGFW, then POST the attacker IP with the session cookie
    ilx.addMethod('jsonPost', function (req, res) {
        var options = {
            //hostname: '10.20.20.52',
            hostname: 'www.test.com',
            port: 443,
            path: '/auth/login',
            method: 'POST',
            auth: 'admin:xt32112300',
            // Disables TLS certificate verification (lab only); with a real NGFW
            // pass its CA via the "ca" option instead of leaving this false
            rejectUnauthorized: false
        };
        var postclientip = req.params()[0];
        let httpBody = '';

        // First request: login, the session cookie comes back in Set-Cookie
        const req_post = https.request(options, (res1) => {
            console.log('statusCode:', res1.statusCode);
            console.log('header', res1.headers['set-cookie']);
            console.log(Array.isArray(res1.headers['set-cookie']));
            res1.resume(); // drain the login body so the socket is released
            if (Array.isArray(res1.headers['set-cookie'])) {
                // Send back only name=value; the Path/Expires/HttpOnly attributes
                // of Set-Cookie do not belong in a Cookie request header
                var ngfw_cookie = res1.headers['set-cookie']
                    .map((c) => c.split(';')[0].trim())
                    .join('; ');
                var post_asm_ip = postclientip;
                var post_data = JSON.stringify({ 'Client_address': post_asm_ip });
                options.headers = {
                    'Content-Type': 'application/json',
                    'Content-Length': Buffer.byteLength(post_data),
                    'Cookie': ngfw_cookie
                };
                options.path = '/sample/post/json';
                console.log(JSON.stringify(options));

                // Second request: the attacker IP, authenticated by the cookie
                var post_req = https.request(options, (res2) => {
                    res2.on('data', (d) => {
                        process.stdout.write(d);
                        httpBody += d;
                    });
                    res2.on('end', () => {
                        console.log(`response data: ${httpBody}`);
                        res.reply(['successful', httpBody]);
                    });
                });
                post_req.on('error', (e) => {
                    console.log(e);
                    res.reply('failed bring cookie post');
                });
                post_req.write(post_data);
                post_req.end();
            } else {
                // Always answer, otherwise ILX::call on the TCL side waits for its timeout
                res.reply('failed: login response had no Set-Cookie header');
            }
        });
        req_post.on('error', (e) => {
            console.error(e);
            res.reply('failed: login request error');
        });
        req_post.end();
    });

    // Start the ILX server
    ilx.listen();
- JRahmAdmin
Hi Aantat, what kind of system is the other system, and do you want to manage those messages from a remote system (like pull on system C from system A, push from system C to system B) or just send messages directly from ASM to other systems? More details on what you're trying to accomplish would be helpful, but either way, there's likely a solution we can work out together. Let me know!
From what you ask, it seems that something like a SIEM such as Splunk to get the F5 ASM logs is needed, and then a SOAR like Splunk Phantom to use the logs to add the IP address of the attacker on the firewall. That is my idea, but you will need to dig deep to automate and to play around.