
Send Attackers IP to another system via API

Aantat (Cirrus)

Hi experts!

I'm a newbie here and I need your help. I have a task to send attackers' IPs to another system via API. For example, I have an ASM and there are some triggered violations. I want to send the attacker's IP from that event to another system via API. Any thoughts on that? Is it possible to do?

12 REPLIES

JRahm (Community Manager)

Hi @Aantat, what kind of system is the other system, and did you want to manage those messages from a remote system (like pull on system C from system A, push from system C to system B) or just send messages directly from ASM to other systems? More details on what you're trying to accomplish would be helpful, but either way, there's likely a solution we can work out together. Let me know!

Hi @JRahm!

So I have an NGFW and an F5 WAF. My goal is: every time a Security Event is triggered, send the attacker's IP from that Event to my NGFW via API. Hope I made it clear.


From what you ask, it seems that something like a SIEM like Splunk to get the F5 ASM logs is needed, and then a SOAR like Splunk Phantom to use the logs to add the IP address of the attacker on the firewall. That is my idea, but you will need to dig deep to automate and to play around.

Hi @Nikoolayy1,

Agreed, but I'd like to reach my goal without another 3rd system. I thought about an iRule that will send the information about the attacker IP to my NGFW via HTTP POST.

Then you will need to play with the HTTP Super SIDEBAND Requestor (Client) https://clouddocs.f5.com/api/irules/SIDEBAND.html but I do not have a premade iRule for you, so you will need to write it and get the IP from the https://clouddocs.f5.com/api/irules/ASM_REQUEST_DONE.html event, but this will be complex.

xuwen (MVP)

Sending a POST should use the iRules sideband method. The difficulty is whether your server's POST requires a username, password or token authentication from F5.

Firstly, can F5 ping the NGFW and telnet to NGFW port 80 (assuming the NGFW API service port is 80)?

Secondly, if F5 cannot telnet to NGFW 80, F5 needs to add a network route to the NGFW, to make sure F5 can telnet to NGFW 80.

Here is the code, for an NGFW (example NGFW IP is 10.0.0.10, API service port is 80) with no authentication for POST:


when ASM_REQUEST_DONE priority 500 {
    # Only notify the NGFW when ASM actually raised a violation on this request
    if { [ASM::violation count] == 0 } {
        return
    }
    set asm_ip [ASM::client_ip]
    # Quote the address so the body is valid JSON: {"Client_address":"x.x.x.x"}
    set asm_json "\{\"Client_address\":\"$asm_ip\"\}"
    set content_length [string length $asm_json]
    set data "POST /sample/post/json HTTP/1.0\r\nHost: test.com\r\nContent-type: application/json\r\nContent-Length: ${content_length}\r\n\r\n${asm_json}"
    # Sideband connection to the NGFW API (10.0.0.10:80 in this example)
    if { [catch {connect -time 1000 -idle 30 -status conn_status 10.0.0.10:80} conn_id] == 0 && $conn_id ne "" } {
        log local0. "Connect returns: $conn_id and conn status: $conn_status"
        set send_bytes [send -timeout 1000 -status send_status $conn_id $data]
        log local0. "Sent $send_bytes with status $send_status"
        close $conn_id
    } else {
        log local0. "Connection could not be established to NGFW"
    }
}


@xuwen, thanks! That's brilliant! Yeah, you're right! Now I'm facing a problem with authentication. Is it possible to:

1. Send first POST request with credentials.

2. Get cookies from response to first POST request.

3. Send second POST request with attacker IP in payload and cookies in headers?

Is it possible to do that in one iRule? Any suggestions?  

You'd better give the complete curl format for calling the API twice, and show the response result of the NGFW (curl -v http://xxxx).

Think of two methods. Write your own code to test it:

1. HTTP Super SIDEBAND Requestor

https://clouddocs.f5.com/api/irules/HTTP-Super-SIDEBAND-Requestor-Client-Handles-Redirects-Cookies-C...

2. Use iRulesLX; sending an HTTP POST from node.js is definitely simpler and faster than from Tcl.


Hi @xuwen

Could you please share some iRulesLX code for sending an HTTP POST? Thanks in advance.

@Aantat just a fast note: the community is not F5 PS and you will need to do some coding. For example, I googled F5 iRules LX and came upon this post; you could find others and use them for your use case.

https://community.f5.com/t5/technical-forum/how-to-use-irule-or-irule-lx-to-call-external-soap-web-s...

I agree with Nikoolayy1: "just a fast note the community is not F5 PS and you will need to do some coding".

To use iRulesLX to send two HTTPS POSTs, you can try the following ways:

1. Google how to send an HTTPS POST with node.js.

2. Find programmer colleagues who can write node.js. This should be a very simple job for those who can write node.js.

3. Seek a customized iRules service from your F5 agent or from F5, which may be charged.

xuwen (MVP)

Because you haven't given the complete format of the curl -v API call and the HTTP response header, the following code uses iRulesLX to send two HTTPS POSTs, which is equivalent to the effect of these two curl HTTPS commands:

1. curl -sku 'admin:xt32112300' -X POST https://www.test.com/auth/login

The NGFW cookie is in the HTTP response header "Set-Cookie",

so the next HTTPS POST carries the cookie in the HTTP request header "Cookie":

2. curl -skv https://www.test.com/sample/post/json -X POST -H "Content-Type: application/json" -H "Cookie: XXXXX" -d '{"Client_address": "x.x.x.x"}'

iRules code:


when ASM_REQUEST_DONE priority 500 {
    set asmip [ASM::client_ip]
    # Plugin "ilxlab3_pl", extension "ilxlab3_ext"; jsonPost is defined in the iRulesLX code below
    set handle [ILX::init "ilxlab3_pl" "ilxlab3_ext"]
    if { [catch {ILX::call $handle jsonPost $asmip} result] } {
        # Error handling
        log local0.error "Client - [IP::client_addr], ILX failure: $result"
        return
    } else {
        # Log NGFW second https response body
        log local0. "result is $result"
        return
    }
}


iRulesLX code:


'use strict'; // Just for best practices
// Import modules here
var f5 = require('f5-nodejs');
//var qs = require('querystring'); // Used for parsing the POST data querystring
const https = require('https');

// Create an ILX server instance
var ilx = new f5.ILXServer();

// This method logs in to the NGFW, takes the session cookie from the login
// response and POSTs the attacker IP as JSON with that cookie attached
ilx.addMethod('jsonPost', function (req, res) {
  var options = {
    //hostname: '10.20.20.52',
    hostname: 'www.test.com',
    port: 443,
    path: '/auth/login',
    method: 'POST',
    auth: 'admin:xt32112300',
    rejectUnauthorized: false
  };

  var postclientip = req.params()[0];
  let httpBody = '';
  const req_post = https.request(options, (res1) => {
    console.log('statusCode:', res1.statusCode);
    console.log('header', res1.headers['set-cookie']);
    console.log(Array.isArray(res1.headers['set-cookie']));
    // The login body is not needed; drain it so the socket is released
    res1.resume();

    if (Array.isArray(res1.headers['set-cookie'])) {
        var ngfw_cookie = res1.headers['set-cookie'];
        var post_asm_ip = postclientip;
        var post_data = JSON.stringify({
            'Client_address': post_asm_ip
        });
        options.headers = {
            'Content-Type': 'application/json',
            // Byte length, not character count, in case the body is non-ASCII
            'Content-Length': Buffer.byteLength(post_data),
            'Cookie': ngfw_cookie
        };
        options.path = '/sample/post/json';
        console.log(JSON.stringify(options));

        var post_req = https.request(options, (res2) => {
            res2.on('data', (d) => {
                process.stdout.write(d);
                httpBody += d;
            });
            res2.on('end', () => {
                console.log(`response data: ${httpBody}`);
                // Return the status and the NGFW response body to TCL
                res.reply(['successful', httpBody]);
            });
        });
        post_req.on('error', (e) => {
            console.log(e);
            res.reply('failed bring cookie post');
        });
        post_req.write(post_data);
        post_req.end();
    } else {
        // Always reply, otherwise ILX::call in the iRule waits until it times out
        res.reply('failed: login response carried no Set-Cookie header');
    }
  });

  req_post.on('error', (e) => {
        console.error(e);
        res.reply('failed login post');
  });
  req_post.end();
});

//Start the ILX server
ilx.listen();