How to add Syslog headers to Bot Defense logs over HSL? (Missing formatting options)
Hi DevCentral Community, I am running into issue with logging Bot Defense events to our SEIM (AIsaac) and could use some advice on best practices. We have logging profile configured to send both Application Security (ASM) and Bot Defense logs to a Remote Publisher. The Publisher is currently tied to a Remote HSL(High-Speed-Logging) destination. The Problem: For standard ASM WAF logs, we can easily format the log string directly in the GUI under the Applications Security logging tab. However, under the Bot Defense logging tab, there is no option to customize the log format. Because it is sending directly to a raw HSL destination, the Bot Defense logs are arriving at out SEIM completely stripped of standard Syslog headers. Without these headers, the SEIM cannot parse the logs correctly. My Questions: Is inserting a Syslog formatted destination before the HSL destination the official way to inject standard headers into Bot Defense logs? Is there any hidden tmsh command or iRule method to actually customize the Bot Defense log payload format, or is the payload structure strictly fixed by the system?
Create Domino LTPA token on F5 problem
Hi, I'm trying to use the code at http://per.lausten.dk/blog/2009/06/how-to-create-a-ltpa-session-cookie-for-lotus-domino-using-f5.html to create a Domino LTPA token but I am getting the following error showing on the Domino server: Token does not lead with 0 [Single Sign-On token is invalid]. The token should begin with the version number 0123 e.g. from the code set ltpa_version "\x00\x01\x02\x03" However, after decoding the token and then looking at it in a hex editor the version number shows as: C0 80 01 02 03 ....... Can somebody explain to me why the \x00 is being changed to C0 80 please? I've experimented putting other numbers in thefirst position to see what happens e.g. \x01\x01\x02\x03 and the hex readout looks correct i.e. 01 01 02 03. It only fails when I use a \x00 in the first position. Thanks for any suggestions. JeffF5 AWAF/ASM ASM_RESPONSE_VIOLATION event seem to not trigger on 17.1.x
Hey Everyone, The F5 AWAF/ASM ASM_RESPONSE_VIOLATION event seem to not trigger on 17.1.x. I have enabled irules support the waf policy and I tested in Normal and Compatibility mode but no luck. The other events trigger without an issue. I created 2 custom signatures for response and request match and request match one has no issues so it seems a bug to me. This can be easily tested with the below irule that logs to /var/log/asm when ASM_REQUEST_DONE { log local3. "test request" } when ASM_RESPONSE_VIOLATION { log local3. "test response" } The custom response signature is in the policy to just trigger alarm. I tried string or regex match " (?i)failed " PCRE-style as F5 15.x and up are using this regex style.
How to log HTTP/2 reset_stream
Hello, We are currently in a meeting to prepare for HTTP/2 DDoS attacks. What we would like to do is log the client’s IP address (either local or remote) whenever an HTTP/2 RESET_STREAM is received. Is there any way to achieve this? Would it be possible to implement using an iRule? Thank you.
IRule to block different combinations host/uri
hello together, we've got a VIP with a lot of CNAME's and a few login-URI's should be blocked, but not all. so in our Irule we have some Entries like: elseif { [HTTP::uri] starts_with "/presse/login"} { HTTP::respond 403 but now we need special Combinations of [HTTP::host][HTTP::uri] could you pls provide me some Example? I'm not sure if [HTTP::host] matches alo for HTTPS. Thank you Karl
Is it possible to select ASM BoT profile from irule?
Hi. . Is it possible to select BoT profile from irule? . Concept is we have different set of IP which need to allow "some" BoT type. That why we can't use whitelist IP in BoT profile because it will allow all BoT type. So We want to use iRule to check if it IP A > use BoT profile which have some exception, but if all other IP > use normally BoT profile. . when HTTP_REQUEST { # Check IP and select BoT profile from that if { [IP::client_addr] eq "A" } { ASM::enable allow_some_bot_profile } else { ASM::enable normally_bot_profile } } ps. I didn't see any document about how to select BoT profile. So I'm not sure if ASM::enable can do that.MQTT Broker - logging irule
Hi i am trying to setup an MQTT LTM VS and running into a few issues, i was trying to use some of the sample irules to capture some more logging but can't quite figure out this one that should log the messages https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-iot-administration-13-0-0/1.html Common/irule_mqtt_loggging:14: error: [undefined procedure: MQTT::message_id][MQTT::message_id] /Common/irule_mqtt_loggging:26: error: ["The command does not expect argument."][MQTT::message topics qos $topic] i had thought that these were standard variables that could just be used...if anyone has managed to get this working any help would be apprecated thanks chrisiRule or Re-write Profile
I'm trying to work out how to do the following. I have an irule that is directing source traffic (based on IP) to a specific pool I have a rewrite policy > changing https://example.com to https://example.com/text this is all working The problem I have, is I'd like https://example.com to stay the same in the client's browser But after the client connects to the backend servers, they return a uri https://host1.com I'd like that to appear as https://example.com I looked at my rewrite policy and was thinking I could do a response This doesn't appear to work. Should I be using a single iRule to Replace the name (inbound) Direct to a pool Replace the name (outbound)
