API feed for WAF Attack Signatures
Hi again! This is my 3rd question post today and I'll try to make it my last for today. 😄 I'm a project manager responsible for our WAF implementation and I'm more involved in WAF care and feeding than a project manager should be.

Is there an API feed available for WAF attack signatures, both current and staged? Our WAF logs are fed into Splunk and Oracle. In Splunk, I built an Excel spreadsheet that I use as a lookup table that has current and staged attack signatures. I had help pulling the JSON feed from the F5 attack signatures database. I have to manually add to this file as I suspect our logging activity is causing additional characters such as percent signs to show up in the sig_ids field for my Splunk reports.

As mentioned in one of my other posts, my manager wants to move over to an Apex application that one of the application developers on our WAF team has been building. The goal is to allow our business owners to authenticate and view WAF related reports that we develop for their organization. If we move to Apex, this renders the Splunk lookup table I've built and maintain useless, thus I'm on a hunt for an API.

If anyone has suggestions for staged attack signature management, I'll take those as well. I was told that I should monitor them, which I am, but our tuning and remediation processes are so tedious that I'm not sure how to work in yet another meeting to review and discuss staged attack signatures. 😒

Thank you!
Jodi
Reliable resources for identifying IP addresses
Hello! I'm a project manager responsible for the WAF implementation in my organization. Aside from overseeing the implementation, I'm in the trenches, so to speak, with the everyday care and feeding of WAF, which is likely unusual for a project manager. 😃

Our systems administrators have set up our WAF logs so that they are logged in Splunk and Oracle. I have created numerous reports, dashboards, and alerts that Splunk uses against a lookup table that I built to identify the IP address owners. This is manually built and maintained by myself in Excel and was started with IP records provided by two of our business owners for educational institutions that use their services. The Excel spreadsheet is over 100K lines and I look up IPs using ARIN as part of growing this IP table. This is cumbersome to say the least.

My manager wants to move more of our WAF reporting to an Apex tool that one of our application developers built. This renders my Splunk lookup table useless. What resources are others in the community using to identify IP addresses? The application developer responsible for the Apex application would like something available via API.

I began the effort to identify IP addresses to help with our tuning and remediation efforts. We look more kindly upon infractions from educational institutions than traffic from a bot source. We will do post-production tuning against a policy if one of our business owners reports a block on behalf of an end user. The IP identification helps with this process. Our WAF administrator is extremely cautious, which I respect because we need to protect our infrastructure, but our processes for remediation and tuning are quite tedious.

Thank you in advance for any resources you can provide!
Jodi
WAF Organizational Processes
Hello! I'm a project manager responsible for our WAF implementation and likely more engaged in WAF care and feeding than most project managers. 😀 I'd like to understand from others their WAF organizational processes with the goal of improving ours.

I'm responsible for hosting a weekly WAF tuning meeting. Our WAF admin pulls data from our Splunk logs and brings up samples for policies that we've not yet put into production mode. Our WAF admin wants our two application developers on our WAF team to say "yea" or "nay" for each sample to be tuned. This is incredibly tedious, but our hope is to reduce false positives. How do other orgs handle pre-production tuning?

We have a similar process if a production-deployed policy receives a block. Our business owner for the application opens a ticket for their end user. Since I'm not allowed access to F5 WAF, I use the support ID to look up the WAF report in an Apex application one of our developers wrote. I provide this report to our WAF admin, who waits for one of our WAF team app devs to say "yea" or "nay" on whether it's legit traffic. If it's legit, he tunes the policy, but sometimes still with apprehension. This results in either my needing to schedule a special meeting with our WAF team (includes me, 2 app devs, WAF admin, sys admin manager, my manager, and 1-2 reps from security) or taking time in a tuning meeting to review the tuning adjustment that was made and get a ruling on whether it's too risky to keep in place or it's safe to remain.

How do your organizations handle reports of blocks from your business owners and their end users? I truly feel we can and should improve, so I'm eager to hear what others in the community are doing.

Thank you!
Jodi
Can iRule be used to perform exception of IPI category based on Geolocation
Hi Everyone,

Can we configure an iRule to perform an exception on a certain IPI category like "Spam Sources" based on Geolocation? For instance, I want to bypass the mitigation enforced on the "Spam Sources" IP intelligence category for the "Nepal" geolocation specifically, because of the large number of false positives on this category.

I found the iRule to enforce the mitigation based on the defined IPI categories:

    when HTTP_REQUEST {
        # Categories returned by IP Intelligence for the client address
        set ip_reputation_categories [IP::reputation [IP::client_addr]]
        set is_reject 0
        if {($ip_reputation_categories contains "Windows Exploits")} {
            set is_reject 1
        }
        if {($ip_reputation_categories contains "Web Attacks")} {
            set is_reject 1
        }
        if {($is_reject)} {
            log local0. "Attempted access from malicious IP address [IP::client_addr] ($ip_reputation_categories), request was rejected"
            HTTP::respond 200 content "<HTML><HEAD><TITLE>Rejected Request</TITLE></HEAD><BODY>The request was rejected. <BR> Attempted access from malicious IP address</BODY></HTML>"
        }
    }

https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-local-traffic-manager-implementations/enabling-ip-address-intelligence.html
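One way to carve the geolocation exception into the iRule itself, as an added example that is not part of the original post or of the linked F5 documentation. It assumes that the category enforcement is done by the iRule (as in the snippet above) rather than by an IP Intelligence policy attached to the virtual server, that the Geolocation database is installed so that whereis returns ISO 3166 country codes, and that the category names, the "NP" country code and the 403 response are what you want; the lists in RULE_INIT are placeholders to adjust for your deployment.

```tcl
# Added example: reject selected IP Intelligence categories, but let a given
# category through for clients geolocated to listed countries.
# Assumes enforcement happens here, not in an IPI policy on the virtual server.
when RULE_INIT {
    # Categories that are rejected (assumed list, edit to match your policy)
    set static::ipi_reject  [list "Windows Exploits" "Web Attacks" "Spam Sources"]
    # The one category that gets a per-country exception, and the ISO codes
    # (two-letter, as returned by "whereis ... country") that are exempt from it
    set static::ipi_geo_cat "Spam Sources"
    set static::ipi_geo_ok  [list "NP"]
}

when HTTP_REQUEST {
    set client [IP::client_addr]
    # IP::reputation returns a Tcl list of category names, "" if none
    set categories [IP::reputation $client]
    if { $categories eq "" } { return }

    # whereis returns "" when the Geolocation database has no entry,
    # so an unknown country never qualifies for the exception
    set country [whereis $client country]
    set reason ""

    foreach cat $categories {
        if { [lsearch -exact $static::ipi_reject $cat] < 0 } { continue }
        if { $cat eq $static::ipi_geo_cat && $country ne "" \
             && [lsearch -exact $static::ipi_geo_ok $country] >= 0 } {
            # Category is on the reject list but the country is exempt for it
            log local0. "IPI exception: $client in \"$cat\" from $country allowed"
            continue
        }
        set reason $cat
        break
    }

    if { $reason ne "" } {
        log local0. "Rejected $client: IPI category \"$reason\" (all: $categories)"
        HTTP::respond 403 content "Forbidden" "Connection" "Close"
    }
}
```

Note that the exception only applies to the category named in static::ipi_geo_cat; an address that is both "Spam Sources" and, say, "Web Attacks" is still rejected on the second category. If the mitigation you want to relax is configured in an IP Intelligence policy on the virtual server rather than in an iRule, the policy acts before this logic runs, so the enforcement has to be moved into the iRule for the exception to take effect.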
Monitor string query
Hello,

I am trying to set up a monitor for a pool with the config below, but I get an invalid JSON message when trying to deploy via AS3.

Monitor SEND String:
GET /gateway/ping HTTP/1.1\r\nHost: <Domain-Name>\r\nConnection: Close\r\n\r\n

Monitor RECEIVE String:
HTTP/1\.(0|1) 200

Invalid JSON! Error: Parse error on line 274:
...n", "receive": "HTTP/1\.(0|1) 200"
----------------------^
Expecting 'STRING', 'NUMBER', 'NULL', 'TRUE', 'FALSE', '{', '[', got 'undefined'
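The parse error points at the receive string: in JSON a backslash starts an escape sequence, and "\." is not a valid one, so the parser gives up at that character. "\r" and "\n" in the send string are valid escapes (they become CR and LF, which is what the monitor needs). The regex dot therefore has to be written with a doubled backslash, "\\.", so that the monitor receives the single "\." it expects. Below is an AS3 application fragment showing the corrected strings; it is an added example, not the original declaration, and the tenant-level wrapper, the pool name, the member address and the host name are placeholders.

```json
{
  "class": "Application",
  "template": "generic",
  "gateway_pool": {
    "class": "Pool",
    "monitors": [ { "use": "gateway_ping_monitor" } ],
    "members": [ { "servicePort": 8080, "serverAddresses": [ "192.0.2.10" ] } ]
  },
  "gateway_ping_monitor": {
    "class": "Monitor",
    "monitorType": "http",
    "send": "GET /gateway/ping HTTP/1.1\r\nHost: gateway.example.com\r\nConnection: Close\r\n\r\n",
    "receive": "HTTP/1\\.(0|1) 200"
  }
}
```

A quick check before posting the declaration is to run it through any strict JSON validator: the original receive string is rejected on the "\." while the version above parses, and on the BIG-IP the resulting monitor shows the receive string as HTTP/1\.(0|1) 200, exactly as intended.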
Telemetry streaming to Elasticsearch
Hi all,

I am following a couple of threads since I want to send ASM logging to Elasticsearch, like this one from Greg. What I understand is that I need to send an AS3 declaration and a TS declaration. But there are a couple of things not entirely clear to me.

1. Can I remove the iRule, Service_TCP, Pool, Log_Destination, Log_Publisher and Traffic_Log_profile declarations from the AS3 declaration JSON? In the example the telemetry_asm_security_log_profile does not seem to depend on these?

2. In the AS3 declaration JSON an IP address is specified, 255.255.255.254 (perhaps just an example since it is a subnet mask), and also in the TS declaration, where it is 172.16.60.194. How are the IPs in the servers section of the AS3 declaration related to the one in the consumer part of the TS declaration?

3. In telemetry_asm_security_log_profile the field remoteStorage is set to splunk. According to the reference guide (Reference Guide, security-log-profile-application-object), the allowed values are "remote", "splunk", "arcsight", "bigiq". I would opt for just remote. Is that the correct choice?

Regards,
Hans
ASM Policy in "Blocking" Mode switch to "Transparent" for some IPs
I have a policy that I need to switch to blocking, but the business wants to have a phased approach. Only the testing team should be in Blocking, while the rest of the business (a different IP range) remains in transparent. I need to keep the same policy so that I can prove that everything is running fine. Is there a method to do that?

I was thinking about an iRule but don't know how. I know how to disable ASM with an iRule, but that's something I don't want because I need to keep the learning suggestions.

Bye
St.
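One way to get a per-source phased rollout without a second policy, as an added example that is not from the original post: leave the policy in Blocking mode and, in the ASM_REQUEST_BLOCKING event, override the block for every client that is not in the test team's address range. The policy keeps inspecting and learning from all traffic; only the enforcement decision is narrowed. This assumes an address-type data group named asm_blocking_testers containing the testers' addresses or subnets (192.0.2.0/24 below is a placeholder), and that "Trigger ASM iRule Events" is enabled on the policy so the ASM_* events fire.

```tcl
# Added example: policy stays in Blocking mode, but only clients listed in the
# address data group "asm_blocking_testers" are actually blocked. Everyone else
# gets transparent behaviour: the violation is still raised and logged by ASM,
# the request is then allowed through with ASM::unblock.
# Data group (assumed): ltm data-group internal asm_blocking_testers { type ip
#   records { 192.0.2.0/24 { } } }
when ASM_REQUEST_BLOCKING {
    set client [IP::client_addr]
    # class match on an address data group also matches CIDR entries
    if { [class match $client equals asm_blocking_testers] } {
        # Tester: let ASM block as configured
        return
    }
    # Not a tester: override the blocking action for this request
    ASM::unblock
    log local0. "ASM block overridden for $client (phased rollout), support id [ASM::support_id]"
}
```

Two things to check before relying on it: if the business users reach the virtual server through a proxy or load balancer, IP::client_addr is the proxy's address and the data group needs to be matched on whatever header carries the real client instead; and the override is logged locally above precisely because the ASM request log will show the violation for these requests even though they were let through, which is what you want for the "prove it runs fine" argument but can confuse anyone reading the logs who does not know about the iRule.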
F5 WAF/ASM block users that trigger too many violations by source ip/device id using the correlation logs
Hello to All,

I was thinking of using the iRule tables command to write when a user IP/device ID makes too many violations for a time period and to get blocked for some time, but I see that the F5 ASM has correlation logs that trigger incidents, but there is not a lot of info on whether this can be used in iRules or to block user IP addresses / device IDs.

https://support.f5.com/csp/article/K92532922
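The table-based approach the post describes, written out as an added example (not from the original post or the linked article): each ASM violation increments a per-address counter that lives for a fixed window, and once the counter crosses a threshold the address goes onto a block list with its own lifetime, after which it is released automatically. The window, threshold and block duration are assumptions to tune for your traffic, the key is the source address (if your policy has Device ID enabled and your version exposes it to iRules, the same logic can be keyed on that instead), and the policy needs "Trigger ASM iRule Events" enabled so that ASM_REQUEST_DONE fires.

```tcl
# Added example: block a source address for a while once it has raised too
# many ASM violations inside a sliding window, using the session table.
# All three thresholds are assumptions; adjust for your environment.
when RULE_INIT {
    set static::viol_window  300   ;# seconds over which violations are counted
    set static::viol_max      10   ;# violations in that window before blocking
    set static::viol_block   900   ;# seconds the address stays blocked
}

when HTTP_REQUEST {
    # Already on the block list: answer here, before the pool or ASM see it.
    # -notouch so the lookup does not extend the entry's timeout.
    if { [table lookup -notouch -subtable "asm_blocked" [IP::client_addr]] ne "" } {
        HTTP::respond 403 content "Forbidden" "Connection" "Close"
        return
    }
}

when ASM_REQUEST_DONE {
    # Fires after ASM has evaluated the request; count only requests that
    # actually raised a violation
    if { [ASM::violation count] == 0 } { return }
    set ip [IP::client_addr]

    # Create the counter with a hard lifetime equal to the window; -excl makes
    # this a no-op when the counter already exists, so the window is not reset
    # by every new violation. Then increment it and read the new value.
    table set -subtable "asm_offenders" -excl $ip 0 indefinite $static::viol_window
    set n [table incr -subtable "asm_offenders" $ip]

    if { $n >= $static::viol_max } {
        # Put the address on the block list for viol_block seconds and drop the
        # counter so a fresh window starts once the block expires
        table set -subtable "asm_blocked" $ip [clock seconds] indefinite $static::viol_block
        table delete -subtable "asm_offenders" $ip
        log local0. "Blocking $ip for $static::viol_block s after $n ASM violations in $static::viol_window s (last support id [ASM::support_id])"
    }
}
```

The block is enforced in HTTP_REQUEST rather than in an ASM event so that a blocked address costs almost nothing per request. Because the table entries are shared across the cluster and expire on their own, there is nothing to clean up, but two caveats apply: a shared source (NAT, proxy, a university campus) can be blocked as a whole because of one user behind it, so match the window and threshold to how aggressive you can afford to be for such sources; and the 403 above is served by LTM, not ASM, so these requests will not appear in the ASM request log while the block is active, only in the iRule log line written when the block starts.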