Manual Chapter : Event Messages and Attack Types

Applies To:

Show Versions

BIG-IP APM

14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP Analytics

14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP LTM

14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP PEM

14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP AFM

14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP DNS

14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP ASM

14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

Event Messages and Attack Types

Fields in ASM Violations event messages

This table lists the fields contained in event messages that might display in ASM logs. The fields are listed in the order in which they appear in a message in the log.

Field name and type	Example value	Description
unit_hostname (string)	bigip-4.pme-ds.f5.com	BIG-IP system FQDN
management_ip_address (IP address)	192.168.1.246	BIG-IP system management IP address
http_class_name (string)	/Common/topaz4-web4	HTTP policy name
policy_name (string)	My security policy	Name of the security policy reporting the violation
violations (string)	Attack signature detected	Violation name
support_id (non-negative integer)	18205860747014045721	Internally-generated integer to assist with client access support
request_status (string)	Blocked	Action applied to the client request
response_code (non-negative integer)	200	The HTTP response code returned by the back-end server (application). This information is only relevant for requests that are not blocked.
ip_client (IP address)	192.168.5.10	Client source IP address
route_domain (non-negative integer)	0 (zero)	Route domain number
method (string)	GET	HTTP method requested by client
protocol (string)	HTTP, HTTPS	Protocol name
query_string (string)	key1=val1&key2=val2	Query sent by client; query appears in the first line of the HTTP request after the path and the question mark (?)
x_forwarded_for_header_value (string)	192.168.5.10	Value of the XFF HTTP header
sig_ids (positive non-zero integer)	200021069	Signature ID number
sig_names (string)	Automated client access %22wget%22	Signature name
date_time (string)	2012-09-19 13:52:29	Data and time in the format: YYYY-MM-DD HH:MM:SS
severity (string)	Error	Severity category to which the event belongs
attack_type (string)	Non-browser client	Name of identified attack
geo_location (string)	USA/NY	Country/city location information
ip_address_intelligence (string)	Botnets, Scanners	List of IP intelligence categories found for an IP address
username (string)	Admin	User name for client session
session_id (hexadeicmal number)	a9141b68ac7b4958	TCP session ID
src_port (non-negative integer)	52974	Client protocol source port
dest_port (non-negative integer)	80	Requested service listening port number
dest_ip (IP address)	192.168.5.11	Requested service IP address
sub_violations (string)	Bad HTTP version, Null in request	Comma-separated list of sub-violation strings
virus_name (string)	Melissa	Virus name
uri (string)	/	URI requested by client
request (string)	GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: /\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n	Request string sent by client
headers	Host: myhost.com; Connection: close	Found in request logs
response	HTTP/1.1 200 OK Content-type: text/html Content-Length: 7 <html/>	HTTP response from server when response logging is configured
violation_details (string)	<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name> <http_sanity_checks_status>65536</http_sanity_checks_status><http_sub_violation_status>65536</http_sub_violation_status><http_sub_violation>SFRUUCB2ZXJzaW9uIG5vdCBmb3VuZA==</http_sub_violation></violation></request-violations></BAD_MSG>	Extended information about a violation on a transaction

ASM Violations example events

This list contains examples of events you might find in ASM logs.

Examples of ASM log messages in the ArcSight CEF format

<134>Sep 19 13:35:00 bigip-4.pme-ds.f5.com 
ASM:CEF:0|F5|ASM|11.3.0|Successful Request|Successful Request|2|
dvchost=bigip-4.pme-ds.f5.com dvc=172.16.73.34 cs1=topaz4-web4
cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name
deviceCustomDate1=Sep 19 2012 11:38:36 
deviceCustomDate1Label=policy_apply_date
externalId=18205860747014045699 act=passed cn1=200 cn1Label=response_code
src=10.4.1.101 spt=52963 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP 
cs5=N/A cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:35:00 
deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A 
cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= 
c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A 
c6a4Label=ip_address_intelligence msg=N/A
suid=2e769a9e1ea8b777 suser=N/A request=/ cs3Label=full_request 
cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: 
*/*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n

<131>Sep 19 13:53:34 bigip-4.pme-ds.f5.com
ASM:CEF:0|F5|ASM|11.3.0|200021069|Automated client access
"wget"|5|dvchost=bigip-4.pme-ds.f5.com dvc=172.16.73.34 cs1=topaz4-web4
cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name
deviceCustomDate1=Sep 19 2012 13:49:25 
deviceCustomDate1Label=policy_apply_date externalId=18205860747014045723 
act=blocked cn1=0 cn1Label=response_code src=10.4.1.101 spt=52975 
dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP cs5=N/A 
cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:53:33 
deviceExternalId=0 cs4=Non-browser Client cs4Label=attack_type cs6=N/A 
cs6Label=geo_location c6a1= c6a1Label=device_address 
c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address 
c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A
suid=86c4f8bf7349cac9 suser=N/A request=/ cs3Label=full_request cs3=GET /
HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost:
10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n

Example of ASM log message in the Remote Server format

<134>Sep 19 13:42:41 bigip-4.pme-ds.f5.com ASM:"",
"2012-09-19 13:42:40","10.4.1.200","80","N/A","/Common/topaz4-web4"
"N/A","10.4.1.101","10.4.1.101%0","172.16.73.34","GET",
"2012-09-19 11:38:36","topaz4-web4","HTTP","",
"GET / HTTP/1.0\r\nUser-Agent: Wget/1.12(linux-gnu)\r\nAccept: */*\r\nHost: 
10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n","passed",
"Response logging disabled","200","0","7514e0ee8f0eb493","Informational",
"","","52965","","18205860747014045703","bigip-4.pme-ds.f5.com","/","N/A",
"<?xml version='1.0' encoding='UTF-8'?><BAD_MSG>
<request-violations><violation><viol_index>42</viol_index>
<viol_name>VIOL_ATTACK_SIGNATURE</viol_name>
<context>request</context><sig_data>
<sig_id>200021069</sig_id><blocking_mask>4</blocking_mask>
<kw_data><buffer>VXNlci1BZ2VudDogV2dldC8xLjEyIChsaW51eC1nbn
;UpDQpBY2NlcHQ6ICovKg0KSG9zdDogMTAuNC4xLjIwMA0KQ29
ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KDQo=</buffer>
<offset>0</offset><length>16</length></kw_data>
</sig_data></violation></request-violations>
</BAD_MSG>","","N/A","N/A"

Example of ASM log message in the Remote Syslog format

23003140

Examples of ASM log messages in the Reporting Server format

<134>Sep 19 13:40:27 bigip-4.pme-ds.f5.com
ASM:unit_hostname="bigip-4.pme-ds.f5.com",
management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4",
policy_name="topaz4-web4",policy_apply_date="2012-09-19 11:38:36",
violations="",support_id="18205860747014045701",request_status="passed",
response_code="200",ip_client="10.4.1.101",route_domain="0",method="GET",
protocol="HTTP",query_string="",x_forwarded_for_header_value="N/A",
sig_ids="",sig_names="",date_time="2012-09-19 13:40:26",
severity="Informational",attack_type="",geo_location="N/A",
ip_address_intelligence="N/A",username="N/A",
session_id="98630496c8413322",src_port="52964",dest_port="80",
dest_ip="10.4.1.200",sub_violations="",virus_name="N/A",uri="/",
request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: 
*/*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n"

<134>Sep 19 13:40:27 bigip-4.pme-ds.f5.com
ASM:unit_hostname="bigip-4.pme-ds.f5.com",
management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4",
policy_name="topaz4-web4",policy_apply_date="2012-09-19 11:38:36",
violations="",support_id="18205860747014045701",request_status="passed",
response_code="200",ip_client="10.4.1.101",route_domain="0",method="GET",
protocol="HTTP",query_string="",x_forwarded_for_header_value="N/A",
sig_ids="",sig_names="",date_time="2012-09-19 13:40:26",
severity="Informational",attack_type="",geo_location="N/A",
ip_address_intelligence="N/A",username="N/A",session_id="98630496c8413322",
src_port="52964",dest_port="80",dest_ip="10.4.1.200",sub_violations="",
virus_name="N/A",uri="/",request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 
(linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: 
Keep-Alive\r\n\r\n"

<131>Sep 19 13:52:30 bigip-4.pme-ds.f5.com
ASM:unit_hostname="bigip-4.pme-ds.f5.com",
management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4",
policy_name="topaz4-web4",policy_apply_date="2012-09-19 13:49:25",
violations="Attack signature detected",support_id="18205860747014045721",
request_status="blocked",response_code="0",ip_client="10.4.1.101",
route_domain="0",method="GET",protocol="HTTP",query_string="",
x_forwarded_for_header_value="N/A",sig_ids="200021069",
sig_names="Automated client access %22wget%22",
date_time="2012-09-19 13:52:29",severity="Error",
attack_type="Non-browser Client",geo_location="N/A",
ip_address_intelligence="N/A",username="N/A",session_id="a9141b68ac7b4958",
src_port="52974",dest_port="80",dest_ip="10.4.1.200",sub_violations="",
virus_name="N/A",uri="/",request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 
(linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: 
Keep-Alive\r\n\r\n"

Fields in ASM Brute Force and Web Scraping event messages

This table lists the fields contained in event messages that might display in ASM logs. The fields are listed in alphabetical order by field name.

Field name and type	Example value	Description
act (string)	Alerted or Blocked	Action taken in response to attack
anomaly_attack_type (string)	DoS attack or Brute Force attack	Type of attack
attack_id (integer)	12345678	Unique identifier of an attack
attack_status (string)	Started, Ended, or Ongoing	Status of an attack
current_mitigation (string)	Source IP-based client-side integrity defense, URL-based client-side integrity defense, Source IP-based rate limiting, URL-based rate limiting, or Transparent	How the attack is being mitigated
date_time (string)	2012-11-07 06:53:06, or for Arcsight: Nov 07 2012 06:53:50	Current date and time in format: YYYY-MM-DD HH:MM:SS, or for ArcSight: MMM DD YYYY HH:MM:SS
detection_average (integer)	400	Historical average of TPS, latency, or failed logins
detection_mode (string)	For DoS Attacks: TPS Increased or Latency Increased; For Brute Force Attacks: Number of Failed Logins Increased	How the attack was detected
dropped_requests (integer)	10000	Number of dropped requests
dvc (IP address)	192.168.1.246	BIG-IP system management IP address
dvchost (string)	bigip-4.asm-ds.f5.com	BIG-IP system host name
geo_location (string)	USA/NY	Country/city location information
ip_list (IP addresses)	192.168.5.10:ny, ny, usa:150	Comma-delineated list of attacker IP addresses in the format: client_ip_addr:geo_location:drops_counter
management_ip_address (IP address)	192.168.1.246	BIG-IP system management IP address
operation_mode (string)	Transparent or Blocking	Current operation mode in the security policy
policy_apply_date	2012-11-07 06:53:06, or for Arcsight: Nov 07 2012 06:53:50	The date and time the policy was last applied in the format: YYYY-MM-DD HH:MM:SS, or for ArcSight: MMM DD YYYY HH:MM:SS
policy_name (string)	My policy	Name of current active policy reporting the violation
request (URL)	www.siterequest.com	Login URL attacked by Brute Force attack
rt (string)	Nov 07 2012 06:53:50	Current date and time in the format: MMM DD YYYY HH:MM:SS
severity (string)	Emergency	Severity category for attacks is always: Emergency
source_ip (IP address)	192.168.4.1:ny, ny, usa:150000	IP address from which the attack originates in the format: client_ip_addr:geo_location:drops_counter
src (IP address)	192.168.4.1	IP address from which the attack originates
unit_hostname (string)	bigip-4.asm-ds.f5.com	BIG-IP system FQDN
uri (string)	/	Login URL that was subject to a Brute Force attack
url_list (URLs)	192.168.50.1:sf, ca, usa:200	Comma-delineated list of attacked URLs in the format: client_ip_addr:geo_location:drops_counter
violation_counter (integer)	100	Number of violations
web_application_name	My PTO	Name of the web application in which the violation occurred

ASM Anomaly example events

This list contains examples of events you might find in ASM logs.

Example of ASM Anomaly log messages in the ArcSight CEF format
CEF:0 \|F5\|%s\|%s\|%s\|%s\|%d\| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status request=%s src=%s cs6=%s cs6Label=geo_location cs5=%s cs5Label=detection_mode rt=%s cn1=%d cn1Label=detection_average cn2=%llu cn2Label=dropped_requests
CEF:0 \|F5\|%s\|%s\|%s\|%s\|%d\| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status src=%s cs6=%s cs6Label=geo_location cn2=%llu cn2Label=dropped_requests rt=%s
CEF:0 \|F5\|%s\|%s\|%s\|%s\|%d\| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status src=%s cs6=%s cs6Label=geo_location rt=%s cn2=%llu cn2Label=dropped_requests cn4=%u cn4Label=violation_counter

Example of ASM Anomaly log messages in the Reporting Server format
unit_hostname="%s",management_ip_address="%s",web_application_name="%s", policy_name="%s",policy_apply_date="%s",anomaly_attack_type="%s",uri="%s", attack_id="%llu",attack_status="%s",operation_mode="%s", detection_mode="%s", detection_average="%ld",current_mitigation="%s",ip_list="%s",url_list="%s", date_time="%s",severity="%s"
unit_hostname="%s",management_ip_address="%s",web_application_name="%s", policy_name="%s",policy_apply_date="%s", anomaly_attack_type="%s", attack_id="%llu",attack_status="%s",operation_mode="%s", source_ip="%s:%s:%llu",date_time="%s",severity="%s"

Example of ASM Anomaly log message in the Web Scraping format
unit_hostname="%s",management_ip_address="%s",web_application_name="%s", policy_name="%s" policy_apply_date="%s",anomaly_attack_type="%s", attack_id="%llu",attack_status="%s",operation_mode="%s", source_ip="%s:%s:%llu:%u",date_time="%s",severity="%s"

Fields in AFM event messages

This table lists the fields that are contained in event messages that might display in AFM logs. The fields are listed in alphabetical order by field name.

Field name and type	Example value	Description
acl_rule_name (string)	Non-browser client	Name of ACL rule
action (string)	Accept, Accept decisively, Drop, Reject, Established, Closed	Action performed
hostname (string)	FQDN	BIG-IP system FQDN
bigip_mgmt_ip (IP address)	192.168.1.246	BIG-IP system management IP address
context_name (string)	/Common/topaz3-web3	Name of the object to which the rule applies
context_type (string)	Global, Route Domain, Virtual Server, Self IP address, or Management port	Category of the object to which the rule applies
date_time (string)	01 11 2012 13:11:10	Date and time the event occurred in this format: MMM DD YYYY HH:MM:SS
dest_ip (IP address)	192.168.3.1	Destination IP address
dest_port (integer)	80	Protocol port number
device_product (string)	Advanced Firewall Module	Name of BIG-IP system generating the event message
device_vendor (string)	F5	F5 static keyword
device_version (string)	11.3.0.2012.0	BIG-IP system software version in the format version.point_release.0.yyyy.0
drop_reason (string)	(empty), <name of error>, Policy	Reason action performed.
errdefs_msgno (integer)	23003137	Event number
errdefs_msg_name (string)	Network event	Event name
ip_protocol (string)	TCP, UDP, ICMP	Name of protocol
severity (integer)	8	Level of the event by number
partition_name (string)	Common	Name of the partition or folder in which the object resides
route_domain (integer)	1	Route domain number (non-negative)
src_ip (IP address)	192.168.3.1	Source IP address
src_port (integer)	80	Protocol port number (non-negative)
vlan (string)	External	VLAN interface name

AFM example events

This list contains examples of events you might find in AFM logs.

Examples of AFM log messages in the ArcSight CEF format
CEF:0\|F5\|Advanced Firewall Module\|11.3.0.2095.0\|23003137\|Network Event\|8\|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=39321 dst=10.3.1.200 dpt=443 proto=TCP cs1=/Common/topaz3-all3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Accept c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5=allow_https cs5Label=acl_rule_name
CEF:0\|F5\|Advanced Firewall Module\|11.3.0.2095.0\|23003137\|Network Event\|8\|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=52799 dst=10.3.1.200 dpt=80 proto=TCP cs1=/Common/topaz3-web3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Open c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5= cs5Label=acl_rule_name
CEF:0\|F5\|Advanced Firewall Module\|11.3.0.2095.0\|23003137\|Network Event\|8\|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=52799 dst=10.3.1.200 dpt=80 proto=TCP cs1=/Common/topaz3-web3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Closed c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5= cs5Label=acl_rule_name
CEF:0\|F5\|Advanced Firewall Module\|11.3.0.2790.300\|23003137\|Network Event\|8\|rt=Nov 08 2012 18:35:15 dvchost=asm176.labt.ts.example.com dvc=192.168.69.176 src= spt=20 dst= dpt=80 proto=TCP cs1= cs1Label=Global cs2=/Common/VLAN10 cs2Label=vlan act=Accept c6a2=fc55::99 c6a2Label=source_address c6a3=fc55::3 c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5=TCP cs5Label=acl_rule_name

Examples of AFM log messages in the Reporting Server format
acl_rule_name="allow_http",action="Accept",hostname="bigip-3.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.33",context_name="/Common/topaz3-web3",context_type="Virtual Server",date_time="Oct 04 2012 13:18:04",dest_ip="10.3.1.200",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="10.3.1.101",source_port="52807",vlan="/Common/external"
acl_rule_name="",action="Open",hostname="bigip-3.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.33",context_name="/Common/topaz3-all3",context_type="Virtual Server",date_time="Oct 04 2012 13:18:04",dest_ip="10.3.1.200",dest_port="443",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="10.3.1.101",source_port="39329",vlan="/Common/external"
acl_rule_name="",action="Closed",hostname="bigip-3.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.33",context_name="/Common/topaz3-all3",context_type="Virtual Server",date_time="Oct 04 2012 13:18:04",dest_ip="10.3.1.200",dest_port="443",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="10.3.1.101",source_port="39329",vlan="/Common/external"

Examples of AFM log messages in the Splunk format
acl_rule_name="TCP",action="Accept",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="",context_type="Global",date_time="Nov 08 2012 18:38:18",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10"
acl_rule_name="",action="Drop",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="/Common/vs10_TCP_IPv6",context_type="Virtual Server",date_time="Nov 08 2012 18:38:18",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",drop_reason="Bad TCP checksum",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10"

Examples of AFM log messages in the Splunk format

acl_rule_name="TCP",action="Accept",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="",context_type="Global",date_time="Nov 08 2012 18:38:18",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10"

acl_rule_name="",action="Drop",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="/Common/vs10_TCP_IPv6",context_type="Virtual Server",date_time="Nov 08 2012 18:38:18",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",drop_reason="Bad TCP checksum",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10"

Example of AFM log message in the Syslog format
23003137 [F5@12276 acl_rule_name="TCP" action="Accept" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="" context_type="Global" date_time="Nov 08 2012 18:42:49" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" drop_reason="" errdefs_msgno="23003137" errdefs_msg_name="Network Event" ip_protocol="TCP" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "192.168.69.176","asm176.labt.ts.example.com","Global","","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","TCP","Accept",""
23003137 [F5@12276 acl_rule_name="" action="Drop" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="/Common/vs10_TCP_IPv6" context_type="Virtual Server" date_time="Nov 08 2012 18:42:49" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" drop_reason="Bad TCP checksum" errdefs_msgno="23003137" errdefs_msg_name="Network Event" ip_protocol="TCP" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "192.168.69.176","asm176.labt.ts.example.com","Virtual Server","/Common/vs10_TCP_IPv6","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","","Drop","Bad TCP checksum"

Example of AFM log message in the Syslog format

23003137 [F5@12276 acl_rule_name="TCP" action="Accept" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="" context_type="Global" date_time="Nov 08 2012 18:42:49" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" drop_reason="" errdefs_msgno="23003137" errdefs_msg_name="Network Event" ip_protocol="TCP" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "192.168.69.176","asm176.labt.ts.example.com","Global","","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","TCP","Accept",""

23003137 [F5@12276 acl_rule_name="" action="Drop" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="/Common/vs10_TCP_IPv6" context_type="Virtual Server" date_time="Nov 08 2012 18:42:49" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" drop_reason="Bad TCP checksum" errdefs_msgno="23003137" errdefs_msg_name="Network Event" ip_protocol="TCP" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "192.168.69.176","asm176.labt.ts.example.com","Virtual Server","/Common/vs10_TCP_IPv6","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","","Drop","Bad TCP checksum"

Example of AFM log message in the Syslog BSD format
23003137 "192.168.69.176","asm176.labt.ts.example.com","Global","","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","TCP","Accept",""
23003137 "192.168.69.176","asm176.labt.ts.example.com","Virtual Server","/Common/vs10_TCP_IPv6","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","","Drop","Bad TCP checksum"

Example of AFM log message in the Syslog Legacy F5 format
Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 allow_dns-tcp,Accept,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server,Oct 04 2012 11:20:15,10.3.1.200,2607,,192.168.73.33,TCP,0,10.3.1.101,47910,/Common/external
Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 ,Open,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server,Oct 04 2012 11:20:15,10.3.1.200,1666,,192.168.73.33,TCP,0,10.3.1.101,36388,/Common/external
Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 ,Closed,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server,Oct 04 2012 11:20:15,10.3.1.200,1666,,192.168.73.33,TCP,0,10.3.1.101,36388,/Common/external

Fields in Network DoS Protection event messages

This table lists the fields that are contained in event messages that might display in the DoS Protection logs. The fields are listed in alphabetical order by field name.

Field name and type	Example value	Description
action (string)	Allow, Drop, None	Action performed or reported
hostname (string)	FQDN	BIG-IP system FQDN
bigip_mgmt_ip (IP address)	192.168.1.246	BIG-IP system management IP address
date_time (string)	01 11 2012 13:11:10	Date and time the event occurred in this format: MMM DD YYYY HH:MM:SS
dest_ip (IP address)	192.168.3.1	Destination IP address
dest_port (integer)	80	Protocol port number (non-negative)
device_product (string)	Advanced Firewall Module	Name of BIG-IP system generating the event message
device_vendor (string)	F5	F5 static keyword
device_version (string)	11.3.0.2012.0	BIG-IP system software version in the format mm.dd.0.yyyy.0
dos_attack_event (string)	Attack started, Attack Sampled, Attack Stopped	Attack instances start and stop events
dos_attack_id (string)	2760296639	Unique, non-negative, attack ID
dos_attack_name (string)	ICMP Flood, Bad TCP checksum	Network DoS event
errdefs_msgno (integer)	23003138	Static number
errdefs_msg_name (string)	Network DoS event	Static keyword
severity (integer)	8	Event severity value (non-negative integer)
partition_name (string)	Common	Name of the partition in which the virtual server resides
route_domain (integer)	1	Route domain number (non-negative)
src_ip (IP address)	192.168.3.1	Source IP address
src_port (integer)	80	Protocol port number (non-negative)
vlan (string)	External	Name of the VLAN interface

Device DoS attack types

The following tables, organized by DoS category, list device DoS attacks, and provide a short description and relevant information. You can adjust the thresholds in device protection by clicking the attack types and adjusting the properties.

Network attack types

Vector	Information	Hardware accelerated
ARP Flood	ARP packet flood	Yes
Bad ICMP Checksum	An ICMP frame checksum is bad. Reuse the TCP or UDP checksum bits in the packet.	Yes
Bad ICMP Frame	The ICMP frame is either the wrong size or not one of the valid IPv4 or IPv6 types. Valid IPv4 types: 0 Echo Reply 3 Destination Unreachable 4 Source Quench 5 Redirect 8 Echo 11 Time Exceeded 12 Parameter Problem 13 Timestamp 14 Timestamp Reply 15 Information Request 16 Information Reply 17 Address Mask Request 18 Address Mask Reply Valid IPv6 types: 1 Destination Unreachable 2 Packet Too Big 3 Time Exceeded 4 Parameter Problem 128 Echo Request 129 Echo Reply 130 Membership Query 131 Membership Report 132 Membership Reduction	Yes
Bad IGMP Frame	IPv4 IGMP packets should have a header >= 8 bytes. Bits 7:0 should be either 0x11, 0x12, 0x16, 0x22 or 0x17, or else the header is bad. Bits 15:8 should be non-zero only if bits 7:0 are 0x11, or else the header is bad.	Yes
Bad IP TTL Value	Time-to-live equals zero for an IPv4 address.	Yes
Bad IP Version	The IPv4 address version in the IP header is not 4.	Yes
Bad IPv6 Addr	IPv6 source IP = 0xff00::	Yes
Bad IPV6 Hop Count	Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are bad.	Yes
Bad IPV6 Version	The IPv6 address version in the IP header is not 6.	Yes
Bad SCTP Checksum	Bad SCTP packet checksum.	No
Bad Source	The IPv4 source IP = 255.255.255.255 or 0xe0000000U .	Yes
Bad TCP Checksum	The TCP checksum does not match.	Yes
Bad TCP Flags (All Cleared)	Bad TCP flags (all cleared and SEQ#=0).	Yes
Bad TCP Flags (All Flags Set)	Bad TCP flags (all flags set).	Yes
Bad UDP Checksum	The UDP checksum is not correct.	Yes
Bad UDP Header (UDP Length > IP Length or L2 Length)	UDP length is greater than IP length or Layer 2 length.	Yes
Ethernet MAC Source Address == Destination Address	Ethernet MAC source address equals the destination address.	Yes
FIN Only Set	Bad TCP flags (only FIN is set).	Yes
Header Length > L2 Length	No room in Layer 2 packet for IP header (including options) for IPv4 address	Yes
Header Length Too Short	IPv4 header length is less than 20 bytes.	Yes
Host Unreachable	Host unreachable error	Yes
ICMP Fragment	ICMP fragment flood	Yes
ICMP Frame Too Large	The ICMP frame exceeds the declared IP data length or the maximum datagram length. To tune this value, in tmsh : modify sys db dos.maxicmpframesize value , where value is <= 65515 .	Yes
ICMPv4 Flood	Flood with ICMPv4 packets	Yes
ICMPv6 Flood	Flood with ICMPv6 packets	Yes
IGMP Flood	Flood with IGMP packets (IPv4 packets with IP protocol number 2)	Yes
IGMP Fragment Flood	Fragmented packet flood with IGMP protocol	Yes
IP Error Checksum	The header checksum is not correct.	Yes
IP Fragment Error	Other IPv4 fragment error	Yes
IP Fragment Flood	Fragmented packet flood with IPv4	Yes
IP Fragment Overlap	IPv4 overlapping fragment error	No
IP Fragment Too Small	IPv4 short fragment error	Yes
IP Length > L2 Length	The total length in the IPv4 address header or payload length in the IPv6 address header is greater than the Layer 3 length in a Layer 2 packet.	Yes
IP Option Frames	IPv4 address packets that are part of an IP option frame flood. On the command line, option.db variable tm.acceptipsourceroute must be enabled to receive IP options.	Yes
IP Option Illegal Length	Option present with illegal length.	No
IP uncommon proto	Sets thresholds for and tracks packets containing IP protocols considered to be uncommon. By default, all IP protocols other than TCP, UDP, ICMP, IPV6-ICMP, and SCTP are on the IP uncommon protocol list.	Yes
IP Unknown protocol	Unknown IP protocol	No
IPv4 mapped IPv6	The IPv6 stack is receiving IPv4 address packets.	Yes
IPV6 Atomic Fragment	IPv6 Frag header present with M=0 and FragOffset =0.	Yes
IPv6 duplicate extension headers	An extension header should occur only once in an IPv6 packet, except for the Destination Options extension header.	Yes
IPv6 Extended Header Frames	IPv6 address contains extended header frames.	Yes
IPv6 extended headers wrong order	Extension headers in the IPv6 header are in the wrong order.	Yes
IPv6 extension header too large	An extension header is too large. To tune this value, in tmsh : modify sys db dos.maxipv6extsize value , where value is 0-1024 .	Yes
IPv6 Fragment Error	Other IPv6 fragment error	Yes
IPv6 Fragment Flood	Fragmented packet flood with IPv6	Yes
IPv6 Fragment Overlap	IPv6 overlapping fragment error	No
IPv6 Fragment Too Small	IPv6 short fragment error	Yes
IPv6 hop count <= <tunable>	The IPv6 extended header hop count is less than or equal to <tunable>. To tune this value, in tmsh : modify sys db dos.ipv6lowhopcnt value , where value is 1-4 .	Yes
IPv6 Length > L2 Length	IPv6 address length is greater than the Layer 2 length.	Yes
L2 Length >> IP Length	Layer 2 packet length is much greater than the payload length in an IPv4 address header, and the Layer 2 length is greater than the minimum packet size.	Yes
LAND Attack	Source IP equals destination IP address	Yes
No L4	No Layer 4 payload for IPv4 address.	Yes
No L4 (Extended Headers Go To Or Past End of Frame)	Extended headers go to the end or past the end of the L4 frame.	Yes
No Listener Match	This can occur if the listener is down as it attempts to make a connection, or if it was not started or was configured improperly. It may also be caused by a network connectivity problem.
Non TCP Connection	Sets a connection rate limit for non-TCP flows that takes into account all other connections per second.
Option Present With Illegal Length	Packets contain an option with an illegal length.	Yes
Payload Length < L2 Length	Specified IPv6 payload length is less than the L2 packet length.	Yes
Routing Header Type 0	Identifies flood packets containing type 0 routing headers, which can be used to amplify traffic to initiate a DoS attack.	Yes
Single Endpoint Flood	Flood to a single endpoint and can come from many sources. You can configure packet types to check for, and packets per second for both detection and rate limiting.	No
Single Endpoint Sweep	Sweep on a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting.	No
SYN && FIN Set	Bad TCP flags (SYN and FIN set).	Yes
TCP BADACK Flood	TCP ACK packet flood	No
TCP Flags - Bad URG	Packet contains a bad URG flag; this is likely malicious.	Yes
TCP Half Open	TCP connection whose state is out of synchronization between the two communicating hosts	Yes
TCP Header Length > L2 Length	The TCP header length exceeds the Layer 2 length.	Yes
TCP Header Length Too Short (Length < 5)	The Data Offset value in the TCP header is less than five 32-bit words.	Yes
TCP Option Overruns TCP Header	The TCP option bits overrun the TCP header.	Yes
TCP PUSH Flood	TCP PUSH flood	Yes
TCP RST Flood	TCP RST flood	Yes
TCP SYN ACK Flood	TCP SYN/ACK flood	Yes
TCP SYN Flood	TCP SYN flood	Yes
TCP SYN Oversize	Detects TCP data SYN packets larger than the maximum specified by the dos.maxsynsize parameter. To tune this value in tmsh: modify sys db dos.maxsynsize value . The default size in bytes is 64 and the maximum allowable value is 9216 .	Yes
TCP Window Size	The TCP window size in packets is above the maximum size. To tune this value in tmsh: modify sys db dos.tcplowwindowsize value where `value` is <= 128 .	Yes
TIDCMP	ICMP source quench attack	Yes
Too Many Extension Headers	For an IPv6 address, there are too many extended headers (the default is 4 ). To tune this value in tmsh : modify sys db dos.maxipv6exthdrs value , where value is 0-15 .	Yes
TTL <= <tunable>	An IP packet with a destination that is not multicast and that has a TTL greater than 0 and less than or equal to a tunable value, which is 1 by default. To tune this value, in tmsh : modify sys db dos.iplowttl value , where value is 1-4 .	Yes
UDP Flood	UDP flood attack	Yes
Unknown Option Type	Unknown IP option type.	No
Unknown TCP Option Type	Unknown TCP option type.	Yes

DNS attack vectors

Vector	Information	Hardware accelerated
DNS A Query	UDP packet, DNS Qtype is A_QRY, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094 .	Yes
DNS AAAA Query	UDP packet, DNS Qtype is AAAA, VLAN is <tunable>. To tune this value, in tmsh : modify sys db dos.dnsvlan value , where value is 0-4094 .. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094 .	Yes
DNS AXFR Query	UDP packet, DNS Qtype is AXFR, VLAN is <tunable>. To tune this value, in tmsh : modify sys db dos.dnsvlan value , where value is 0-4094 .	Yes
DNS Any Query	UDP packet, DNS Qtype is ANY_QRY, VLAN is <tunable>. To tune this value, in tmsh : modify sys db dos.dnsvlan value , where value is 0-4094 .	Yes
DNS CNAME Query	UDP DNS query, DNS Qtype is CNAME, VLAN is <tunable>. To tune this value, in tmsh : modify sys db dos.dnsvlan value , where value is 0-4094 .	Yes
DNS IXFR Query	UDP DNS query, DNS Qtype is IXFR, VLAN is <tunable>. To tune this value, in tmsh : modify sys db dos.dnsvlan value , where value is 0-4094 .	Yes
DNS MX Query	UDP DNS query, DNS Qtype is MX, VLAN is <tunable>. To tune this value, in tmsh : modify sys db dos.dnsvlan value , where value is 0-4094 .	Yes
DNS Malformed	Malformed DNS packet	Yes
DNS NS Query	UDP DNS query, DNS Qtype is NS, VLAN is <tunable>. To tune this value, in tmsh : modify sys db dos.dnsvlan value , where value is 0-4094 .	Yes
DNS NXDOMAIN Query	DNS query. Queried domain name does not exist.	Yes
DNS OTHER Query	UDP DNS query, DNS Qtype is OTHER, VLAN is <tunable>. To tune this value, in tmsh : modify sys db dos.dnsvlan value , where value is 0-4094 .	Yes
DNS Oversize	Detects oversized DNS headers. To tune this value, in tmsh : modify sys db dos.maxdnssize value , where value is 256-8192 .	Yes
DNS PTR Query	UDP DNS query, DNS Qtype is PTR, VLAN is <tunable>. To tune this value, in tmsh : modify sys db dos.dnsvlan value , where value is 0-4094 .	Yes
DNS Question Items != 1	DNS Query, DNS Qtype is ANY_QRY, the DNS query has more than one question.	Yes
DNS Response Flood	UDP DNS Port= 53 , packet and DNS header flags bit 15 is 1 (response), VLAN is <tunable>. To tune this value, in tmsh : modify sys db dos.dnsvlan value , where value is 0-4094 .	Yes
DNS SOA Query	UDP packet, DNS Qtype is SOA_QRY, VLAN is <tunable>. To tune this value, in tmsh : modify sys db dos.dnsvlan value , where value is 0-4094 .	Yes
DNS SRV Query	UDP packet, DNS Qtype is SRV, VLAN is <tunable>. To tune this value, in tmsh : modify sys db dos.dnsvlan value , where value is 0-4094 .	Yes
DNS TXT Query	UDP packet, DNS Qtype is TXT, VLAN is <tunable>. To tune this value, in tmsh : modify sys db dos.dnsvlan value , where value is 0-4094 .	Yes

SIP attack vectors

Vector	Information	Hardware accelerated
SIP ACK Method	SIP ACK packets	Yes
SIP BYE Method	SIP BYE packets	Yes
SIP CANCEL Method	SIP CANCEL packets	Yes
SIP INVITE Method	SIP INVITE packets	Yes
SIP Malformed	Malformed SIP packets	Yes
SIP MESSAGE Method	SIP MESSAGE packets	Yes
SIP NOTIFY Method	SIP NOTIFY packets	Yes
SIP OPTIONS Method	SIP NOTIFY packets	Yes
SIP OTHER Method	Other SIP method packets	Yes
SIP PRACK Method	SIP PRACK packets	Yes
SIP PUBLISH Method	SIP PUBLISH packets	Yes
SIP REGISTER Method	SIP REGISTER packets	Yes
SIP SUBSCRIBE Method	SIP SUBSCRIBE packets	Yes
SIP URI Limit	The SIP URI exceeds the limit.	Yes

Network DoS Protection example events

This list contains examples of events you might find in Network (layer 2 - 4) DoS Protection logs.

Example of Network DOS Protection log message in the ArcSight format
CEF:0\|F5\|Advanced Firewall Module\|11.3.0.2790.300\|Bad TCP checksum\|Drop\|8\|dvchost=asm176.labt.ts.example.com dvc=192.168.69.176 rt=Nov 08 2012 17:58:02 act=Drop cn1=3083822789 cn1Label=attack_id cs1=Attack Sampled cs1Label=attack_status src= spt=20 dst= dpt=80 cs2=/Common/VLAN10 cs2Label=vlan cs3= cs3Label=virtual_name cn4=0 cn4Label=route_domain c6a2=fc55::99 c6a2Label=source_address c6a3=fc55::3 c6a3Label=destination_address

Example of Network DOS Protection log message in the ArcSight format

CEF:0|F5|Advanced Firewall Module|11.3.0.2790.300|Bad TCP checksum|Drop|8|dvchost=asm176.labt.ts.example.com dvc=192.168.69.176 rt=Nov 08 2012 17:58:02 act=Drop cn1=3083822789 cn1Label=attack_id cs1=Attack Sampled cs1Label=attack_status src= spt=20 dst= dpt=80 cs2=/Common/VLAN10 cs2Label=vlan cs3= cs3Label=virtual_name cn4=0 cn4Label=route_domain c6a2=fc55::99 c6a2Label=source_address c6a3=fc55::3 c6a3Label=destination_address

Example of Network DoS Protection log message in the Remote Syslog format
"Nov 06 2012 02:17:27","192.168.69.245","asm245.labt.ts.example.com","","10.10.10.2","10.10.10.200","20","80","0","/Common/vlan1","Bad TCP checksum","3044184075","Attack Sampled","Drop"

Examples of Network DoS Protection log messages in Reporting Server format
Oct 30 13:59:38 192.168.57.163 action="None",hostname="bigip-7.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.18",date_time="Sep 20 2012 15:30:43",dest_ip="",dest_port="",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.1910.0",dos_attack_event="Attack Started",dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="",source_ip="",source_port="",vlan=""
Oct 30 13:59:38 192.168.57.163 action="Drop",hostname="bigip-7.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.18",date_time="Sep 20 2012 15:30:44",dest_ip="",dest_port="",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.1910.0",dos_attack_event="Attack Sampled",dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="",source_ip="",source_port="",vlan="/Common/external"

Examples of Network DoS Protection log messages in Reporting Server format

Oct 30 13:59:38 192.168.57.163 action="None",hostname="bigip-7.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.18",date_time="Sep 20 2012 15:30:43",dest_ip="",dest_port="",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.1910.0",dos_attack_event="Attack Started",dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="",source_ip="",source_port="",vlan=""

Oct 30 13:59:38 192.168.57.163 action="Drop",hostname="bigip-7.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.18",date_time="Sep 20 2012 15:30:44",dest_ip="",dest_port="",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.1910.0",dos_attack_event="Attack Sampled",dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="",source_ip="",source_port="",vlan="/Common/external"

Example of Network DoS Protection log message in the Splunk format
action="Blocking",hostname="bigip1",bigip_mgmt_ip="192.168.36.157",client_ip_geo_location="N/A",client_request_uri="",configuration_date_time="Nov 01 2012 04:39:57",context_name="/Common/vs_159",context_type="Virtual Server",date_time="Nov 01 2012 05:01:40",device_product="ASM",device_vendor="F5",device_version="11.3.0",dos_attack_detection_mode="TPS Increased",dos_attack_event="Attack ongoing",dos_attack_id="3131200721",dos_attack_name="DOS L7 attack",dos_attack_tps="0 tps",dos_dropped_requests_count="487",dos_mitigation_action="Source IP-Based Rate Limiting",errdefs_msgno="23003140",errdefs_msg_name="Application DoS Event",severity="7",partition_name="Common",profile_name="/Common/dos_orna",source_ip="192.168.32.22%0"
action="Blocking",hostname="bigip1",bigip_mgmt_ip="192.168.36.157",client_ip_geo_location="N/A",client_request_uri="/short.txt",configuration_date_time="Nov 01 2012 04:39:57",context_name="/Common/vs_159",context_type="Virtual Server",date_time="Nov 01 2012 05:01:40",device_product="ASM",device_vendor="F5",device_version="11.3.0",dos_attack_detection_mode="TPS Increased",dos_attack_event="Attack ongoing",dos_attack_id="3131200721",dos_attack_name="DOS L7 attack",dos_attack_tps="0 tps",dos_dropped_requests_count="487",dos_mitigation_action="Source IP-Based Rate Limiting",errdefs_msgno="23003140",errdefs_msg_name="Application DoS Event",severity="7",partition_name="Common",profile_name="/Common/dos_orna",source_ip=""
action="Drop",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="",date_time="Nov 08 2012 17:58:46",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",dos_attack_event="Attack Sampled",dos_attack_id="3083822789",dos_attack_name="Bad TCP checksum",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10"

Example of Network DoS Protection log message in the Syslog format
23003138 [F5@12276 action="Drop" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="" date_time="Nov 08 2012 18:26:02" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" dos_attack_event="Attack Sampled" dos_attack_id="1493601923" dos_attack_name="Bad TCP checksum" errdefs_msgno="23003138" errdefs_msg_name="Network DoS Event" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "Nov 08 2012 18:26:02","192.168.69.176","asm176.labt.ts.example.com","","fc55::99","fc55::3","20","80","0","/Common/VLAN10","Bad TCP checksum","1493601923","Attack Sampled","Drop"

Example of Network DoS Protection log message in the Syslog format

23003138 [F5@12276 action="Drop" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="" date_time="Nov 08 2012 18:26:02" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" dos_attack_event="Attack Sampled" dos_attack_id="1493601923" dos_attack_name="Bad TCP checksum" errdefs_msgno="23003138" errdefs_msg_name="Network DoS Event" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "Nov 08 2012 18:26:02","192.168.69.176","asm176.labt.ts.example.com","","fc55::99","fc55::3","20","80","0","/Common/VLAN10","Bad TCP checksum","1493601923","Attack Sampled","Drop"

Example of Network DoS Protection log message in the Syslog F5 format
23003138 "Nov 08 2012 18:23:14","192.168.69.176","asm176.labt.ts.example.com","","fc55::99","fc55::3","20","80","0","/Common/VLAN10","Bad TCP checksum","1493601923","Attack Sampled","Drop"

Fields in Protocol Security event messages

This table lists the fields that are contained in event messages that might display in the Protocol Security logs. The fields are listed in the order in which they appear in a message in the log.

Field name and type	Example value	Description
date_time (string)	110513:11:10	Date and time the event occurred in this format: MMM DD HH:MM:SS
hostname (string)	bigip-4.pme-ds.f5.com	BIG-IP system FQDN
PSM: (string)	PME:keword	Static value keyword
protocol (string)	FTP, SMPTP, HTTP, DNS	Protocol name
ip_client (IP address)	192.168.5.10	Client source IP address
dest_ip (IP address)	192.168.3.1	Destination IP address
vs_name (string)	Common/my_vs	Reporting virtual server name and partition
policy_name (string)	My security policy	Name of the security policy reporting the violatio
violations (string)	Active mode	Violation name
virus_name (string)	<name of virus>	Virus name
management_ip_address (IP address)	192.168.1.246	BIG-IP system management IP address
unit_hostname (string)	bigip-4.pme-ds.f5.com	BIG-IP system FQDN
request_status (string)	Blocked	Action applied to the client request
dest_port (integer)	80	Protocol port number (non-negative)
src_port (integer)	80	Protocol port number (non-negative)
route_domain (integer)	1	Route domain number (non-negative)
geo_location (string)	NY, NY, USA	City, state, country location information
violation_details (string)	port/sendport 10,3,0,33,42,88	Violation description and the values passed

Protocol Security example events

This list contains examples of events you might find in the Protocol Security logs.

Example of Protocol Security log message in the ArcSight format
Oct 5 11:49:13 bigip-3.pme-ds.f5.com PSM:CEF:0\|F5\|PSM\|11.3.0\|Active mode\|Active mode\|5\|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=port/sendport 10,3,0,33,7,223 cs3Label=violation_details msg=N/A
Oct 5 11:49:13 bigip-3.pme-ds.f5.com PSM:CEF:0\|F5\|PSM\|11.3.0\|FTP commands\|FTP commands\|5\|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=nlist/mls cs3Label=violation_details msg=N/A
Oct 5 11:49:23 bigip-3.pme-ds.f5.com PSM:CEF:0\|F5\|PSM\|11.3.0\|FTP commands\|FTP commands\|5\|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=pwd cs3Label=violation_details msg=N/A

Example of Protocol Security log message in the Remote Server format
Oct 5 11:55:18 bigip-3.pme-ds.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3", policy_name="ftp_security",violations="Active mode",virus_name="N/A", management_ip_address="192.168.73.33",unit_hostname="bigip-3.pme-ds.f5.com", request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A", violation_details="port/sendport 10,3,0,33,42,88"
Oct 5 11:55:18 bigip-3.pme-ds.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3", policy_name="ftp_security",violations="FTP commands",virus_name="N/A", management_ip_address="192.168.73.33",unit_hostname="bigip-3.pme-ds.f5.com", request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A", violation_details="list/dir/mdir"
Oct 5 11:55:23 bigip-3.pme-ds.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3", policy_name="ftp_security",violations="FTP commands",virus_name="N/A", management_ip_address="192.168.73.33",unit_hostname="bigip-3.pme-ds.f5.com", request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A", violation_details="pwd"

Example of Protocol Security log message in the Syslog format
Oct 5 11:37:14 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1355","0","N/A","port/sendport 10,3,0,33,42,22"
Oct 5 11:37:14 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1355","0","N/A","nlist/mls"
Oct 5 11:37:23 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1355","0","N/A","cwd .."

Example of Protocol Security log message in the Syslog BSD format
Oct 5 11:46:26 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1388","0","N/A","port/sendport 10,3,0,33,7,217"
Oct 5 11:46:26 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1388","0","N/A","nlist/mls"

Example of Protocol Security log message in the Syslog legacy format
Oct 5 11:43:01 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1370","0","N/A","port/sendport 10,3,0,33,7,197"
Oct 5 11:43:01 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1370","0","N/A","nlist/mls"

Fields in DNS event messages

This table lists the fields that are contained in event messages that might display in the DNS logs. The fields are listed in the order in which they appear in a message in the log.

Field name and type	Example value	Description
errdefs_msgno (integer)	23003141	Static number 23003141
date_time (string)	11 13 2012 12:12:10	Date and time the event occurred in this format: MMM DD YYYY HH:MM:SS
bigip_mgmt_ip (IP address)	192.168.1.246	BIG-IP system management IP address
hostname (string)	bigip-4.pme-ds.f5.com	BIG-IP system FQDN
context_name (string)	/Common/vs1_udp	Partition in which the virtual server resides and name of virtual server
vlan (string)	External	Name of the VLAN interface
query_type (string)	A	Type of DNS query causing the attack
dns_query_name (string)	siterequest.com	Name being queried
partition_name (string)	Common	Name of the partition in which the virtual server resides
attack_type (string)	CNAME	DNS query causing the attack
action (string)	None, Drop, Allow	Action performed or reported
src_ip (IP address)	192.168.3.1	Source IP address
dest_ip (IP address)	192.168.3.2	Destination IP address
src_port (integer)	80	Protocol port number (non-negative)
dest_port (integer)	80	Protocol port number (non-negative)
route_domain (integer)	1	Route domain number (non-negative)

DNS attack types

This table lists DNS attack types and provides a short description and classification. The attack types are listed in alphabetical order by attack name. These attacks are the DNS queries that a client can request. If the requests are received at a high rate and exceed the configured watermark they generate a DNS DoS event

Attack name (RFC number)	Description
a6 (1035)	Returns a 32-bit IPv4 IP address record
aaaa (3596)	Returns a 128-bit IPv6 address record
afsdb (1183)	Location of database servers of an AFS database record record
any (1035)	Returns all cached records of all types
atma	ATM address
axfr (1035)	Authoritative zone transfer
cert (4398)	Stores PKIX, SPKI, and PGP certificate record
cname (1035)	Alias of one name to another (canonical name record)
dname (2672)	DNAME (delegation name) creates an alias for a name and all its subnames
eid	Endpoint identifier
gpos (1712)	Geographical position (state, country)
hinfo (1035)	Host information
isdn (1183)	ISDN address
ixfr (1996)	Incrementatl zone transfer
key (2535, 2930)	Used only for SIG(0) (RFC 2931) and TKEY (RFC 2930).[5] key records
kx (2535, 2930)	Key exchange record identifies a key management agent for the associated domain-name (not associated with DNSSEC)
loc (1876)	Location record
maila (1035)	Request for mail agent resource records
mailb (1035)	Mailbox or mail list information (MINFO)
mb (1035)	Mailbox domain name
md	Mail destination
mf (1035)	Mail forwarder
mg (1035)	Mail group member
minfo (1035)	Mailbox or mail list information
mr (1035)	Mail rename domain name
mx (1035)	Mail exchange record
naptr (3403)	Naming authority pointer
nimloc (1002)	Nimrod locator
ns (1035)	Nameserver record
nsap (1706)	NSAP style A record
nsap-ptr (1348)	NSAP style domain name pointer
null (1035)	Null resource record
nxt (2535)	Next domain
opt (2671)	Pseudo DNS record type that supports EDNS
ptr (1035)	Pointer to a canonical name
px (2163)	X.400 mail mapping information
rp (1183)	Contact information for the person(s) responsible for the domain
rt (1183)	Route through
sg (2535)	Signature record
sink	DNS sinkhole
soa (1035)	Start of authority record
srv (2782)	Service locator record
tkey (2930)	Secret key record
tsig (2845)	Transaction signature that authenticates dynamic updates as coming from an approved client, or authenticates responses as coming from an approved recursive name server
txt (1035)	Text record
wks	Sender Policy Framework, DKIM, and DMARC DNS-SD
x25 (1183)	X.25 PSDN address
zxfr	Compressed zone transfer

DNS example events

This list contains examples of events you might find in the DNS logs.

Example of DNS log message in the ArcSight CEF format
Oct 12 13:35:47 10.3.0.33 CEF:0\|F5\|Advanced Firewall Module\|11.3.0.2206.0\|23003139\|DNS Event\|8\|rt=Oct 12 2012 13:29:24 dvchost=bigip-3.pme-ds.f5.com dvc=192.68.73.33 src=10.3.1.104 spt=54629 dst=10.3.1.202 dpt=53 cs1=/Common/DNS-3-udp-vs cs1Label=virtual_name cs2=/Common/external cs2Label=vlan cs3=SRV cs3Label=query_type act=Drop cs4=_ldap._tcp.dc._msdcs.siterequest.com cs4Label=query_name cs5=query opcode cs5Label=attack_type c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address

Example of DNS log message in the ArcSight CEF format

Oct 12 13:35:47 10.3.0.33 CEF:0|F5|Advanced Firewall Module|11.3.0.2206.0|23003139|DNS Event|8|rt=Oct 12 2012 13:29:24 dvchost=bigip-3.pme-ds.f5.com dvc=192.68.73.33 src=10.3.1.104 spt=54629 dst=10.3.1.202 dpt=53 cs1=/Common/DNS-3-udp-vs cs1Label=virtual_name cs2=/Common/external cs2Label=vlan cs3=SRV cs3Label=query_type act=Drop cs4=_ldap._tcp.dc._msdcs.siterequest.com cs4Label=query_name cs5=query opcode cs5Label=attack_type c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address

Example of DNS log message in the Reporting Server format
"Oct 26 2012 06:23:13","192.168.69.245","asm245.labt.ts.example.com","/Common/vs2_udp","/Common/vlan1","A","domain1.local","A","Drop","10.10.10.2","10.10.10.251","4000","53","0"

Example of DNS log message in the Syslog format
"Oct 26 2012 06:23:13","192.168.69.245","asm245.labt.ts.example.com","/Common/vs2_udp","/Common/vlan1","A","domain1.local","A","Drop","10.10.10.2","10.10.10.251","4000","53","0"

Fields in DNS DoS event messages

This table lists the fields that are contained in event messages that might display in the Network DNS DoS logs. The fields are listed in the order in which they appear in a message in the log.

Field name and type	Example value	Description
errdefs_msgno (integer)	23003141	Static number
errdefs_msg_name (string)	DNS DoS Event	Name of event
date_time (string)	11 13 2012 12:12:10	Date and time event occurred in this format: MMM DD YYYY HH:MM:SS
bigip_mgmt_ip (IP address)	192.168.1.246	BIG-IP system management IP address
hostname (string)	bigip-4.pme-ds.f5.com	BIG-IP system FQDN
context_name (string)	/Common/vs1_udp	Partition in which the virtual server resides and name of virtual server
vlan (string)	External	Name of VLAN interface
dns_query_type (string)	A	Type of DNS query causing the attack
dns_query_name (string)	f5.com	Name being queried
src_ip (IP address)	192.168.3.1	Source IP address
dest_ip (IP address)	192.168.3.1	Destination IP address
src_port (integer)	80	Protocol port number (non-negative)
dest_port (integer)	80	Protocol port number (non-negative)
partition_name (string)	Common	Name of the partition in which the virtual server resides
dos_attack_name (string)	A query DOS	Name of attack
dos_attack_id (integer)	1005891899	Unique, non-negative, attack instance ID
dos_attack_event (string)	Attack Sampled	Status of attack
action (string)	None, Drop, Allow	Action performed or reported

DNS DoS attack types

This table lists DNS DoS attack types and provides a short description and classification. The attack types are listed in alphabetical order by attack name.

Attack name (RFC)	Description	Value description
A query DOS (RFC 1035)	Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host, but also used for DNSBLs, storing subnet masks in RFC 1101.	Address record
PTR query DOS (RFC 1035)	Pointer to a canonical name. Unlike a CNAME, DNS processing does not proceed, and only the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as DNS-SD.	Pointer record
NS query DOS (1035)	Delegates a DNS zone to use the given authoritative name servers.	Name service record
SOA query DOS (1035)	Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone.	Start of authority record
CNAME query DOS (1035)	Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name.	Canonical name record
MX query DOS (1035)	Maps a domain name to a list of message transfer agents for that domain.	Mail exchange record
AAAA query DOS (3596)	Returns a 128-bit IPv6 address, most commonly used to map hostnames to an IP address of the host.	IPv6 address record
TXT query DOS (1035)	Originally for arbitrary human-readable text in a DNS record, however, this record often carries machine-readable data, such as specified by RFC 1464, opportunistic encryption, Sender Policy Framework, DKIM, and DMARC DNS-SD.	Text record
SRV query DOS (2782)	Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX.	Service locator
AXFR query DOS (1035)	Request for a transfer of an entire zone.	Request
IXFR query DOS (1995)	Incremental transfer of records in the zone.	Request
ANY query DOS (1035)	Request for all records.	Request
Malformed DOS	Generated by a DNS packet in which one of the fields, for example, opcode, query_type or query_name, contains invalid information.
Malicious DOS	Generated by malicious packets, that is, malformed DNS packets with references that are invalid.
Other Query DOS	Queries, not listed in this table, which are being used to attack nameservers.

DNS DoS example events

This list contains examples of events you might find in the DNS DoS attack logs.

Example of DNS DoS attack log message in the Syslog format
"Oct 30 2012 10:57:09","192.168.56.179","Surya_BIG_IP_VM1.example.com","/Common/vs_192_168_57_177_53_gtm","/Common/external","A","surya.example.com","192.168.56.171","192.168.57.177","43835","53","0","A query DOS","1005891899","Attack Sampled","Allow"

BIG-IP system process example events

This list contains examples of events you might find in BIG-IP system logs. Please be aware that system log messages might be truncated, because the UDP protocol cannot send large messages. Note that using the TCP protocol impacts performance.

Example Syslog log entry for the system audit log

This log entry provides confirmation of a successful configuration save.

1 2012-11-01T18:07:13Z bigip-3.pme-ds.f5.com tmsh 29639 01420002:5: 
[F5@12276 hostname="bigip-3.pme-ds.f5.com" errdefs_msgno="01420002:5:"] 
AUDIT - pid=29639 user=root folder=/Common module=(tmos)# 
status=[Command OK] cmd_data=save / sys config partitions all

Example Syslog log entry for the application security log

This log entry provides confirmation of the end of a DoS attack.

Nov 01 14:15:44 10.3.0.33 1 2012-11-01T18:09:38Z bigip-3.pme-ds.f5.com 
2 28965 01010253:5: [F5@12276 hostname="bigip-3.pme-ds.f5.com" 
errdefs_msgno="01010253:5:"] A DOS attack has stopped for vector Ethernet 
broadcast packet, Attack ID 188335952.

Subscriptions

Product Usage

Trials

Registration Keys

Downloads