Applies To:
BIG-IP AAM
- 12.1.1, 12.1.0
BIG-IP APM
- 12.1.1, 12.1.0
BIG-IP Link Controller
- 12.1.1, 12.1.0
BIG-IP Analytics
- 12.1.1, 12.1.0
BIG-IP LTM
- 12.1.1, 12.1.0
BIG-IP PEM
- 12.1.1, 12.1.0
BIG-IP AFM
- 12.1.1, 12.1.0
BIG-IP DNS
- 12.1.1, 12.1.0
BIG-IP ASM
- 12.1.1, 12.1.0
Event Messages and Attack Types
Fields in ASM Violations event messages
This table lists the fields contained in event messages that might display in ASM logs. The fields are listed in the order in which they appear in a message in the log.
Field name and type | Example value | Description |
---|---|---|
unit_hostname (string) | bigip-4.pme-ds.f5.com | BIG-IP system FQDN |
management_ip_address (IP address) | 192.168.1.246 | BIG-IP system management IP address |
http_class_name (string) | /Common/topaz4-web4 | HTTP policy name |
policy_name (string) | My security policy | Name of the security policy reporting the violation |
violations (string) | Attack signature detected | Violation name |
support_id (non-negative integer) | 18205860747014045721 | Internally-generated integer to assist with client access support |
request_status (string) | Blocked | Action applied to the client request |
response_code (non-negative integer) | 200 | The HTTP response code returned by the back-end server (application). This information is only relevant for requests that are not blocked. |
ip_client (IP address) | 192.168.5.10 | Client source IP address |
route_domain (non-negative integer) | 0 (zero) | Route domain number |
method (string) | GET | HTTP method requested by client |
protocol (string) | HTTP, HTTPS | Protocol name |
query_string (string) | key1=val1&key2=val2 | Query sent by client; query appears in the first line of the HTTP request after the path and the question mark (?) |
x_forwarded_for_header_value (string) | 192.168.5.10 | Value of the XFF HTTP header |
sig_ids (positive non-zero integer) | 200021069 | Signature ID number |
sig_names (string) | Automated client access %22wget%22 | Signature name |
date_time (string) | 2012-09-19 13:52:29 | Date and time in the format: YYYY-MM-DD HH:MM:SS |
severity (string) | Error | Severity category to which the event belongs |
attack_type (string) | Non-browser client | Name of identified attack |
geo_location (string) | USA/NY | Country/city location information |
ip_address_intelligence (string) | Botnets, Scanners | List of IP intelligence categories found for an IP address |
username (string) | Admin | User name for client session |
session_id (hexadecimal number) | a9141b68ac7b4958 | TCP session ID |
src_port (non-negative integer) | 52974 | Client protocol source port |
dest_port (non-negative integer) | 80 | Requested service listening port number |
dest_ip (IP address) | 192.168.5.11 | Requested service IP address |
sub_violations (string) | Bad HTTP version, Null in request | Comma-separated list of sub-violation strings |
virus_name (string) | Melissa | Virus name |
uri (string) | / | URI requested by client |
request (string) | GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n | Request string sent by client |
headers | Host: myhost.com; Connection: close | Found in request logs |
response | HTTP/1.1 200 OK Content-type: text/html Content-Length: 7 <html/> | HTTP response from server when response logging is configured |
violation_details (string) | <?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name> <http_sanity_checks_status>65536</http_sanity_checks_status><http_sub_violation_status>65536</http_sub_violation_status><http_sub_violation>SFRUUCB2ZXJzaW9uIG5vdCBmb3VuZA==</http_sub_violation></violation></request-violations></BAD_MSG> | Extended information about a violation on a transaction |
ASM Violations example events
This list contains examples of events you might find in ASM logs.
Examples of ASM log messages in the ArcSight CEF format
<134>Sep 19 13:35:00 bigip-4.pme-ds.f5.com ASM:CEF:0|F5|ASM|11.3.0|Successful Request|Successful Request|2| dvchost=bigip-4.pme-ds.f5.com dvc=172.16.73.34 cs1=topaz4-web4 cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name deviceCustomDate1=Sep 19 2012 11:38:36 deviceCustomDate1Label=policy_apply_date externalId=18205860747014045699 act=passed cn1=200 cn1Label=response_code src=10.4.1.101 spt=52963 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP cs5=N/A cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:35:00 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A suid=2e769a9e1ea8b777 suser=N/A request=/ cs3Label=full_request cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n
<131>Sep 19 13:53:34 bigip-4.pme-ds.f5.com ASM:CEF:0|F5|ASM|11.3.0|200021069|Automated client access "wget"|5|dvchost=bigip-4.pme-ds.f5.com dvc=172.16.73.34 cs1=topaz4-web4 cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name deviceCustomDate1=Sep 19 2012 13:49:25 deviceCustomDate1Label=policy_apply_date externalId=18205860747014045723 act=blocked cn1=0 cn1Label=response_code src=10.4.1.101 spt=52975 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP cs5=N/A cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:53:33 deviceExternalId=0 cs4=Non-browser Client cs4Label=attack_type cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A suid=86c4f8bf7349cac9 suser=N/A request=/ cs3Label=full_request cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n
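The following parser is an added example, not F5 code, showing how the CEF messages above can be split into the seven header fields and an extension in which each `csN`/`cnN` value is renamed by its `...Label` companion. The sample line is abridged from the blocked-request message above with a constructed `Cookie` header added; treating the value labelled `full_request` as running to the end of the line is an assumption based on the examples on this page.

```python
import re

# The seven pipe-delimited CEF header fields that follow "CEF:".
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# An extension key begins at the start of the extension or after whitespace,
# so values containing spaces (dates, attack names) stay in one piece.
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z][A-Za-z0-9_]*)=")


def parse_cef(line):
    """Parse one ASM/AFM CEF log line into header fields plus an extension dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("incomplete CEF header")
    event = dict(zip(HEADER_FIELDS, (p.strip() for p in parts[:7])))
    ext = parts[7].strip()

    raw = {}
    keys = list(_KEY.finditer(ext))
    for i, m in enumerate(keys):
        key = m.group(1)
        # Assumption: the raw HTTP request is the last value in the line.
        # Taking the rest of the line keeps client-supplied text such as
        # "Cookie: sid=abc" from being read as further key=value pairs.
        if raw.get(key + "Label") == "full_request":
            raw[key] = ext[m.end():]
            break
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw[key] = ext[m.end():end].strip()

    # Rename cs1, cn1, c6a1, ... to the name carried in the matching *Label key.
    fields = {}
    for key, value in raw.items():
        if key.endswith("Label"):
            continue
        fields[raw.get(key + "Label", key)] = value.replace("\\=", "=")
    event["extension"] = fields
    return event


# Abridged from the page's blocked-request example; the Cookie header is constructed.
SAMPLE = (
    r'<131>Sep 19 13:53:34 bigip-4.pme-ds.f5.com ASM:CEF:0|F5|ASM|11.3.0|200021069|'
    r'Automated client access "wget"|5|dvchost=bigip-4.pme-ds.f5.com dvc=172.16.73.34 '
    r'cs1=topaz4-web4 cs1Label=policy_name externalId=18205860747014045723 act=blocked '
    r'cn1=0 cn1Label=response_code src=10.4.1.101 spt=52975 dst=10.4.1.200 dpt=80 '
    r'rt=Sep 19 2012 13:53:33 cs4=Non-browser Client cs4Label=attack_type '
    r'c6a1= c6a1Label=device_address request=/ cs3Label=full_request '
    r'cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nCookie: sid=abc\r\n\r\n'
)

if __name__ == "__main__":
    parsed = parse_cef(SAMPLE)
    print(parsed["signature_id"], parsed["name"], parsed["extension"]["act"])
```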
Example of ASM log message in the Remote Server format
<134>Sep 19 13:42:41 bigip-4.pme-ds.f5.com ASM:"", "2012-09-19 13:42:40","10.4.1.200","80","N/A","/Common/topaz4-web4" "N/A","10.4.1.101","10.4.1.101%0","172.16.73.34","GET", "2012-09-19 11:38:36","topaz4-web4","HTTP","", "GET / HTTP/1.0\r\nUser-Agent: Wget/1.12(linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n","passed", "Response logging disabled","200","0","7514e0ee8f0eb493","Informational", "","","52965","","18205860747014045703","bigip-4.pme-ds.f5.com","/","N/A", "<?xml version='1.0' encoding='UTF-8'?><BAD_MSG> <request-violations><violation><viol_index>42</viol_index> <viol_name>VIOL_ATTACK_SIGNATURE</viol_name> <context>request</context><sig_data> <sig_id>200021069</sig_id><blocking_mask>4</blocking_mask> <kw_data><buffer>VXNlci1BZ2VudDogV2dldC8xLjEyIChsaW51eC1nbn ;UpDQpBY2NlcHQ6ICovKg0KSG9zdDogMTAuNC4xLjIwMA0KQ29 ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KDQo=</buffer> <offset>0</offset><length>16</length></kw_data> </sig_data></violation></request-violations> </BAD_MSG>","","N/A","N/A"
Example of ASM log message in the Remote Syslog format
23003140
Examples of ASM log messages in the Reporting Server format
<134>Sep 19 13:40:27 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com", management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4", policy_name="topaz4-web4",policy_apply_date="2012-09-19 11:38:36", violations="",support_id="18205860747014045701",request_status="passed", response_code="200",ip_client="10.4.1.101",route_domain="0",method="GET", protocol="HTTP",query_string="",x_forwarded_for_header_value="N/A", sig_ids="",sig_names="",date_time="2012-09-19 13:40:26", severity="Informational",attack_type="",geo_location="N/A", ip_address_intelligence="N/A",username="N/A", session_id="98630496c8413322",src_port="52964",dest_port="80", dest_ip="10.4.1.200",sub_violations="",virus_name="N/A",uri="/", request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n"
<131>Sep 19 13:52:30 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com", management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4", policy_name="topaz4-web4",policy_apply_date="2012-09-19 13:49:25", violations="Attack signature detected",support_id="18205860747014045721", request_status="blocked",response_code="0",ip_client="10.4.1.101", route_domain="0",method="GET",protocol="HTTP",query_string="", x_forwarded_for_header_value="N/A",sig_ids="200021069", sig_names="Automated client access %22wget%22", date_time="2012-09-19 13:52:29",severity="Error", attack_type="Non-browser Client",geo_location="N/A", ip_address_intelligence="N/A",username="N/A",session_id="a9141b68ac7b4958", src_port="52974",dest_port="80",dest_ip="10.4.1.200",sub_violations="", virus_name="N/A",uri="/",request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n"
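As an added example (not F5 code), the parser below reads the `key="value"` pairs of a Reporting Server message, URL-decodes `sig_names`, and base64-decodes the embedded elements of `violation_details`. The sample line is constructed from the blocked-request message above and the `violation_details` value in the field table; recording repeated keys and rejecting a DTD are defensive choices of this example, not behaviour documented on this page.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# A value ends at a quote that is followed by the next key="..." pair or end of line.
_PAIR = re.compile(r'(\w+)="(.*?)"(?=[,\s]+\w+="|\s*$)', re.S)
# Elements of violation_details whose text is base64 in the page's examples.
_B64_TAGS = {"http_sub_violation", "buffer"}


def parse_pairs(line):
    """Return (fields, repeated_keys) for the text after the syslog 'ASM:' tag."""
    body = line.split("ASM:", 1)[-1]
    fields, repeats = {}, []
    for key, value in _PAIR.findall(body):
        if key in fields:
            repeats.append(key)   # keep the first value, make the repeat visible
        else:
            fields[key] = value
    return fields, repeats


def decode_violation_details(xml_text):
    """Parse the violation_details XML and decode its base64 elements."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("violation_details contains a DTD")
    root = ET.fromstring(xml_text.encode("utf-8"))
    out = []
    for viol in root.iter("violation"):
        decoded = {}
        for node in viol.iter():
            if node.tag in _B64_TAGS and node.text:
                try:
                    data = base64.b64decode(node.text)
                    decoded[node.tag] = data.decode("utf-8", "replace")
                except ValueError:          # damaged base64: keep the raw text
                    decoded[node.tag] = node.text
        out.append({"name": viol.findtext("viol_name"),
                    "index": viol.findtext("viol_index"),
                    "decoded": decoded})
    return out


def normalize(line):
    """Turn one Reporting Server line into a dict ready for alerting or search."""
    raw, repeats = parse_pairs(line)
    event = dict(raw)
    event["sig_ids"] = [s.strip() for s in raw.get("sig_ids", "").split(",") if s.strip()]
    event["sig_names"] = unquote(raw.get("sig_names", ""))
    details = raw.get("violation_details")
    event["violation_details"] = decode_violation_details(details) if details else []
    event["repeated_keys"] = repeats
    return event


# Constructed sample: fields from the blocked-request example on this page plus
# the violation_details example value from the field table.
SAMPLE_LINE = (
    r'''<131>Sep 19 13:52:30 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com", '''
    r'''management_ip_address="172.16.73.34",policy_name="topaz4-web4",'''
    r'''violations="Attack signature detected",support_id="18205860747014045721", '''
    r'''request_status="blocked",sig_ids="200021069", '''
    r'''sig_names="Automated client access %22wget%22",severity="Error",sub_violations="",'''
    r'''uri="/",request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\n\r\n",'''
    r'''violation_details="<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations>'''
    r'''<violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name> '''
    r'''<http_sanity_checks_status>65536</http_sanity_checks_status>'''
    r'''<http_sub_violation_status>65536</http_sub_violation_status>'''
    r'''<http_sub_violation>SFRUUCB2ZXJzaW9uIG5vdCBmb3VuZA==</http_sub_violation>'''
    r'''</violation></request-violations></BAD_MSG>"'''
)

if __name__ == "__main__":
    ev = normalize(SAMPLE_LINE)
    print(ev["request_status"], ev["sig_names"], ev["violation_details"])
```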
Fields in ASM Brute Force and Web Scraping event messages
This table lists the fields contained in event messages that might display in ASM logs. The fields are listed in alphabetical order by field name.
Field name and type | Example value | Description |
---|---|---|
act (string) | Alerted or Blocked | Action taken in response to attack |
anomaly_attack_type (string) | DoS attack or Brute Force attack | Type of attack |
attack_id (integer) | 12345678 | Unique identifier of an attack |
attack_status (string) | Started, Ended, or Ongoing | Status of an attack |
current_mitigation (string) | Source IP-based client-side integrity defense, URL-based client-side integrity defense, Source IP-based rate limiting, URL-based rate limiting, or Transparent | How the attack is being mitigated |
date_time (string) | 2012-11-07 06:53:06, or for Arcsight: Nov 07 2012 06:53:50 | Current date and time in format: YYYY-MM-DD HH:MM:SS, or for ArcSight: MMM DD YYYY HH:MM:SS |
detection_average (integer) | 400 | Historical average of TPS, latency, or failed logins |
detection_mode (string) | For DoS Attacks: TPS Increased or Latency Increased; For Brute Force Attacks: Number of Failed Logins Increased | How the attack was detected |
dropped_requests (integer) | 10000 | Number of dropped requests |
dvc (IP address) | 192.168.1.246 | BIG-IP system management IP address |
dvchost (string) | bigip-4.asm-ds.f5.com | BIG-IP system host name |
geo_location (string) | USA/NY | Country/city location information |
ip_list (IP addresses) | 192.168.5.10:ny, ny, usa:150 | Comma-delineated list of attacker IP addresses in the format: client_ip_addr:geo_location:drops_counter |
management_ip_address (IP address) | 192.168.1.246 | BIG-IP system management IP address |
operation_mode (string) | Transparent or Blocking | Current operation mode in the security policy |
policy_apply_date | 2012-11-07 06:53:06, or for Arcsight: Nov 07 2012 06:53:50 | The date and time the policy was last applied in the format: YYYY-MM-DD HH:MM:SS, or for ArcSight: MMM DD YYYY HH:MM:SS |
policy_name (string) | My policy | Name of current active policy reporting the violation |
request (URL) | www.siterequest.com | Login URL attacked by Brute Force attack |
rt (string) | Nov 07 2012 06:53:50 | Current date and time in the format: MMM DD YYYY HH:MM:SS |
severity (string) | Emergency | Severity category for attacks is always: Emergency |
source_ip (IP address) | 192.168.4.1:ny, ny, usa:150000 | IP address from which the attack originates in the format: client_ip_addr:geo_location:drops_counter |
src (IP address) | 192.168.4.1 | IP address from which the attack originates |
unit_hostname (string) | bigip-4.asm-ds.f5.com | BIG-IP system FQDN |
uri (string) | / | Login URL that was subject to a Brute Force attack |
url_list (URLs) | 192.168.50.1:sf, ca, usa:200 | Comma-delineated list of attacked URLs in the format: client_ip_addr:geo_location:drops_counter |
violation_counter (integer) | 100 | Number of violations |
web_application_name | My PTO | Name of the web application in which the violation occurred |
ASM Anomaly example events
This list contains examples of events you might find in ASM logs.
Example of ASM Anomaly log messages in the ArcSight CEF format |
---|
CEF:0 |F5|%s|%s|%s|%s|%d| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status request=%s src=%s cs6=%s cs6Label=geo_location cs5=%s cs5Label=detection_mode rt=%s cn1=%d cn1Label=detection_average cn2=%llu cn2Label=dropped_requests |
CEF:0 |F5|%s|%s|%s|%s|%d| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status src=%s cs6=%s cs6Label=geo_location cn2=%llu cn2Label=dropped_requests rt=%s |
CEF:0 |F5|%s|%s|%s|%s|%d| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status src=%s cs6=%s cs6Label=geo_location rt=%s cn2=%llu cn2Label=dropped_requests cn4=%u cn4Label=violation_counter |
Example of ASM Anomaly log messages in the Reporting Server format |
---|
unit_hostname="%s",management_ip_address="%s",web_application_name="%s", policy_name="%s",policy_apply_date="%s",anomaly_attack_type="%s",uri="%s", attack_id="%llu",attack_status="%s",operation_mode="%s", detection_mode="%s", detection_average="%ld",current_mitigation="%s",ip_list="%s",url_list="%s", date_time="%s",severity="%s" |
unit_hostname="%s",management_ip_address="%s",web_application_name="%s", policy_name="%s",policy_apply_date="%s", anomaly_attack_type="%s", attack_id="%llu",attack_status="%s",operation_mode="%s", source_ip="%s:%s:%llu",date_time="%s",severity="%s" |
Example of ASM Anomaly log message in the Web Scraping format |
---|
unit_hostname="%s",management_ip_address="%s",web_application_name="%s", policy_name="%s" policy_apply_date="%s",anomaly_attack_type="%s", attack_id="%llu",attack_status="%s",operation_mode="%s", source_ip="%s:%s:%llu:%u",date_time="%s",severity="%s" |
Fields in AFM event messages
This table lists the fields that are contained in event messages that might display in AFM logs. The fields are listed in alphabetical order by field name.
Field name and type | Example value | Description |
---|---|---|
acl_rule_name (string) | Non-browser client | Name of ACL rule |
action (string) | Accept, Accept decisively, Drop, Reject, Established, Closed | Action performed |
hostname (string) | FQDN | BIG-IP system FQDN |
bigip_mgmt_ip (IP address) | 192.168.1.246 | BIG-IP system management IP address |
context_name (string) | /Common/topaz3-web3 | Name of the object to which the rule applies |
context_type (string) | Global, Route Domain, Virtual Server, Self IP address, or Management port | Category of the object to which the rule applies |
date_time (string) | 01 11 2012 13:11:10 | Date and time the event occurred in this format: MMM DD YYYY HH:MM:SS |
dest_ip (IP address) | 192.168.3.1 | Destination IP address |
dest_port (integer) | 80 | Protocol port number |
device_product (string) | Advanced Firewall Module | Name of BIG-IP system generating the event message |
device_vendor (string) | F5 | F5 static keyword |
device_version (string) | 11.3.0.2012.0 | BIG-IP system software version in the format version.point_release.0.yyyy.0 |
drop_reason (string) | (empty), <name of error>, Policy | Reason action performed. |
errdefs_msgno (integer) | 23003137 | Event number |
errdefs_msg_name (string) | Network event | Event name |
ip_protocol (string) | TCP, UDP, ICMP | Name of protocol |
severity (integer) | 8 | Level of the event by number |
partition_name (string) | Common | Name of the partition or folder in which the object resides |
route_domain (integer) | 1 | Route domain number (non-negative) |
src_ip (IP address) | 192.168.3.1 | Source IP address |
src_port (integer) | 80 | Protocol port number (non-negative) |
vlan (string) | External | VLAN interface name |
AFM example events
This list contains examples of events you might find in AFM logs.
Examples of AFM log messages in the ArcSight CEF format |
---|
CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=39321 dst=10.3.1.200 dpt=443 proto=TCP cs1=/Common/topaz3-all3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Accept c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5=allow_https cs5Label=acl_rule_name |
CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=52799 dst=10.3.1.200 dpt=80 proto=TCP cs1=/Common/topaz3-web3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Open c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5= cs5Label=acl_rule_name |
CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=52799 dst=10.3.1.200 dpt=80 proto=TCP cs1=/Common/topaz3-web3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Closed c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5= cs5Label=acl_rule_name |
CEF:0|F5|Advanced Firewall Module|11.3.0.2790.300|23003137|Network Event|8|rt=Nov 08 2012 18:35:15 dvchost=asm176.labt.ts.example.com dvc=192.168.69.176 src= spt=20 dst= dpt=80 proto=TCP cs1= cs1Label=Global cs2=/Common/VLAN10 cs2Label=vlan act=Accept c6a2=fc55::99 c6a2Label=source_address c6a3=fc55::3 c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5=TCP cs5Label=acl_rule_name |
Examples of AFM log messages in the Reporting Server format |
---|
acl_rule_name="allow_http",action="Accept",hostname="bigip-3.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.33",context_name="/Common/topaz3-web3",context_type="Virtual Server",date_time="Oct 04 2012 13:18:04",dest_ip="10.3.1.200",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="10.3.1.101",source_port="52807",vlan="/Common/external" |
acl_rule_name="",action="Open",hostname="bigip-3.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.33",context_name="/Common/topaz3-all3",context_type="Virtual Server",date_time="Oct 04 2012 13:18:04",dest_ip="10.3.1.200",dest_port="443",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="10.3.1.101",source_port="39329",vlan="/Common/external" |
acl_rule_name="",action="Closed",hostname="bigip-3.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.33",context_name="/Common/topaz3-all3",context_type="Virtual Server",date_time="Oct 04 2012 13:18:04",dest_ip="10.3.1.200",dest_port="443",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="10.3.1.101",source_port="39329",vlan="/Common/external" |
Examples of AFM log messages in the Splunk format |
---|
acl_rule_name="TCP",action="Accept",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="",context_type="Global",date_time="Nov 08 2012 18:38:18",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10" |
acl_rule_name="",action="Drop",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="/Common/vs10_TCP_IPv6",context_type="Virtual Server",date_time="Nov 08 2012 18:38:18",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",drop_reason="Bad TCP checksum",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10" |
Example of AFM log message in the Syslog format |
---|
23003137 [F5@12276 acl_rule_name="TCP" action="Accept" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="" context_type="Global" date_time="Nov 08 2012 18:42:49" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" drop_reason="" errdefs_msgno="23003137" errdefs_msg_name="Network Event" ip_protocol="TCP" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "192.168.69.176","asm176.labt.ts.example.com","Global","","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","TCP","Accept","" |
23003137 [F5@12276 acl_rule_name="" action="Drop" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="/Common/vs10_TCP_IPv6" context_type="Virtual Server" date_time="Nov 08 2012 18:42:49" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" drop_reason="Bad TCP checksum" errdefs_msgno="23003137" errdefs_msg_name="Network Event" ip_protocol="TCP" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "192.168.69.176","asm176.labt.ts.example.com","Virtual Server","/Common/vs10_TCP_IPv6","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","","Drop","Bad TCP checksum" |
Example of AFM log message in the Syslog BSD format |
---|
23003137 "192.168.69.176","asm176.labt.ts.example.com","Global","","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","TCP","Accept","" |
23003137 "192.168.69.176","asm176.labt.ts.example.com","Virtual Server","/Common/vs10_TCP_IPv6","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","","Drop","Bad TCP checksum" |
Example of AFM log message in the Syslog Legacy F5 format |
---|
Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 allow_dns-tcp,Accept,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server,Oct 04 2012 11:20:15,10.3.1.200,2607,,192.168.73.33,TCP,0,10.3.1.101,47910,/Common/external |
Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 ,Open,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server,Oct 04 2012 11:20:15,10.3.1.200,1666,,192.168.73.33,TCP,0,10.3.1.101,36388,/Common/external |
Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 ,Closed,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server,Oct 04 2012 11:20:15,10.3.1.200,1666,,192.168.73.33,TCP,0,10.3.1.101,36388,/Common/external |
Fields in Network DoS Protection event messages
This table lists the fields that are contained in event messages that might display in the DoS Protection logs. The fields are listed in alphabetical order by field name.
Field name and type | Example value | Description |
---|---|---|
action (string) | Allow, Drop, None | Action performed or reported |
hostname (string) | FQDN | BIG-IP system FQDN |
bigip_mgmt_ip (IP address) | 192.168.1.246 | BIG-IP system management IP address |
date_time (string) | 01 11 2012 13:11:10 | Date and time the event occurred in this format: MMM DD YYYY HH:MM:SS |
dest_ip (IP address) | 192.168.3.1 | Destination IP address |
dest_port (integer) | 80 | Protocol port number (non-negative) |
device_product (string) | Advanced Firewall Module | Name of BIG-IP system generating the event message |
device_vendor (string) | F5 | F5 static keyword |
device_version (string) | 11.3.0.2012.0 | BIG-IP system software version in the format mm.dd.0.yyyy.0 |
dos_attack_event (string) | Attack started, Attack Sampled, Attack Stopped | Attack instances start and stop events |
dos_attack_id (string) | 2760296639 | Unique, non-negative, attack ID |
dos_attack_name (string) | ICMP Flood, Bad TCP checksum | Network DoS event |
errdefs_msgno (integer) | 23003138 | Static number |
errdefs_msg_name (string) | Network DoS event | Static keyword |
severity (integer) | 8 | Event severity value (non-negative integer) |
partition_name (string) | Common | Name of the partition in which the virtual server resides |
route_domain (integer) | 1 | Route domain number (non-negative) |
src_ip (IP address) | 192.168.3.1 | Source IP address |
src_port (integer) | 80 | Protocol port number (non-negative) |
vlan (string) | External | Name of the VLAN interface |
Device DoS attack types
The following tables, organized by denial-of-service (DoS) category, list device DoS attacks, and provide a short description and relevant information.
DoS category | Attack name | DoS vector name | Information |
---|---|---|---|
Bad Header - DNS | DNS Oversize | dns-oversize | Detects oversized DNS headers. To tune this value, in tmsh: modify sys db dos.maxdnssize value <value>, where <value> is 256-8192. |
Bad Header - ICMP | Bad ICMP Checksum | bad-icmp-chksum | An ICMP frame checksum is bad. Reuse the TCP or UDP checksum bits in the packet. |
Bad Header - ICMP | Bad ICMP Frame | bad-icmp-frame | The ICMP frame is either the wrong size, or not of one of the valid IPv4 or IPv6 types. Valid IPv4 types: |
Bad Header - ICMP | ICMP Frame Too Large | icmp-frame-too-large | The ICMP frame exceeds the declared IP data length or the maximum datagram length. To tune this value, in tmsh: modify sys db dos.maxicmpframesize value <value>, where <value> is <=65515. |
Bad Header - IGMP | Bad IGMP Frame | bad-igmp-frame | IPv4 IGMP packets should have a header >= 8 bytes. Bits 7:0 should be either 0x11, 0x12, 0x16, 0x22 or 0x17, or else the header is bad. Bits 15:8 should be non-zero only if bits 7:0 are 0x11, or else the header is bad. |
Bad Header - IPv4 | Bad IP TTL Value | bad-ttl-val | Time-to-live (TTL) equals zero for an IPv4 address. |
Bad Header - IPv4 | Bad IP Version | bad-ver | The IPv4 address version in the IP header is not 4. |
Bad Header - IPv4 | Header Length > L2 Length | hdr-len-gt-l2-len | No room in layer 2 packet for IP header (including options) for IPv4 address. |
Bad Header - IPv4 | Header Length Too Short | hdr-len-too-short | IPv4 header length is less than 20 bytes. |
Bad Header - IPv4 | Bad Source | ip-bad-src | The IPv4 source IP = 255.255.255.255 or 0xe0000000U. |
Bad Header - IPv4 | IP Error Checksum | ip-err-chksum | The header checksum is not correct. |
Bad Header - IPv4 | IP Length > L2 Length | ip-len-gt-l2-len | Total length in IPv4 address header or payload length in IPv6 address header is greater than the layer 3 length in a layer 2 packet. |
Bad Header - IPv4 | TTL <= <tunable> | ttl-leq-one | An IP packet with a destination that is not multicast and that has a TTL greater than 0 and less than or equal to a tunable value, which is 1 by default. To tune this value, in tmsh: modify sys db dos.iplowttl value <value>, where <value> is 1-4. |
Bad Header - IPv4 | IP Option Frames | ip-opt-frames | IPv4 address packet with option. db variable tm.acceptipsourceroute must be enabled to receive IP options. |
Bad Header - IPv4 | IP Option Illegal Length | | Option present with illegal length. |
Bad Header - IPv4 | L2 Length >> IP Length | l2-len-ggt-ip-len | Layer 2 packet length is much greater than the payload length in an IPv4 address header and the layer 2 length is greater than the minimum packet size. |
Bad Header - IPv4 | No L4 | no-l4 | No layer 4 payload for IPv4 address. |
Bad Header - IPv4 | Unknown Option Type | unk-ipopt-type | Unknown IP option type. |
Bad Header - IPv6 | IPv6 extended headers wrong order | bad-ext-hdr-order | Extension headers in the IPv6 header are in the wrong order. |
Bad Header - IPv6 | Bad IPV6 Hop Count | bad-ipv6-hop-cnt | Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are bad. |
Bad Header - IPv6 | Bad IPV6 Version | bad-ipv6-ver | The IPv6 address version in the IP header is not 6. |
Bad Header - IPv6 | IPv6 duplicate extension headers | dup-ext-hdr | An extension header should occur only once in an IPv6 packet, except for the Destination Options extension header. |
Bad Header - IPv6 | IPv6 extension header too large | ext-hdr-too-large | An extension header is too large. To tune this value, in tmsh: modify sys db dos.maxipv6extsize value <value>, where <value> is 0-1024. |
Bad Header - IPv6 | IPv6 hop count <= <tunable> | hop-cnt-leq-one | The IPv6 extended header hop count is less than or equal to <tunable>. To tune this value, in tmsh: modify sys db dos.ipv6lowhopcnt value <value>, where <value> is 1-4. |
Bad Header - IPv6 | Bad IPv6 source | ipv6-bad-src | IPv6 source IP = 0xff00::. |
Bad Header - IPv6 | IPV6 Extended Header Frames | ipv6-ext-hdr-frames | IPv6 address contains extended header frames. |
Bad Header - IPv6 | IPV6 Length > L2 Length | ipv6-len-gt-l2-len | IPv6 address length is greater than the layer 2 length. |
Bad Header - IPv6 | IPV6 Source Address == Destination Address | | IPv6 packet source address is the same as the destination address. |
Bad Header - IPv6 | No L4 (Extended Headers Go To Or Past End of Frame) | l4-ext-hdrs-go-end | Extended headers go to the end or past the end of the L4 frame. |
Bad Header - IPv6 | Payload Length < L2 Length | payload-len-ls-l2-len | Specified IPv6 payload length is less than the L2 packet length. |
Bad Header - IPv6 | Too Many Extended Headers | too-many-ext-hdrs | For an IPv6 address, there are more than <tunable> extended headers (the default is 4). To tune this value, in tmsh: modify sys db dos.maxipv6exthdrs value <value>, where <value> is 0-15. |
Bad Header - L2 | Ethernet MAC Source Address == Destination Address | ether-mac-sa-eq-da | Ethernet MAC source address equals the destination address. |
Bad Header - TCP | Bad TCP Checksum | bad-tcp-chksum | The TCP checksum does not match. |
Bad Header - TCP | Bad TCP Flags (All Cleared) | bad-tcp-flags-all-clr | Bad TCP flags (all cleared and SEQ#=0). |
Bad Header - TCP | Bad TCP Flags (All Flags Set) | bad-tcp-flags-all-set | Bad TCP flags (all flags set). |
Bad Header - TCP | FIN Only Set | fin-only-set | Bad TCP flags (only FIN is set). |
Bad Header - TCP | Option Present With Illegal Length | opt-present-with-illegal-len | Option present with illegal length. |
Bad Header - TCP | SYN && FIN Set | syn-and-fin-set | Bad TCP flags (SYN and FIN set). |
Bad Header - TCP | TCP Flags - Bad URG | tcp-bad-urg | Packet contains a bad URG flag; this is likely malicious. |
Bad Header - TCP | TCP Header Length > L2 Length | tcp-hdr-len-gt-l2-len | |
Bad Header - TCP | TCP Header Length Too Short (Length < 5) | tcp-hdr-len-too-short | The Data Offset value in the TCP header is less than five 32-bit words. |
Bad Header - TCP | TCP Option Overruns TCP Header | tcp-opt-overruns-tcp-hdr | The TCP option bits overrun the TCP header. |
Bad Header - TCP | Unknown TCP Option Type | unk-tcp-opt-type | Unknown TCP option type. |
Bad Header - UDP | Bad UDP Checksum | bad-udp-chksum | The UDP checksum is not correct. |
Bad Header - UDP | Bad UDP Header (UDP Length > IP Length or L2 Length) | bad-udp-hdr | UDP length is greater than IP length or layer 2 length. |
DoS category | Attack name | DoS vector name | Information |
---|---|---|---|
DNS | DNS AAAA Query | dns-aaaa-query | UDP packet, DNS Qtype is AAAA, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. |
DNS Any Query | dns-any-query | UDP packet, DNS Qtype is ANY_QRY, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. | |
DNS AXFR Query | dns-axfr-query | UDP packet, DNS Qtype is AXFR, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. | |
DNS A Query | dns-a-query | UDP packet, DNS Qtype is A_QRY, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. | |
DNS CNAME Query | dns-cname-query | UDP DNS query, DNS Qtype is CNAME, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. | |
DNS IXFR Query | dns-ixfr-query | UDP DNS query, DNS Qtype is IXFR, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. | |
DNS Malformed | dns-malformed | Malformed DNS packet | |
DNS MX Query | dns-mx-query | UDP DNS query, DNS Qtype is MX, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. | |
DNS NS Query | dns-ns-query | UDP DNS query, DNS Qtype is NS, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. | |
DNS OTHER Query | dns-other-query | UDP DNS query, DNS Qtype is OTHER, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. | |
DNS PTR Query | dns-ptr-query | UDP DNS query, DNS Qtype is PTR, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. | |
DNS QDCount Limit | dns-qdcount-limit | UDP packet, DNS qdcount neq 1, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. | |
DNS Response Flood | dns-response-flood | UDP DNS Port=53, packet and DNS header flags bit 15 is 1 (response), VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. | |
DNS SOA Query | dns-soa-query | UDP packet, DNS Qtype is SOA_QRY, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. | |
DNS SRV Query | dns-srv-query | UDP packet, DNS Qtype is SRV, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. | |
DNS TXT Query | dns-txt-query | UDP packet, DNS Qtype is TXT, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094. |
DoS category | Attack name | DoS vector name | Information |
---|---|---|---|
Flood | ARP Flood | arp-flood | ARP packet flood |
Ethernet Broadcast Packet | ether-brdcst-pkt | Ethernet broadcast packet flood. | |
Ethernet Multicast Packet | ether-multicst-pkt | Ethernet destination is not broadcast, but is multicast. | |
ICMPv4 Flood | icmpv4-flood | Flood with ICMP v4 packets. | |
ICMPv6 Flood | icmpv6-flood | Flood with ICMP v6 packets. | |
IGMP Flood | igmp-flood | Flood with IGMP packets (IPv4 packets with IP protocol number 2). | |
IGMP Fragment Flood | igmp-frag-flood | Fragmented packet flood with IGMP protocol. | |
IPv4 Fragment Flood | ip-frag-flood | Fragmented packet flood with IPv4. | |
IPv6 Fragment Flood | ipv6-frag-flood | Fragmented packet flood with IPv6. | |
Routing Header Type 0 | routing-header-type-0 | Routing header type zero is present in flood packets. | |
TCP BADACK Flood | tcp-ack-flood | TCP ACK packet flood. | |
TCP RST Flood | tcp-rst-flood | TCP RST flood. | |
TCP SYN ACK Flood | tcp-synack-flood | TCP SYN/ACK flood. | |
TCP SYN Flood | tcp-syn-flood | TCP SYN flood. | |
TCP Window Size | tcp-window-size | The TCP window size in packets is above the maximum. To tune this value, in tmsh: modify sys db dos.tcplowwindowsize value , where value is <=128. | |
UDP Flood | udp-flood | UDP flood attack. |
DoS category | Attack name | DoS vector name | Information |
---|---|---|---|
Fragmentation | ICMP Fragment | icmp-frag | ICMP fragment flood. |
IPV6 Atomic Fragment | ipv6-atomic-frag | IPv6 Frag header present with M=0 and FragOffset=0. | |
IPV6 Fragment Error | ipv6-other-frag | Other IPv6 fragment error. | |
IPv6 Fragment Overlap | ipv6-overlap-frag | IPv6 overlapping fragment error. | |
IPv6 Fragment Too Small | ipv6-short-frag | IPv6 short fragment error. | |
IP Fragment Error | ip-other-frag | Other IPv4 fragment error. | |
IP Fragment Overlap | ip-overlap-frag | IPv4 overlapping fragment error. | |
IP Fragment Too Small | ip-short-frag | IPv4 short fragment error. |
DoS category | Attack name | DoS vector name | Information |
---|---|---|---|
Single Endpoint | Single Endpoint Flood | flood | Flood to a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. |
Single Endpoint Sweep | sweep | Sweep on a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. |
DoS category | Attack name | DoS vector name | Information |
---|---|---|---|
SIP | SIP ACK Method | sip-ack-method | SIP ACK packets |
SIP BYE Method | sip-bye-method | SIP BYE packets | |
SIP CANCEL Method | sip-cancel-method | SIP CANCEL packets | |
SIP INVITE Method | sip-invite-method | SIP INVITE packets | |
SIP Malformed | sip-malformed | Malformed SIP packets | |
SIP MESSAGE Method | sip-message-method | SIP MESSAGE packets | |
SIP NOTIFY Method | sip-notify-method | SIP NOTIFY packets | |
SIP OPTIONS Method | sip-options-method | SIP OPTIONS packets | |
SIP OTHER Method | sip-other-method | SIP OTHER packets | |
SIP PRACK Method | sip-prack-method | SIP PRACK packets | |
SIP PUBLISH Method | sip-publish-method | SIP PUBLISH packets | |
SIP REGISTER Method | sip-register-method | SIP REGISTER packets | |
SIP SUBSCRIBE Method | sip-subscribe-method | SIP SUBSCRIBE packets |
DoS category | Attack name | DoS vector name | Information |
---|---|---|---|
Other | Host Unreachable | host-unreachable | Host unreachable error. |
LAND Attack | land-attack | Spoofed TCP SYN packet attack. | |
TIDCMP | tidcmp | ICMP source quench attack. |
Network DoS Protection example events
This list contains examples of events you might find in Network (layer 2 - 4) DoS Protection logs.
Example of Network DOS Protection log message in the ArcSight format |
---|
CEF:0|F5|Advanced Firewall Module|11.3.0.2790.300|Bad TCP checksum|Drop|8|dvchost=asm176.labt.ts.example.com dvc=192.168.69.176 rt=Nov 08 2012 17:58:02 act=Drop cn1=3083822789 cn1Label=attack_id cs1=Attack Sampled cs1Label=attack_status src= spt=20 dst= dpt=80 cs2=/Common/VLAN10 cs2Label=vlan cs3= cs3Label=virtual_name cn4=0 cn4Label=route_domain c6a2=fc55::99 c6a2Label=source_address c6a3=fc55::3 c6a3Label=destination_address |
Example of Network DoS Protection log message in the Remote Syslog format |
---|
"Nov 06 2012 02:17:27","192.168.69.245","asm245.labt.ts.example.com","","10.10.10.2","10.10.10.200","20","80","0","/Common/vlan1","Bad TCP checksum","3044184075","Attack Sampled","Drop" |
Examples of Network DoS Protection log messages in Reporting Server format |
---|
Oct 30 13:59:38 192.168.57.163 action="None",hostname="bigip-7.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.18",date_time="Sep 20 2012 15:30:43",dest_ip="",dest_port="",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.1910.0",dos_attack_event="Attack Started",dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="",source_ip="",source_port="",vlan="" |
Oct 30 13:59:38 192.168.57.163 action="Drop",hostname="bigip-7.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.18",date_time="Sep 20 2012 15:30:44",dest_ip="",dest_port="",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.1910.0",dos_attack_event="Attack Sampled",dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="",source_ip="",source_port="",vlan="/Common/external" |
Example of Network DoS Protection log message in the Splunk format |
---|
action="Blocking",hostname="bigip1",bigip_mgmt_ip="192.168.36.157",client_ip_geo_location="N/A",client_request_uri="",configuration_date_time="Nov 01 2012 04:39:57",context_name="/Common/vs_159",context_type="Virtual Server",date_time="Nov 01 2012 05:01:40",device_product="ASM",device_vendor="F5",device_version="11.3.0",dos_attack_detection_mode="TPS Increased",dos_attack_event="Attack ongoing",dos_attack_id="3131200721",dos_attack_name="DOS L7 attack",dos_attack_tps="0 tps",dos_dropped_requests_count="487",dos_mitigation_action="Source IP-Based Rate Limiting",errdefs_msgno="23003140",errdefs_msg_name="Application DoS Event",severity="7",partition_name="Common",profile_name="/Common/dos_orna",source_ip="192.168.32.22%0" |
action="Blocking",hostname="bigip1",bigip_mgmt_ip="192.168.36.157",client_ip_geo_location="N/A",client_request_uri="/short.txt",configuration_date_time="Nov 01 2012 04:39:57",context_name="/Common/vs_159",context_type="Virtual Server",date_time="Nov 01 2012 05:01:40",device_product="ASM",device_vendor="F5",device_version="11.3.0",dos_attack_detection_mode="TPS Increased",dos_attack_event="Attack ongoing",dos_attack_id="3131200721",dos_attack_name="DOS L7 attack",dos_attack_tps="0 tps",dos_dropped_requests_count="487",dos_mitigation_action="Source IP-Based Rate Limiting",errdefs_msgno="23003140",errdefs_msg_name="Application DoS Event",severity="7",partition_name="Common",profile_name="/Common/dos_orna",source_ip="" |
action="Drop",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="",date_time="Nov 08 2012 17:58:46",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",dos_attack_event="Attack Sampled",dos_attack_id="3083822789",dos_attack_name="Bad TCP checksum",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10" |
Example of Network DoS Protection log message in the Syslog format |
---|
23003138 [F5@12276 action="Drop" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="" date_time="Nov 08 2012 18:26:02" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" dos_attack_event="Attack Sampled" dos_attack_id="1493601923" dos_attack_name="Bad TCP checksum" errdefs_msgno="23003138" errdefs_msg_name="Network DoS Event" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "Nov 08 2012 18:26:02","192.168.69.176","asm176.labt.ts.example.com","","fc55::99","fc55::3","20","80","0","/Common/VLAN10","Bad TCP checksum","1493601923","Attack Sampled","Drop" |
Example of Network DoS Protection log message in the Syslog F5 format |
---|
23003138 "Nov 08 2012 18:23:14","192.168.69.176","asm176.labt.ts.example.com","","fc55::99","fc55::3","20","80","0","/Common/VLAN10","Bad TCP checksum","1493601923","Attack Sampled","Drop" |
Fields in Protocol Security event messages
This table lists the fields that are contained in event messages that might display in the Protocol Security logs. The fields are listed in the order in which they appear in a message in the log.
Field name and type | Example value | Description |
---|---|---|
date_time (string) | 110513:11:10 | Date and time the event occurred in this format: MMM DD HH:MM:SS |
hostname (string) | bigip-4.pme-ds.f5.com | BIG-IP system FQDN |
PSM: (string) | PME:keword | Static value keyword |
protocol (string) | FTP, SMTP, HTTP, DNS | Protocol name |
ip_client (IP address) | 192.168.5.10 | Client source IP address |
dest_ip (IP address) | 192.168.3.1 | Destination IP address |
vs_name (string) | Common/my_vs | Reporting virtual server name and partition |
policy_name (string) | My security policy | Name of the security policy reporting the violation |
violations (string) | Active mode | Violation name |
virus_name (string) | <name of virus> | Virus name |
management_ip_address (IP address) | 192.168.1.246 | BIG-IP system management IP address |
unit_hostname (string) | bigip-4.pme-ds.f5.com | BIG-IP system FQDN |
request_status (string) | Blocked | Action applied to the client request |
dest_port (integer) | 80 | Protocol port number (non-negative) |
src_port (integer) | 80 | Protocol port number (non-negative) |
route_domain (integer) | 1 | Route domain number (non-negative) |
geo_location (string) | NY, NY, USA | City, state, country location information |
violation_details (string) | port/sendport 10,3,0,33,42,88 | Violation description and the values passed |
Protocol Security example events
This list contains examples of events you might find in the Protocol Security logs.
Example of Protocol Security log message in the ArcSight format |
---|
Oct 5 11:49:13 bigip-3.pme-ds.f5.com PSM:CEF:0|F5|PSM|11.3.0|Active mode|Active mode|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=port/sendport 10,3,0,33,7,223 cs3Label=violation_details msg=N/A |
Oct 5 11:49:13 bigip-3.pme-ds.f5.com PSM:CEF:0|F5|PSM|11.3.0|FTP commands|FTP commands|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=nlist/mls cs3Label=violation_details msg=N/A |
Oct 5 11:49:23 bigip-3.pme-ds.f5.com PSM:CEF:0|F5|PSM|11.3.0|FTP commands|FTP commands|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=pwd cs3Label=violation_details msg=N/A |
Example of Protocol Security log message in the Remote Server format |
---|
Oct 5 11:55:18 bigip-3.pme-ds.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3", policy_name="ftp_security",violations="Active mode",virus_name="N/A", management_ip_address="192.168.73.33",unit_hostname="bigip-3.pme-ds.f5.com", request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A", violation_details="port/sendport 10,3,0,33,42,88" |
Oct 5 11:55:18 bigip-3.pme-ds.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3", policy_name="ftp_security",violations="FTP commands",virus_name="N/A", management_ip_address="192.168.73.33",unit_hostname="bigip-3.pme-ds.f5.com", request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A", violation_details="list/dir/mdir" |
Oct 5 11:55:23 bigip-3.pme-ds.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3", policy_name="ftp_security",violations="FTP commands",virus_name="N/A", management_ip_address="192.168.73.33",unit_hostname="bigip-3.pme-ds.f5.com", request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A", violation_details="pwd" |
Example of Protocol Security log message in the Syslog format |
---|
Oct 5 11:37:14 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1355","0","N/A","port/sendport 10,3,0,33,42,22" |
Oct 5 11:37:14 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1355","0","N/A","nlist/mls" |
Oct 5 11:37:23 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1355","0","N/A","cwd .." |
Example of Protocol Security log message in the Syslog BSD format |
---|
Oct 5 11:46:26 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1388","0","N/A","port/sendport 10,3,0,33,7,217" |
Oct 5 11:46:26 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1388","0","N/A","nlist/mls" |
Example of Protocol Security log message in the Syslog legacy format |
---|
Oct 5 11:43:01 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1370","0","N/A","port/sendport 10,3,0,33,7,197" |
Oct 5 11:43:01 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1370","0","N/A","nlist/mls" |
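The key="value" formats shown above (Network DoS Protection in the Reporting Server, Splunk and Syslog formats, and Protocol Security in the Remote Server format) can all be read with one parser. The following is an added example, not F5 code: the sample lines are abridged from this page's examples, the function names are hypothetical, and the `%0` suffix on `source_ip` is treated as BIG-IP's address%route-domain notation.

```python
import ipaddress
import re

# Match key="value" pairs instead of splitting on a delimiter: the separator is
# "," in some formats and a space in others, and values may contain commas.
# Assumption: values contain no embedded double quote, as in the page's examples.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample input: events abridged from the examples on this page.
SAMPLE_LINES = [
    # Network DoS, Reporting Server format
    'Oct 30 13:59:38 192.168.57.163 action="None",hostname="bigip-7.pme-ds.f5.com",'
    'dos_attack_event="Attack Started",dos_attack_id="2760296639",'
    'dos_attack_name="Ethernet broadcast packet",source_ip="",vlan=""',
    'Oct 30 13:59:38 192.168.57.163 action="Drop",hostname="bigip-7.pme-ds.f5.com",'
    'dos_attack_event="Attack Sampled",dos_attack_id="2760296639",'
    'dos_attack_name="Ethernet broadcast packet",source_ip="",vlan="/Common/external"',
    # Splunk format: the source address carries a %route-domain suffix
    'action="Blocking",hostname="bigip1",dos_attack_event="Attack ongoing",'
    'dos_attack_id="3131200721",dos_attack_name="DOS L7 attack",'
    'dos_dropped_requests_count="487",source_ip="192.168.32.22%0"',
    # Syslog format: space-separated pairs inside [F5@12276 ...]
    '23003138 [F5@12276 action="Drop" hostname="asm176.labt.ts.example.com" '
    'dos_attack_event="Attack Sampled" dos_attack_id="1493601923" '
    'dos_attack_name="Bad TCP checksum" source_ip="fc55::99" vlan="/Common/VLAN10"]',
    # Protocol Security, Remote Server format: violation_details contains commas
    'Oct 5 11:55:18 bigip-3.pme-ds.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",'
    'violations="Active mode",request_status="alerted", '
    'violation_details="port/sendport 10,3,0,33,42,88"',
]


def parse_event(line):
    """Return the key="value" fields of one event line as a dict."""
    fields = dict(PAIR_RE.findall(line))
    if not fields:
        raise ValueError('no key="value" fields found')
    return fields


def naive_parse(line):
    """Comma-splitting parser, kept only to show how it truncates values."""
    out = {}
    for part in line.split(","):
        key, sep, value = part.partition("=")
        if sep:
            out[key.strip()] = value.strip('"')
    return out


def split_route_domain(addr):
    """Split 'address%route_domain' into (ip_address, route_domain)."""
    if not addr:
        return None, None  # many events leave source_ip empty
    ip_text, _, rd = addr.partition("%")
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on a malformed address
    return ip, (int(rd) if rd else None)


def summarize_attacks(lines):
    """Group DoS events by dos_attack_id, preserving first-seen order."""
    attacks = {}
    for line in lines:
        ev = parse_event(line)
        attack_id = ev.get("dos_attack_id")
        if attack_id is None:
            continue  # Protocol Security events carry no attack id
        entry = attacks.setdefault(attack_id, {
            "name": ev.get("dos_attack_name", ""),
            "events": [], "actions": set(), "sources": set()})
        entry["events"].append(ev.get("dos_attack_event", ""))
        entry["actions"].add(ev.get("action", ""))
        ip, _rd = split_route_domain(ev.get("source_ip", ""))
        if ip is not None:
            entry["sources"].add(str(ip))
    return attacks


if __name__ == "__main__":
    for attack_id, info in summarize_attacks(SAMPLE_LINES).items():
        print(attack_id, info["name"], info["events"],
              sorted(info["actions"]), sorted(info["sources"]))
```

Grouping on `dos_attack_id` ties the "Attack Started" and "Attack Sampled" messages of one attack together, which is what makes the lifecycle of an attack visible in a SIEM.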
Fields in DNS event messages
This table lists the fields that are contained in event messages that might display in the DNS logs. The fields are listed in the order in which they appear in a message in the log.
Field name and type | Example value | Description |
---|---|---|
errdefs_msgno (integer) | 23003141 | Static number 23003141 |
date_time (string) | 11 13 2012 12:12:10 | Date and time the event occurred in this format: MMM DD YYYY HH:MM:SS |
bigip_mgmt_ip (IP address) | 192.168.1.246 | BIG-IP system management IP address |
hostname (string) | bigip-4.pme-ds.f5.com | BIG-IP system FQDN |
context_name (string) | /Common/vs1_udp | Partition in which the virtual server resides and name of virtual server |
vlan (string) | External | Name of the VLAN interface |
query_type (string) | A | Type of DNS query causing the attack |
dns_query_name (string) | siterequest.com | Name being queried |
partition_name (string) | Common | Name of the partition in which the virtual server resides |
attack_type (string) | CNAME | DNS query causing the attack |
action (string) | None, Drop, Allow | Action performed or reported |
src_ip (IP address) | 192.168.3.1 | Source IP address |
dest_ip (IP address) | 192.168.3.2 | Destination IP address |
src_port (integer) | 80 | Protocol port number (non-negative) |
dest_port (integer) | 80 | Protocol port number (non-negative) |
route_domain (integer) | 1 | Route domain number (non-negative) |
DNS attack types
This table lists DNS attack types and provides a short description and classification. The attack types are listed in alphabetical order by attack name. These attacks are the DNS queries that a client can request. If the requests are received at a high rate and exceed the configured watermark, they generate a DNS DoS event.
Attack name (RFC number) | Description |
---|---|
a6 (1035) | Returns a 32-bit IPv4 IP address record |
aaaa (3596) | Returns a 128-bit IPv6 address record |
afsdb (1183) | Location of database servers of an AFS database record |
any (1035) | Returns all cached records of all types |
atma | ATM address |
axfr (1035) | Authoritative zone transfer |
cert (4398) | Stores PKIX, SPKI, and PGP certificate record |
cname (1035) | Alias of one name to another (canonical name record) |
dname (2672) | DNAME (delegation name) creates an alias for a name and all its subnames |
eid | Endpoint identifier |
gpos (1712) | Geographical position (state, country) |
hinfo (1035) | Host information |
isdn (1183) | ISDN address |
ixfr (1996) | Incremental zone transfer |
key (2535, 2930) | Used only for SIG(0) (RFC 2931) and TKEY (RFC 2930). key records |
kx (2535, 2930) | Key exchange record identifies a key management agent for the associated domain-name (not associated with DNSSEC) |
loc (1876) | Location record |
maila (1035) | Request for mail agent resource records |
mailb (1035) | Mailbox or mail list information (MINFO) |
mb (1035) | Mailbox domain name |
md | Mail destination |
mf (1035) | Mail forwarder |
mg (1035) | Mail group member |
minfo (1035) | Mailbox or mail list information |
mr (1035) | Mail rename domain name |
mx (1035) | Mail exchange record |
naptr (3403) | Naming authority pointer |
nimloc (1002) | Nimrod locator |
ns (1035) | Nameserver record |
nsap (1706) | NSAP style A record |
nsap-ptr (1348) | NSAP style domain name pointer |
null (1035) | Null resource record |
nxt (2535) | Next domain |
opt (2671) | Pseudo DNS record type that supports EDNS |
ptr (1035) | Pointer to a canonical name |
px (2163) | X.400 mail mapping information |
rp (1183) | Contact information for the person(s) responsible for the domain |
rt (1183) | Route through |
sg (2535) | Signature record |
sink | DNS sinkhole |
soa (1035) | Start of authority record |
srv (2782) | Service locator record |
tkey (2930) | Secret key record |
tsig (2845) | Transaction signature that authenticates dynamic updates as coming from an approved client, or authenticates responses as coming from an approved recursive name server |
txt (1035) | Text record |
wks | Sender Policy Framework, DKIM, and DMARC DNS-SD |
x25 (1183) | X.25 PSDN address |
zxfr | Compressed zone transfer |
DNS example events
This list contains examples of events you might find in the DNS logs.
Example of DNS log message in the ArcSight CEF format |
---|
Oct 12 13:35:47 10.3.0.33 CEF:0|F5|Advanced Firewall Module|11.3.0.2206.0|23003139|DNS Event|8|rt=Oct 12 2012 13:29:24 dvchost=bigip-3.pme-ds.f5.com dvc=192.68.73.33 src=10.3.1.104 spt=54629 dst=10.3.1.202 dpt=53 cs1=/Common/DNS-3-udp-vs cs1Label=virtual_name cs2=/Common/external cs2Label=vlan cs3=SRV cs3Label=query_type act=Drop cs4=_ldap._tcp.dc._msdcs.siterequest.com cs4Label=query_name cs5=query opcode cs5Label=attack_type c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address |
Example of DNS log message in the Reporting Server format |
---|
"Oct 26 2012 06:23:13","192.168.69.245","asm245.labt.ts.example.com","/Common/vs2_udp","/Common/vlan1","A","domain1.local","A","Drop","10.10.10.2","10.10.10.251","4000","53","0" |
Example of DNS log message in the Syslog format |
---|
"Oct 26 2012 06:23:13","192.168.69.245","asm245.labt.ts.example.com","/Common/vs2_udp","/Common/vlan1","A","domain1.local","A","Drop","10.10.10.2","10.10.10.251","4000","53","0" |
Fields in DNS DoS event messages
This table lists the fields that are contained in event messages that might display in the Network DNS DoS logs. The fields are listed in the order in which they appear in a message in the log.
Field name and type | Example value | Description |
---|---|---|
errdefs_msgno (integer) | 23003141 | Static number |
errdefs_msg_name (string) | DNS DoS Event | Name of event |
date_time (string) | 11 13 2012 12:12:10 | Date and time event occurred in this format: MMM DD YYYY HH:MM:SS |
bigip_mgmt_ip (IP address) | 192.168.1.246 | BIG-IP system management IP address |
hostname (string) | bigip-4.pme-ds.f5.com | BIG-IP system FQDN |
context_name (string) | /Common/vs1_udp | Partition in which the virtual server resides and name of virtual server |
vlan (string) | External | Name of VLAN interface |
dns_query_type (string) | A | Type of DNS query causing the attack |
dns_query_name (string) | f5.com | Name being queried |
src_ip (IP address) | 192.168.3.1 | Source IP address |
dest_ip (IP address) | 192.168.3.1 | Destination IP address |
src_port (integer) | 80 | Protocol port number (non-negative) |
dest_port (integer) | 80 | Protocol port number (non-negative) |
partition_name (string) | Common | Name of the partition in which the virtual server resides |
dos_attack_name (string) | A query DOS | Name of attack |
dos_attack_id (integer) | 1005891899 | Unique, non-negative, attack instance ID |
dos_attack_event (string) | Attack Sampled | Status of attack |
action (string) | None, Drop, Allow | Action performed or reported |
DNS DoS attack types
This table lists DNS DoS attack types and provides a short description and classification. The attack types are listed in alphabetical order by attack name.
Attack name (RFC) | Description | Value description |
---|---|---|
A query DOS (RFC 1035) | Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host, but also used for DNSBLs, storing subnet masks in RFC 1101. | Address record |
PTR query DOS (RFC 1035) | Pointer to a canonical name. Unlike a CNAME, DNS processing does not proceed, and only the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as DNS-SD. | Pointer record |
NS query DOS (1035) | Delegates a DNS zone to use the given authoritative name servers. | Name service record |
SOA query DOS (1035) | Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone. | Start of authority record |
CNAME query DOS (1035) | Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name. | Canonical name record |
MX query DOS (1035) | Maps a domain name to a list of message transfer agents for that domain. | Mail exchange record |
AAAA query DOS (3596) | Returns a 128-bit IPv6 address, most commonly used to map hostnames to an IP address of the host. | IPv6 address record |
TXT query DOS (1035) | Originally for arbitrary human-readable text in a DNS record; however, this record often carries machine-readable data, such as that specified by RFC 1464, opportunistic encryption, Sender Policy Framework, DKIM, and DMARC DNS-SD. | Text record |
SRV query DOS (2782) | Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX. | Service locator |
AXFR query DOS (1035) | Request for a transfer of an entire zone. | Request |
IXFR query DOS (1995) | Incremental transfer of records in the zone. | Request |
ANY query DOS (1035) | Request for all records. | Request |
Malformed DOS | Generated by a DNS packet in which one of the fields, for example, opcode, query_type or query_name, contains invalid information. | |
Malicious DOS | Generated by malicious packets, that is, malformed DNS packets with references that are invalid. | |
Other Query DOS | Queries, not listed in this table, which are being used to attack nameservers. |
DNS DoS example events
This list contains examples of events you might find in the DNS DoS attack logs.
Example of DNS DoS attack log message in the Syslog format |
---|
"Oct 30 2012 10:57:09","192.168.56.179","Surya_BIG_IP_VM1.example.com","/Common/vs_192_168_57_177_53_gtm","/Common/external","A","surya.example.com","192.168.56.171","192.168.57.177","43835","53","0","A query DOS","1005891899","Attack Sampled","Allow" |
BIG-IP system process example events
This list contains examples of events you might find in BIG-IP system logs. Please be aware that system log messages might be truncated, because the UDP protocol cannot send large messages. Note that using the TCP protocol impacts performance.
Example Syslog log entry for the system audit log
This log entry provides confirmation of a successful configuration save.
1 2012-11-01T18:07:13Z bigip-3.pme-ds.f5.com tmsh 29639 01420002:5: [F5@12276 hostname="bigip-3.pme-ds.f5.com" errdefs_msgno="01420002:5:"] AUDIT - pid=29639 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=save / sys config partitions all
Example Syslog log entry for the application security log
This log entry provides confirmation of the end of a DoS attack.
Nov 01 14:15:44 10.3.0.33 1 2012-11-01T18:09:38Z bigip-3.pme-ds.f5.com 2 28965 01010253:5: [F5@12276 hostname="bigip-3.pme-ds.f5.com" errdefs_msgno="01010253:5:"] A DOS attack has stopped for vector Ethernet broadcast packet, Attack ID 188335952.