F5 - Evaluating ASM events from syslog
Prerequisites
- The F5 ASM logging profile sends its events to a syslog server
- The F5 ASM class configuration follows the naming scheme "asmclass_HOST-FQDN" (example: "asmclass_www.wiki-laub-home.de")
- Access to the syslog server's log file
Implementation
#!/bin/bash
### set variables
# syslog server message log (zgrep also reads gzip-rotated logs)
LOG="/srv/syslog/syslogsrv1/messages-f5lb1.log"
# available ASM classes; based on naming format "asmclass_HOST-FQDN"
CLASSES="asmclass_www.url1.de asmclass_www.url2.de asmclass_www.url3.de"

# count the events of ASM class $1 whose line contains the violation text $2
# (-F: match literally, the dots in the FQDN are not regex wildcards)
count() {
    zgrep -F -- "$1" "$LOG" | grep -cF -- "$2"
}

### check log-events per defined ASM class in $CLASSES
for i in $CLASSES; do
    tot=$(zgrep -cF -- "$i" "$LOG")
    mdc=$(count "$i" "Modified domain cookie")
    hpc=$(count "$i" "HTTP protocol compliance")
    imc=$(count "$i" "Illegal meta character")
    ihs=$(count "$i" "Illegal HTTP status in response")
    aca=$(count "$i" "Automated client access")
    att=$(count "$i" "Attack signature")
    dos=$(count "$i" "DoS Attack")
    etd=$(count "$i" "Evasion technique detected")
    coo=$(count "$i" "Cookie not RFC-compliant")
    ime=$(count "$i" "Illegal method")
    # class name followed by the total number of its events
    echo "$i $tot"
    echo "---------------------------------------------------------"
    printf 'Modified domain cookie(s)\t%s\n' "$mdc"
    printf 'HTTP protocol compliance failed\t%s\n' "$hpc"
    printf 'Illegal meta character in parameter value\t%s\n' "$imc"
    printf 'Illegal HTTP status in response\t%s\n' "$ihs"
    printf 'Automated client access\t%s\n' "$aca"
    printf 'Attack signature detected\t%s\n' "$att"
    printf 'DoS Attack\t%s\n' "$dos"
    printf 'Evasion technique detected\t%s\n' "$etd"
    printf 'Cookie not RFC-compliant\t%s\n' "$coo"
    printf 'Illegal method\t%s\n' "$ime"
    echo
done
Example output
[root@syslogsrv1 ~]# ./f5-asm-auswertung.sh
asmclass_www.url1.de 26
---------------------------------------------------------
Modified domain cookie(s) 4
HTTP protocol compliance failed 3
Illegal meta character in parameter value 0
Illegal HTTP status in response 2
Automated client access 0
Attack signature detected 7
DoS Attack 9
Evasion technique detected 1
asmclass_www.url2.de 12
---------------------------------------------------------
Modified domain cookie(s) 0
HTTP protocol compliance failed 4
Illegal meta character in parameter value 1
Illegal HTTP status in response 0
Automated client access 0
Attack signature detected 0
DoS Attack 7
Evasion technique detected 0
asmclass_www.url3.de 41
---------------------------------------------------------
Modified domain cookie(s) 2
HTTP protocol compliance failed 4
Illegal meta character in parameter value 8
Illegal HTTP status in response 9
Automated client access 7
Attack signature detected 2
DoS Attack 4
Evasion technique detected 5
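The grep script above counts whole log lines, so an event that carries several violations at once is counted under each substring it happens to contain, and any unrelated syslog line that mentions the class name is counted too. The following Python tally is an added example (not part of the original page or of F5's tooling) that parses the event fields instead. It assumes the ASM remote-logging storage format writes key="value" pairs such as policy_name, violations and request_status; the sample lines are constructed for the example and the field layout must be checked against your own logging profile.

```python
"""Tally F5 ASM violation events per ASM class from syslog lines.

Added example, not from the original wiki page. The key="value" event
layout is an assumption; adjust FIELD_RE if your logging profile's
storage format differs.
"""
import re
from collections import Counter, defaultdict

# One key="value" pair of an ASM remote-logging event (assumed layout).
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: three ASM events for two classes, one passed request
# without violations, and one unrelated sshd line that must be ignored.
SAMPLE_LINES = [
    'Mar 10 12:00:01 f5lb1 ASM:unit_hostname="f5lb1",policy_name="asmclass_www.url1.de",'
    'violations="Attack signature detected",request_status="blocked",ip_client="192.0.2.10"',
    'Mar 10 12:00:02 f5lb1 ASM:unit_hostname="f5lb1",policy_name="asmclass_www.url1.de",'
    'violations="Modified domain cookie(s),Illegal method",request_status="alarm",ip_client="192.0.2.11"',
    'Mar 10 12:00:03 f5lb1 ASM:unit_hostname="f5lb1",policy_name="asmclass_www.url2.de",'
    'violations="DoS Attack",request_status="blocked",ip_client="198.51.100.7"',
    'Mar 10 12:00:04 f5lb1 ASM:unit_hostname="f5lb1",policy_name="asmclass_www.url1.de",'
    'violations="",request_status="passed",ip_client="192.0.2.12"',
    'Mar 10 12:00:05 f5lb1 sshd[123]: Accepted publickey for admin from 203.0.113.5',
]


def parse_asm_event(line):
    """Return the fields of one ASM event as a dict, or None for other lines."""
    if " ASM:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    # only events of a policy that follows the "asmclass_HOST-FQDN" scheme
    if not fields.get("policy_name", "").startswith("asmclass_"):
        return None
    return fields


def split_violations(value):
    """Split the comma-separated violations field; an empty field gives []."""
    return [v.strip() for v in value.split(",") if v.strip()]


def tally(lines):
    """Per ASM class: number of events, blocked events and a Counter per violation."""
    stats = defaultdict(lambda: {"events": 0, "blocked": 0, "violations": Counter()})
    for line in lines:
        event = parse_asm_event(line)
        if event is None:
            continue
        entry = stats[event["policy_name"]]
        entry["events"] += 1
        if event.get("request_status") == "blocked":
            entry["blocked"] += 1
        for name in split_violations(event.get("violations", "")):
            entry["violations"][name] += 1
    return dict(stats)


def format_report(stats):
    """Render the tally in the same layout as the shell script's output."""
    out = []
    for cls in sorted(stats):
        entry = stats[cls]
        out.append(f"{cls} {entry['events']} (blocked: {entry['blocked']})")
        out.append("-" * 57)
        for name, n in sorted(entry["violations"].items()):
            out.append(f"{name}\t{n}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # replace SAMPLE_LINES with open(LOG) to run against a real message log
    print(format_report(tally(SAMPLE_LINES)))
```

Counting blocked versus alarm-only events separately is the useful extra here: a class whose violations are all in alarm mode is logged but not enforced, which the plain line count of the shell script does not reveal.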