Log Types: F5Violations
Overview
F5 BIG-IP appliances running the Application Security Manager (ASM) web application firewall log every request evaluated against an ASM security policy, including requests that passed, requests that triggered violations and were alerted on, and requests that were blocked.
Collection
Collection is via syslog, sent directly from the BIG-IP (ASM remote logging profile) to the Snare Central server. Two remote-logging templates are in use and both are accepted: ArcSight CEF and the F5 key="value" format, as shown in the samples below.
Sample Events
<163>Jan 2 15:04:05 ASM:CEF:0|F5|ASM|12.1.1|Successful Request|Successful Request|2|dvchost=scbosbigip1.scbos.sc.gov dvc=10.200.4.10 cs1=/ProductionWeb/www.scbosblue.sc.gov cs1Label=policy_name cs2=/ProductionWeb/www.scbosblue.sc.gov cs2Label=http_class_name deviceCustomDate1=Nov 08 2016 11:25:32 deviceCustomDate1Label=policy_apply_date externalId=6158457033404640410 act=passed cn1=304 cn1Label=response_code src=96.36.240.105 spt=64422 dst=10.200.5.203 dpt=443 requestMethod=GET app=HTTPS cs5=96.36.240.105 cs5Label=x_forwarded_for_header_value rt=Dec 16 2016 07:48:39 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=US cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A suid=322587f79ea78989 suser=N/A cn2=0 cn2Label=violation_rating cn3=0 cn3Label=device_id request=/Core/Bootstrap/Styles/bootstrap.min.css cs3Label=full_request cs3=GET /Core/Bootstrap/Styles/bootstrap.min.css HTTP/1.1\r\nHost: www.scbosblue.sc.gov\r\nConnection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36\r\nAccept: text/css,*/*;q\=0.1\r\nReferer: https://www.scbosblue.sc.gov/DEW/Contribution\r\nAccept-Language: en-US,en;q\=0.8\r\nCookie: _ga\=GA1
<163>Jan 2 15:04:05 ASM:unit_hostname="scbosbigip1.scbos.sc.gov",management_ip_address="10.200.4.10",http_class_name="/ProductionWeb/www.scsignon.sc.gov_asm",web_application_name="/ProductionWeb/www.scsignon.sc.gov_asm",policy_name="/ProductionWeb/www.scsignon.sc.gov_asm",policy_apply_date="2016-10-14 11:02:37",violations="",support_id="11953983038506268716",request_status="passed",response_code="200",ip_client="10.90.61.145",route_domain="1",method="POST",protocol="HTTPS",query_string="",x_forwarded_for_header_value="10.90.61.145",sig_ids="",sig_names="",date_time="2016-10-24 06:57:04",severity="Informational",attack_type="",geo_location="N/A",ip_address_intelligence="N/A",username="N/A",session_id="311f17df073af9e1",src_port="54489",dest_port="443",dest_ip="10.200.5.209",sub_violations="",virus_name="N/A",uri="/Eng/Secured/Service/SingleSignonService.asmx",request="POST /Eng/Secured/Service/SingleSignonService.asmx HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.42000)\r\nContent-Type: text/xml; charset=utf-8\r\nSOAPAction: %22http://www.scbos.com/AuthenticateWithAuthorization"\r\nHost: www.scsignon.sc.gov\r\nContent-Length: 2113\r\nExpect: 100-continue\r\nConnection: Close\r\nX-Forwarded-For: 10.90.61.145\r\n\r\n<xml version=%221.0%22 encoding=%22utf-8%22"
Fields
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format HH:MM:SS |
SYSTEM | The source system |
TABLE | F5Violations |
MANAGEMENTIPADDRESS | Management IP address of the BIG-IP that logged the event (management_ip_address / dvc) |
HTTPCLASSNAME | HTTP class name; in the sample events it carries the same value as the policy name |
WEBAPPLICATIONNAME | Web application name |
POLICYNAME | Name (partition path) of the ASM security policy that evaluated the request |
POLICYAPPLYDATE | Date and time the policy was last applied (made active) |
VIOLATIONS | Comma-separated names of the ASM violations the request triggered; empty when the request passed without violations |
SUPPORTID | Support ID: a unique identifier for the request (support_id / externalId), also shown to the client on the ASM blocking page, so it is the key for correlating a user report with the request in the BIG-IP event log |
REQUESTSTATUS | Request status as decided by ASM, e.g. passed, alerted (violations logged but the request was allowed through) or blocked |
RESPONSECODE | HTTP response code returned to the client (e.g. 200) |
ROUTEDOMAIN | Route domain of the client connection |
METHOD | HTTP method (GET, POST, ...) |
HTTPPROTOCOL | Application protocol, HTTP or HTTPS |
QUERYSTRING | Query string portion of the request URI |
XFORWARDEDFORHEADERVALUE | The value of the X-Forwarded-For header, if present. When clients arrive through a proxy or CDN this, not SRCADDR, carries the original client address; it is supplied by the client and must not be trusted unless the upstream proxy is known to set it |
SIGIDS | Comma-separated IDs of the attack signatures that matched the request; empty when none matched |
SIGNAMES | Names of the attack signatures that matched the request; empty when none matched |
SEVERITY | Event severity as assigned by ASM (e.g. Informational, Error, Critical) |
ATTACKTYPE | Attack type associated with the violations (e.g. SQL-Injection, Cross Site Scripting); N/A or empty when none |
GEOLOCATION | Details associated with the geographic location of the source IP address (if available and enabled) |
IPADDRESSINTELLIGENCE | IP Intelligence category of the source address (e.g. known scanner or botnet member), if the IP Intelligence service is licensed and enabled; N/A otherwise |
USERNAME | Username, if available |
SESSIONID | ASM session identifier (session_id / suid) |
SRCADDR | Source IP Address of the client connection (ip_client / src) |
SRCPORT | Source port |
DSTADDR | Destination IP Address (the virtual server) |
DSTPORT | Destination port |
PROTO | Protocol |
SUBVIOLATIONS | Sub-violations detailing the triggered violations (e.g. the specific HTTP protocol compliance check that failed); empty when none |
VIRUSNAME | Name of the virus reported by the ICAP antivirus server for uploaded content; N/A when nothing was detected or antivirus scanning is not configured |
URI | Uniform Resource Identifier (path) of the request |
REQUEST | The raw HTTP request as received: request line, headers and the beginning of any body, subject to the size limit of the ASM logging profile |
STRINGS | Any content, in key=value format, that do not fit into the above fields. |
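The two sample formats above carry the same information under different keys (CEF resolves its custom fields through csNLabel/cnNLabel pairs; the F5 template uses quoted key="value" pairs), and the first thing an analyst needs is one parser that yields the columns of the Fields table from either, followed by a triage rule that separates blocked requests from the ones ASM merely alerted on. The following is an added example written for this page, not Snare Central or F5 code. Its sample lines are constructed and modelled on the page's samples; hostnames, addresses, policy names, signature IDs and names are illustrative, and the violation-rating threshold and the assumption that the CEF template carries violation text in msg are marked as assumptions in the code.

```python
"""Parse the two F5 ASM event formats on this page (CEF and key="value" syslog) into
one field set keyed like the Fields table, then triage each request.
Added example for this page, not Snare Central or F5 code. Sample lines are constructed
and modelled on the page's samples; hosts, addresses, policy and signature names are illustrative.
"""
import re
from typing import Dict, List, Tuple

CEF_PASSED = (  # constructed: a passed request in the CEF template
    "<163>Jan 2 15:04:05 ASM:CEF:0|F5|ASM|12.1.1|Successful Request|Successful Request|2|"
    "dvchost=bigip1.example.net dvc=10.0.0.10 cs1=/Common/app_policy cs1Label=policy_name "
    "deviceCustomDate1=Nov 08 2016 11:25:32 deviceCustomDate1Label=policy_apply_date "
    "externalId=6158457033404640410 act=passed cn1=304 cn1Label=response_code src=198.51.100.7 "
    "spt=64422 dst=10.0.5.20 dpt=443 requestMethod=GET app=HTTPS cs4=N/A cs4Label=attack_type "
    "msg=N/A cn2=0 cn2Label=violation_rating request=/css/site.css cs3Label=full_request "
    "cs3=GET /css/site.css HTTP/1.1\\r\\nHost: www.example.net\\r\\nAccept: text/css,*/*;q\\=0.1\\r\\n"
)
KV_BLOCKED = (  # constructed: a blocked request in the key="value" template
    '<163>Jan 2 15:04:06 ASM:unit_hostname="bigip1.example.net",policy_name="/Common/app_policy",'
    'violations="Attack signature detected,Illegal meta character in value",'
    'support_id="11953983038506268716",request_status="blocked",response_code="0",'
    'ip_client="203.0.113.9",method="GET",protocol="HTTPS",query_string="id=1%27%20OR%201%3D1",'
    'sig_ids="200002147,200000098",sig_names="SQL-INJ expressions like %22or 1=1%22 (2),SQL-INJ %22OR%22",'
    'severity="Critical",attack_type="SQL-Injection",dest_ip="10.0.5.20",uri="/search",'
    'request="GET /search?id=1%27%20OR%201%3D1 HTTP/1.1\\r\\nHost: www.example.net\\r\\n\\r\\n"'
)
KV_ALERTED = (  # constructed: violation logged but request allowed through (transparent mode)
    '<163>Jan 2 15:04:07 ASM:unit_hostname="bigip1.example.net",policy_name="/Common/app_policy",'
    'violations="Illegal file type",support_id="11953983038506268717",request_status="alerted",'
    'response_code="200",ip_client="203.0.113.9",method="GET",protocol="HTTPS",severity="Error",'
    'attack_type="Forceful Browsing",dest_ip="10.0.5.20",uri="/backup.bak",'
    'request="GET /backup.bak HTTP/1.1\\r\\nHost: www.example.net\\r\\n\\r\\n"'
)

# key="value": values are quoted and comma-separated. ASM writes embedded quotes as %22 (see the
# SOAPAction header in the page's second sample) and CR/LF inside the request as the two
# characters \r and \n, so an unescaped double quote always terminates a value.
KV_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_kv(line: str) -> Dict[str, str]:
    _, _, body = line.partition("ASM:")
    return dict(KV_PAIR.findall(body))

# CEF: seven pipe-separated header fields (\| escapes a pipe), then an extension of key=value
# pairs separated by a space; values may contain spaces and escape '=' as \=.
CEF_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
CEF_EXT_SPLIT = re.compile(r" (?=\w+=)")
CEF_HEADER = ("cef_version", "vendor", "product", "device_version", "signature_id", "name", "cef_severity")

def parse_cef(line: str) -> Dict[str, str]:
    """Also resolves csN/cnN/c6aN/deviceCustomDateN labels: cs1=/x cs1Label=policy_name -> policy_name=/x."""
    _, _, cef = line.partition("CEF:")
    parts = CEF_HEADER_SPLIT.split(cef, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    fields = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER, parts)}
    raw: Dict[str, str] = {}
    for token in CEF_EXT_SPLIT.split(parts[7]):
        key, _, value = token.partition("=")
        raw[key] = value.replace("\\=", "=")
    for key, value in raw.items():
        if key.endswith("Label") and key[:-5] in raw:
            fields[value] = raw[key[:-5]]
        else:
            fields.setdefault(key, value)
    return fields

# Fields-table column -> (CEF key after label resolution, key="value" key). VIOLATIONRATING is not a
# table column; only the CEF template on this page carries it. Assumption: the CEF template puts the
# violation text in msg (the page's passed sample has msg=N/A).
COLUMNS = {
    "SYSTEM": ("dvchost", "unit_hostname"), "POLICYNAME": ("policy_name", "policy_name"),
    "REQUESTSTATUS": ("act", "request_status"), "RESPONSECODE": ("response_code", "response_code"),
    "SRCADDR": ("src", "ip_client"), "DSTADDR": ("dst", "dest_ip"), "URI": ("request", "uri"),
    "ATTACKTYPE": ("attack_type", "attack_type"), "VIOLATIONS": ("msg", "violations"),
    "SUPPORTID": ("externalId", "support_id"), "VIOLATIONRATING": ("violation_rating", "violation_rating"),
}
HIGH_RATING = 4  # assumption for this example: a violation rating of 4 or 5 is treated as a probable attack

def normalize(line: str) -> Dict[str, str]:
    is_cef = "ASM:CEF:" in line
    f = parse_cef(line) if is_cef else parse_kv(line)
    ev = {col: f.get(keys[0 if is_cef else 1], "") for col, keys in COLUMNS.items()}
    if ev["VIOLATIONS"] == "N/A":
        ev["VIOLATIONS"] = ""
    return ev

def triage(ev: Dict[str, str]) -> str:
    """blocked; alerted = violations logged but the request went through (what to hunt for when a
    policy runs in transparent mode); suspicious = high rating without a named violation; else clean."""
    status = ev["REQUESTSTATUS"].lower()
    violations = [v for v in ev["VIOLATIONS"].split(",") if v.strip()]
    rating = int(ev["VIOLATIONRATING"]) if ev["VIOLATIONRATING"].isdigit() else 0
    if status == "blocked":
        return "blocked"
    if violations or status == "alerted":
        return "alerted"
    if rating >= HIGH_RATING:
        return "suspicious"
    return "clean"

def triage_all(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(support_id, source address, URI, verdict) per event."""
    return [(e["SUPPORTID"], e["SRCADDR"], e["URI"], triage(e)) for e in map(normalize, lines)]

if __name__ == "__main__":
    for row in triage_all([CEF_PASSED, KV_BLOCKED, KV_ALERTED]):
        print(*row)
```

The "alerted" verdict is the one worth a detection rule: a policy in transparent mode logs the same violations as a blocking policy but lets the request reach the application, so a stream of alerted events from one SRCADDR against one POLICYNAME is an attack in progress that the WAF has not stopped. Use SUPPORTID from the output to pull the full request from the BIG-IP event log, and when the BIG-IP sits behind a proxy or CDN pivot on XFORWARDEDFORHEADERVALUE rather than SRCADDR, remembering that the client can forge that header.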