
F5 waf

Description

  • Vendor: F5

  • Product: Web security

  • Log types: waf, ipi, l7ddos

Log samples

  • waf

```text
type = waf,attack_type = Abuse of Functionality,Information Leakage,HTTP Parser Attack,date_time = 2015-12-17 20:41:42,dest_ip = 192.168.133.186,dest_port = 80,geo_location = US,http_class_name = /dosproof/dosproof-dvwa,ip_client = 172.16.122.112,method = CONNECT,policy_apply_date = 2015-08-24 22:57:44,policy_name = dvwa,protocol = HTTP,query_string = ,request_status = blocked,response_code = 0,severity = Critical,src_port = 42178,support_id = 15969618387221591422,uri = proxytest.zmap.io:80,username = N/A,violations = HTTP protocol compliance failed,Illegal meta character in URL,Illegal method,web_application_name = dvwa-dsyme,x_forwarded_for_header_value = 172.16.122.112, request = CONNECT proxytest.zmap.io:80 HTTP/1.1\\r\\nHost: 192.168.133.186\\r\\nUser-Agent: Mozilla/5.0 zgrab/0.x\\r\\nX-Forwarded-For: 10.100.122.112\\r\\nVia: 1.1 dca1-10\\r\\n\\r\\n
```

  • ipi

```text
type = ipi,action = Accept,attack_type = custom_category,bigip_mgmt_ip = ,context_name = ,date_time = Jun 07 2018 14:56:43,dest_ip = ,dest_port = 80,errdefs_msg_name = IP Intelligence Event,errdefs_msgno = 23003142,flow_id = 0000000000000000,ip_intelligence_policy_name = ipi-Threat-Intel-Log-Only,ip_intelligence_threat_name = [scanners windows_exploits spam_sources],ip_protocol = TCP,route_domain = 0,sa_translation_pool = ,sa_translation_type = ,severity = 5,source_ip = ,source_port = 24276,translated_dest_ip = ,translated_dest_port = ,translated_ip_protocol = ,translated_route_domain = ,translated_source_ip = ,translated_source_port = ,translated_vlan =
```

  • l7ddos

```text
type = l7ddos,action = Blocking,client_ip_geo_location = ,client_request_uri = ,date_time = Sep 01 2015 08:31:25,dos_attack_detection_mode = TPS Increased,dos_attack_id = 3775223159,dos_attack_latency = 0 ms,dos_attack_name = DOS L7 attack,dos_attack_tps = 9 tps,dos_baseline_latency = 0 ms,dos_baseline_tps = 0 tps,dos_baseline_traffic_percent = ,dos_current_traffic_percent = ,dos_dropped_requests_count = 0,dos_incoming_requests_count = 670,dos_mitigation_action = Source IP-Based Client Side Integrity Defense,dos_mitigation_reason = Not mitigated,errdefs_msg_name = Application DoS Event,errdefs_msgno = 23003140,reported_entity_type = Site-Wide,severity = 0,source_ip =
```

Parsing strategy

  • First of all, each log type has to be handled independently: applying the kv operator to the whole line does not recognise the last key, and that last key differs from one log type to the next. To do so, we isolate the "type" field of the log so that each type can be identified and dispatched with a "case" in a switch.

  • Then, in each case of the switch, the last key is parsed with the dissect operator and everything left over is parsed with a kv operator.

    • For the "ipi" type, an additional step removes the "[ ]" around the ip_intelligence_threat_name value.
  • Finally, all keys are renamed to match the Elasticsearch mapping.

Fields normalization

waf

| Normalized fields | Parsed fields |
|---|---|
| [type] | [dissect][type] |
| [action] | [kv][request_status] |
| [app][return][code] | [kv][response_code] |
| [app][method] | [kv][method] |
| [app][proto][name] | [kv][protocol] |
| [alarm][sev] | [kv][severity] |
| [alarm][name] | [kv][attack_type] |
| [alarm][description] | [kv][violations] |
| [rule][name] | [kv][policy_name] |
| [target][uri][url] | [kv][uri] |
| [target][uri][urn] | [kv][http_class_name] |
| [init][host][ip] | [kv][ip_client] |
| [init][host][port] | [kv][src_port] |
| [init][host][useragent] | [kv2][User-Agent] |
| [init][usr][name] | [kv][username] |
| [target][host][ip] | [kv][dest_ip] |
| [target][host][port] | [kv][dest_port] |
| [session][id] | [kv][support_id] |

ipi

| Normalized fields | Parsed fields |
|---|---|
| [type] | [dissect][type] |
| [action] | [kv][action] |
| [alarm][sev] | [kv][severity] |
| [alarm][name] | [kv][errdefs_msg_name] |
| [alarm][description] | [kv][attack_type] |
| [init][port] | [kv][source_port] |
| [app][proto][name] | [kv][ip_protocol] |
| [target][host][port] | [kv][dest_port] |
| [rule][name] | [kv][ip_intelligence_policy_name] |
| [rule][description] | [kv][ip_intelligence_threat_name] |

l7ddos

| Normalized fields | Parsed fields |
|---|---|
| [type] | [dissect][type] |
| [action] | [kv][action] |
| [alarm][sev] | [kv][severity] |
| [alarm][name] | [kv][dos_attack_name] |
| [alarm][description] | [kv][dos_mitigation_action] |
| [obs][ts] | [kv][date_time] |
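The parsing strategy above (type dissect, per-type switch, trailing key split off before kv, bracket stripping for ipi, renaming to the normalized fields of the three tables) carried through end to end, as an added example in Python; it is not the project's own pipeline code. The sample lines are constructed copies of the samples on this page (the ipi and waf lines are shortened). Two choices are mine and not stated by the page: a comma-separated segment without " = " is glued back onto the previous value, so list-like values such as `attack_type` and `violations` survive the kv split intact, and empty values are dropped before normalization so they never reach the Elasticsearch mapping as empty strings.

```python
import re
from typing import Any, Dict, Tuple

# Constructed sample lines copied from this page (ipi and waf shortened).
SAMPLES = {
    "waf": (
        "type = waf,attack_type = Abuse of Functionality,Information Leakage,HTTP Parser Attack,"
        "date_time = 2015-12-17 20:41:42,dest_ip = 192.168.133.186,dest_port = 80,"
        "http_class_name = /dosproof/dosproof-dvwa,ip_client = 172.16.122.112,method = CONNECT,"
        "policy_name = dvwa,protocol = HTTP,query_string = ,request_status = blocked,"
        "response_code = 0,severity = Critical,src_port = 42178,support_id = 15969618387221591422,"
        "uri = proxytest.zmap.io:80,username = N/A,"
        "violations = HTTP protocol compliance failed,Illegal meta character in URL,Illegal method,"
        "web_application_name = dvwa-dsyme,x_forwarded_for_header_value = 172.16.122.112,"
        " request = CONNECT proxytest.zmap.io:80 HTTP/1.1\\r\\nHost: 192.168.133.186\\r\\n"
        "User-Agent: Mozilla/5.0 zgrab/0.x\\r\\n\\r\\n"
    ),
    "ipi": (
        "type = ipi,action = Accept,attack_type = custom_category,bigip_mgmt_ip = ,context_name = ,"
        "date_time = Jun 07 2018 14:56:43,dest_ip = ,dest_port = 80,"
        "errdefs_msg_name = IP Intelligence Event,errdefs_msgno = 23003142,"
        "ip_intelligence_policy_name = ipi-Threat-Intel-Log-Only,"
        "ip_intelligence_threat_name = [scanners windows_exploits spam_sources],ip_protocol = TCP,"
        "route_domain = 0,severity = 5,source_ip = ,source_port = 24276,translated_vlan ="
    ),
    "l7ddos": (
        "type = l7ddos,action = Blocking,client_ip_geo_location = ,client_request_uri = ,"
        "date_time = Sep 01 2015 08:31:25,dos_attack_detection_mode = TPS Increased,"
        "dos_attack_id = 3775223159,dos_attack_name = DOS L7 attack,dos_attack_tps = 9 tps,"
        "dos_incoming_requests_count = 670,"
        "dos_mitigation_action = Source IP-Based Client Side Integrity Defense,"
        "errdefs_msg_name = Application DoS Event,severity = 0,source_ip ="
    ),
}

# The trailing key of each log type, which a plain kv pass would not recognise.
LAST_KEY = {"waf": "request", "ipi": "translated_vlan", "l7ddos": "source_ip"}

# Normalized field path (dotted) -> parsed key, taken from the three tables above.
MAPPINGS = {
    "waf": {
        "type": "type", "action": "request_status", "app.return.code": "response_code",
        "app.method": "method", "app.proto.name": "protocol", "alarm.sev": "severity",
        "alarm.name": "attack_type", "alarm.description": "violations", "rule.name": "policy_name",
        "target.uri.url": "uri", "target.uri.urn": "http_class_name", "init.host.ip": "ip_client",
        "init.host.port": "src_port", "init.host.useragent": "User-Agent", "init.usr.name": "username",
        "target.host.ip": "dest_ip", "target.host.port": "dest_port", "session.id": "support_id",
    },
    "ipi": {
        "type": "type", "action": "action", "alarm.sev": "severity", "alarm.name": "errdefs_msg_name",
        "alarm.description": "attack_type", "init.port": "source_port", "app.proto.name": "ip_protocol",
        "target.host.port": "dest_port", "rule.name": "ip_intelligence_policy_name",
        "rule.description": "ip_intelligence_threat_name",
    },
    "l7ddos": {
        "type": "type", "action": "action", "alarm.sev": "severity", "alarm.name": "dos_attack_name",
        "alarm.description": "dos_mitigation_action", "obs.ts": "date_time",
    },
}


def dissect_type(line: str) -> Tuple[str, str]:
    """Step 1: isolate the leading 'type = x,' so the line can be dispatched in the switch."""
    m = re.match(r"type = (\w+),(.*)$", line, re.S)
    if not m:
        raise ValueError("line does not start with a type field")
    return m.group(1), m.group(2)


def split_last_key(rest: str, last_key: str) -> Tuple[str, str]:
    """Step 2a (the dissect of the page): cut the trailing key off, value may be empty."""
    m = re.search(r",\s*" + re.escape(last_key) + r" =\s*(.*)$", rest, re.S)
    if not m:
        raise ValueError(f"expected trailing key {last_key!r}")
    return rest[:m.start()], m.group(1).strip()


def kv(text: str) -> Dict[str, str]:
    """Step 2b: 'key = value' pairs split on ','. A segment without ' = ' is a comma inside
    the previous value (attack_type, violations), so it is appended to it (my choice)."""
    fields: Dict[str, str] = {}
    current = None
    for seg in text.split(","):
        if " = " in seg:
            current, _, value = seg.partition(" = ")
            current = current.strip()
            fields[current] = value.strip()
        elif current is not None:
            fields[current] += "," + seg.strip()
    return fields


def request_headers(request: str) -> Dict[str, str]:
    """The kv2 of the waf table: headers inside the 'request' value, separated by a literal \\r\\n."""
    headers: Dict[str, str] = {}
    for hline in request.split("\\r\\n")[1:]:  # [0] is the request line itself
        name, sep, value = hline.partition(": ")
        if sep:
            headers[name] = value
    return headers


def normalize(log_type: str, fields: Dict[str, str]) -> Dict[str, Any]:
    """Step 3: rename to the nested Elasticsearch fields; empty values are dropped (my choice)."""
    event: Dict[str, Any] = {}
    for path, source in MAPPINGS[log_type].items():
        value = fields.get(source, "")
        if value == "":
            continue
        node = event
        *parents, leaf = path.split(".")
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value
    return event


def parse_event(line: str) -> Dict[str, Any]:
    """Whole pipeline for one raw line: dissect type -> switch -> dissect last key -> kv -> normalize."""
    log_type, rest = dissect_type(line)
    last_key = LAST_KEY[log_type]
    head, tail = split_last_key(rest, last_key)
    fields = kv(head)
    fields["type"] = log_type
    fields[last_key] = tail
    if log_type == "waf":
        fields.update(request_headers(fields["request"]))
    elif log_type == "ipi":  # extra step of the page: drop the "[ ]" around the threat names
        fields["ip_intelligence_threat_name"] = fields["ip_intelligence_threat_name"].strip("[]")
    return normalize(log_type, fields)


if __name__ == "__main__":
    for sample in SAMPLES.values():
        print(parse_event(sample))
```

Running the block prints one nested event per sample; `parse_event` raises on a line whose trailing key is missing rather than silently producing a half-parsed event, which is the failure the page's switch is there to avoid.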