F5 ASM Certified CEF Configuration Guide
- Pavan Raja

- Apr 8, 2025
- 13 min read
Summary:
This document provides a comprehensive overview of an attack log involving a web application called "maui_app," which was protected by the ASM (Application Security Manager) on an F5 BIG-IP device. The log details the specific characteristics and actions taken during the attack, including the IP address involved, the status of the attack, and the associated security policy.
### Key Points from the Log:
1. **Attack ID**: A unique identifier for the attack event, which in this case is cn3=18446744072678170139.
2. **Attack Status**: The log indicates that the attack has ended (cs4=Ended). This means that the security measures implemented by the ASM have successfully blocked or mitigated the threat.
3. **Timestamp**: Two timestamps are provided: one at 23:54:51 and another at 23:52:32 for deviceCustomDate1 (policy_apply_date). These indicate when the security policy was applied in response to the attack.
4. **Security Policy Name**: The name of the policy used to handle the attack is maui_app_default, which is associated with the web application named "maui_app."
5. **Request Drop Count**: This log does not explicitly mention a request drop count (cn2), but it does reference a specific IP address involved in the attack and its related information.
6. **Geographic Location**: The log includes geographic location data for the affected device, which is represented by cs6.
### Integration with ArcSight:
- **Vendor-Specific Event Definitions**: These are sent to the ArcSight SmartConnector from the F5 BIG-IP ASM system.
- **Mapping to Data Fields**: The events are mapped to specific ArcSight data fields such as web application name (cs2), attack status (cs4), and geographic location (cs6).
### Sample Content Package for ArcSight ESM:
The document also provides a guide on how to install a sample content package in ArcSight ESM. This package is designed to facilitate basic reporting within the system, providing insights into security events related to web applications.
#### Installation Steps:
1. **Log into ArcSight ESM Console**: Using an admin account.
2. **Navigate to Packages Tab**: In the Navigator panel, select the "Packages" tab.
3. **Import Package**: Click on "Import" and follow the dialog prompts to import the package bundle file from your local directory.
4. **Install Progress**: Monitor the progress in the Importing and Installing Packages dialogs until completion.
5. **Verify Installation**: Navigate to the Resources tab, select "Reports," and check for the F5 group folder under "ArcSight Partner Sample Content."
6. **Included Reports**: The reports include:
   - Alerted Violations Per Web App
   - Attack Types Per Web App
   - Blocked Violations Per Web App
   - HTTP Attack Severity Per Web App
   - HTTPReq (not specified further)
### Dashboard Components:
- **HTTP Request Status per Web Application**: Displays trends and detailed information in a line chart format.
- **Top Attackers**: Identifies the top source IP addresses responsible for attacks, visualized in a pie chart and table.
- **Dashboard Integration**: Includes visual monitors such as Top 10 Attackers (Pie Chart), Blocked Violations by Web Application (Bar Chart), and Top 10 Attacking Countries (Event Graph).
### Confidentiality:
The document emphasizes that the provided sample content package is confidential and proprietary, highlighting its sensitivity in terms of security information.
This log and accompanying documentation serve as a practical guide for understanding how to integrate security logs from an F5 BIG-IP ASM device with ArcSight ESM for enhanced monitoring and reporting capabilities.
Details:
The "Common Event Format Configuration Guide" is a document provided by F5 Networks for their BIG-IP Application Security Manager (ASM). This guide is meant to help configure the ASM to collect syslog events in accordance with the ArcSight Common Event Format, which is essential for proper processing and usage within ArcSight products.
The document outlines that the event format must comply with the requirements of the ArcSight CEF connector to ensure correct processing. It also highlights that the content of the events has been deemed compliant with standard SmartConnector requirements, allowing them to be adequately categorized for use in correlation rules, reports, and dashboards as a proof-of-concept (POC) demonstration of the integrated solution between F5 BIG-IP ASM and ArcSight.
The document also provides revision history detailing updates such as sample reports addition and certification status changes from CEF compatible to compliant with versions 10.1 of the BIG-IP Application Security Manager.
The IP Enforcer messages section lists sample content packages for the F5 Dashboard and Reports, supporting Windows, Linux, and Solaris platforms, with a supported device version range of v10.1 to v10.1. F5 BIG-IP ASM is an advanced web application firewall that defends against application-layer attacks that bypass conventional firewalls.
For configuring logging profiles with ArcSight logs, the log messages are in Common Event Format (CEF). The basic format is:
`CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension`
This logging profile relies on external systems for actual logging; F5 Networks does not manage the configuration and maintenance of external logging servers.
To create a logging profile for ArcSight logs:
1. Navigate to Application Security, then click Logging Profiles in the navigation pane.
2. Above the Logging Profiles area, click Create new logging profile.
3. Select Advanced as the Configuration setting and provide a unique name for the logging profile under Profile Name.
4. Check Remote Storage and select ArcSight from Type settings. Additional settings will be displayed based on your configuration.
5. Optionally clear Local Storage if you do not want data logged locally as well as remotely.
6. Select the protocol the reporting server uses from the Protocol setting.
The remaining steps configure where the profile sends its records and which requests and anomalies (brute force attacks, DoS attacks, IP enforcer attacks, or web scraping attacks) it logs:
1. For the Protocol setting, choose TCP (the default setting), UDP, or TCP as per RFC3195.
2. Enter the IP address of the remote storage server for the Server IP setting.
3. For the Server Port setting, enter a port number; if unspecified, use the default value of 514.
4. To ensure that all web application requests are logged even when resources are competing, check the Guarantee Logging box. Note that this may slow down access to the web application.
5. Optionally adjust the maximum request, header, and query string size settings as needed.
6. If you want detailed logs about brute force attacks, DoS attacks, IP enforcer attacks, or web scraping attacks, check the Report Detected Anomalies box.
7. In the Storage Filter area, make any necessary changes based on requirements.
8. Click the Create button to finalize and confirm your configuration. The screen will refresh and display the new logging profile.
9. To configure the storage filter of an existing logging profile:
   - Expand Application Security in the navigation pane, point to Options, and click Logging Profiles.
   - In the Logging Profiles area, click the name of the existing logging profile you want to edit.
   - For the Storage Filter setting, select Advanced. The screen will display additional settings.
   - Select the Logic Operation setting to determine how the system associates the specified criteria.
This process allows for detailed configuration and monitoring of various types of network activities as per defined security requirements and policies.
This passage discusses configuring logging profile storage filters on BIG-IP systems, which are part of F5 Networks' products. The steps include setting the logic operator (OR or AND), selecting request types, protocols, response status codes, and HTTP methods, and choosing whether to log based on specific strings. After updating the settings, the screen refreshes to display the new logging profile.
Additionally, it explains how to set event severity levels for security policy violations, which determines the level of importance assigned to different security alerts displayed in various interfaces such as the Security Alerts screen and logged messages via syslog utility. The severity levels range from least severe (Informational) to most severe (Emergency). These settings apply globally to all web applications managed by BIG-IP systems.
To modify these severity levels, navigate to the Severities section under Application Security in the system's navigation pane, where you can adjust the level for each specific violation.
This document outlines the steps for specifying a logging profile for a web application in ArcSight, along with an example of an ASM Remote Log Message event that triggers a typical violation. The instructions include:
1. Expanding Application Security and navigating to Web Applications in the navigation pane.
2. Selecting a web application name from the Name column to open its properties screen.
3. For the Logging Profile setting, selecting a desired logging profile.
4. Clicking the Update button to save any changes made to the configuration.
5. Acknowledging and reviewing events by clicking on them in the Events list and confirming their details as needed.
6. Specifying event severity levels and utilizing a Restore Defaults option if necessary.
7. Modifying event severity levels for security policy violations, then saving these changes with the Save button.
8. If preferences change, restoring system-supplied default values by clicking the Restore Defaults button.
The provided text contains a detailed description of network traffic and security events captured by the ASM (Application Security Manager) of F5 Networks, specifically an "Attack Signature triggered" event that indicates a Cross Site Scripting (XSS) attack. The event is logged using the CEF (Common Event Format) standard for unified logging across various devices and services.
Key details from the log entry include:
**Device Information**: The device is identified as a F5 ASM with version 11.0.0, operating under external ID 2922246059721752663 on September 3, 2010 at 16:06:16 (deviceCustomDate1), applied to a web application named "maui_app" and policy name "maui_app_default".
**Attack Details**: The attack type is identified as Cross Site Scripting (XSS) with the severity marked as 200, which corresponds to an alert status.
**Network Traffic**: The request method used was GET, targeting the URL "/xss/xss.php?param=
**HTTP Request Headers and Cookies**: These include standard HTTP headers like Accept, Accept-Language, User-Agent, Accept-Encoding, Host, Connection, and specific cookies including Super_Secret_Session_Cookie for authentication details.
This log entry is crucial for forensic analysis to understand the nature of attacks on network infrastructure, enabling better security policies and response mechanisms.
The document outlines the structure and contents of a CEF (Common Event Format) log used by an ASM (Application Security Manager) on a BIG-IP machine. This format is crucial for sharing security event data between devices in a standardized way. Here's what each field represents:
1. **dvchost**: Hostname or IP address of the BIG-IP device handling the traffic.
2. **dvc**: The IP address of the management interface on the BIG-IP machine.
3. **externalId**: A unique identifier for a blocked transaction, used to track and manage security events.
4. **act**: Action taken on the transaction, typically indicating if it was 'blocked' or 'alerted'.
5. **src**: The IP address of the client from which the request originates, useful for ASM (Application Security Manager) policies.
6. **spt**: Remote port number associated with the client-side communication.
7. **dst**: The destination IP address, typically a Virtual Server IP on the BIG-IP device.
8. **dpt**: Local port number used in the transaction.
9. **requestMethod**: HTTP method of the request (e.g., GET, POST).
10. **app**: Specifies whether the request is over HTTP or HTTPS.
11. **request**: The full URL or URI plus query string from the HTTP request. For key/value format, this includes only the URI without the query string.
12. **deviceExternalId**: Identifier specific to the hardware platform (like VIPRION) receiving traffic.
13. **rt**: Timestamp indicating when the transaction occurred.
Additionally, for CEF logs:
**cs1 - cs5**: These fields provide details about security policy names, web application names, full requests, attack types, and more.
**cn1**: HTTP response code from the server.
**deviceCustomDate1**: Timestamp of when a specific security policy was last applied.
For anomaly detection features like DoS attacks:
The log entry includes details such as the timestamp, device information, action taken (blocked), response codes, and more.
The document also provides examples of logs and clarifies the meanings of various key/value pairs within the CEF format. This structured data is essential for analyzing security events across different systems to detect anomalies or threats effectively.
This document describes an attack on a BIG-IP machine, likely through brute force attacks or similar methods. The attack is detected by the ASM (Application Security Manager) module of the BIG-IP system, which logs the event in CEF (Common Event Format). Key details include:
1. **Attack Type**: Brute Force Attack
2. **Mitigation Type**: Transparent
3. **Severity**: Not specified but implied by "Alerted" action
4. **Action Performed**: Alerted, meaning the system detected and responded to the attack.
5. **Request Details**: The attacked URI is "/bf/login1.php".
6. **Source IP Address**: 120.20.20.120
7. **Geographic Location**: AU (Australia) based on cs6 value.
8. **Attack Status**: Ongoing, indicating the attack was still active at the time of logging.
9. **Detection Mode**: Number of Failed Logins Increased.
10. **Timestamp**: The log entry is timestamped as Sep 11, 2010, and the transaction occurred around 00:12:00 with a management interface IP address of 172.30.0.20.
11. **Policy and Application Names**: Policy name "maui_app_default" and web application name "maui_app".
12. **Attack ID**: The unique identifier for the attack is cn3=3263585820.
13. **Detection Average**: 109 ms latency increase or requests per second (TPS) increase, depending on the nature of the attack as indicated by cs5.
14. **Dropped Requests Counter**: No dropped requests were reported initially (cn2=0), but subsequent logs would show incremental drops based on previous log entries.
This log entry provides detailed information about an ongoing attack and how it was detected, including details from security policies applied and the system's response to the threat.
The provided text describes a sample log message from an ASM (Application Security Manager) system, specifically for detecting a Web Scraping Attack. Here's a breakdown of what each field in the log message represents:
1. **CEF Version**: Specifies the version of CEF used to format the log message.
2. **DeviceVendor**: The vendor of the device (in this case, F5).
3. **DeviceProduct**: Identifies the product as ASM (Application Security Manager).
4. **DeviceVersion**: Indicates the version of the ASM system (e.g., 11.0.0).
5. **AttackType**: The type of attack detected, which in this case is a Web Scraping Attack.
6. **Severity**: Not explicitly provided but typically implied by the 'AttackType'.
7. **Timestamp**: Logs the timestamp when the transaction was processed (`rt`).
8. **Host Name (dvchost)**: The hostname of the BIG-IP machine where the attack was detected.
9. **Management IP Address (dvc)**: The IP address of the management interface of the BIG-IP machine.
10. **Policy Name (cs1) and Label (cs1Label)**: Identifies the security policy being used, in this case, `maui_app_default`.
11. **Web Application Name (cs2) and Label (cs2Label)**: Specifies the web application name for ASM, which is `maui_app`.
12. **Timestamp of last policy application (deviceCustomDate1) and its label (deviceCustomDate1Label)**: Indicates when the policy was last applied.
13. **Action Performed (act)**: The action taken on a transaction based on the detection, which in this case is 'Blocked'.
14. **Attack ID (cn3) and Label (cn3Label)**: A unique identifier for the detected attack, `3263585818`.
15. **Attack Status (cs4) and Label (cs4Label)**: The status of the attack, indicated as 'Ongoing'.
16. **Source IP Address (src)**: The IP address of the client triggering the attack, `192.168.74.216`.
17. **Geographic Location (cs6) and Label (cs6Label)**: Not applicable in this case (`N/A`).
18. **Timestamp of the transaction (rt)**.
19. **Dropped Request Counter (cn2) and Label (cn2Label)**: Indicates that no requests were dropped since the last log message, so it is '0'.
This log format is useful for monitoring and analyzing network traffic to detect specific types of attacks like Web Scraping and take appropriate mitigation actions such as blocking IP addresses or throttling request rates.
This technical note outlines details about an "IP Enforcer Attack" event logged by a BIG-IP machine running version 11.0.0 of ASM (Application Security Manager). The attack is characterized as an IP Enforcer Attack, which is part of broader cyber threats like DoS (Denial of Service), Brute Force, and Web Scraping attacks.
The log entry includes:
**CEF Version**: Standard version identifier for the logs.
**Device Vendor & Product**: F5 for both vendor and product, indicating it's from the F5 Networks ASM system.
**Device Version**: 11.0.0, specifying the software version of the device where the event was logged.
**Attack Type**: IP Enforcer Attack.
**Severity**: Not explicitly mentioned but implied by 'Attack', which is typically a high severity unless mitigated or specified otherwise.
**Action Performed**: Blocked (act=Blocked).
**Request URI**: Not provided in the log snippet, indicated by "request The URI" as N/A.
**Source IP Address of Client for ASM**: 192.168.74.169.
**Geographic Location**: Not specified (cs6=N/A).
**Dropped Requests Counter**: No requests were dropped during this event, as cn2=0 indicates zero delta from the last log message for the specific attack.
**Blocked Requests Counter**: Incremented to represent a new value of 18446744072678170139 (likely an internal ID or counter).
**Attack ID**: cn3=18446744072678170139.
**Attack Status**: Ended (cs4=Ended), indicating the phase of the attack.
**Timestamp**: Sep 10, 2010, at 23:54:51 and Sep 10, 2010, at 23:52:32 for deviceCustomDate1 (policy_apply_date).
**Security Policy Name**: maui_app_default (cs1=maui_app_default), associated with the web application named "maui_app" (cs2=maui_app).
This log provides detailed information about an intercepted attack and the actions taken by the ASM system to mitigate it, including blocking requests from a specific IP address.
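The CEF layout described earlier (seven `|`-separated header fields, an extension of key=value pairs, and custom fields such as cs1/cn3 whose meaning is carried in the matching `csNLabel`/`cnNLabel` pair) and the per-attack counters described for the anomaly events above (cn2 as a delta since the previous message, the Ongoing/Ended attack status keyed by cn3) are illustrated by the following Python example. It is added here and is not code from the guide, from F5 or from ArcSight: it parses messages, resolves the labels, and folds a sequence of messages into one record per attack ID so that the delta counters sum correctly. The sample messages are constructed; the policy and web application names, attack ID, source address, country and the `policy_apply_date` label come from the summaries above, while the hostname, timestamps, severities, the other Label strings and the non-zero cn2 delta are assumed placeholders.

```python
import re

# Constructed sample messages (not from the guide). Names, attack id, source
# address, country and the policy_apply_date label are taken from the page;
# hostname, timestamps, severities, the other *Label strings and the non-zero
# cn2 delta are ASSUMED placeholders for this example.
SAMPLE_LOGS = [
    "CEF:0|F5|ASM|11.0.0|Brute Force Attack|Brute Force Attack|5|"
    "dvchost=bigip1.example.test dvc=172.30.0.20 act=Alerted "
    "cs1=maui_app_default cs1Label=policy_name cs2=maui_app cs2Label=web_application_name "
    "deviceCustomDate1=Sep 11 2010 00:10:00 deviceCustomDate1Label=policy_apply_date "
    "cn3=3263585820 cn3Label=attack_id cs4=Ongoing cs4Label=attack_status "
    "src=120.20.20.120 cs6=AU cs6Label=geo_location request=/bf/login1.php "
    "cn2=0 cn2Label=dropped_requests rt=Sep 11 2010 00:12:00",
    # Later message for the same attack: cn2 is a delta since the previous message.
    "CEF:0|F5|ASM|11.0.0|Brute Force Attack|Brute Force Attack|5|"
    "dvchost=bigip1.example.test dvc=172.30.0.20 act=Blocked "
    "cs1=maui_app_default cs1Label=policy_name cs2=maui_app cs2Label=web_application_name "
    "cn3=3263585820 cn3Label=attack_id cs4=Ended cs4Label=attack_status "
    "src=120.20.20.120 cs6=AU cs6Label=geo_location request=/bf/login1.php "
    "cn2=7 cn2Label=dropped_requests rt=Sep 11 2010 00:15:00",
    # Per-request violation (no attack id); exercises the \| and \= escapes.
    "CEF:0|F5|ASM|11.0.0|Attack Signature triggered|XSS \\| signature|8|"
    "act=Alerted src=10.0.0.5 requestMethod=GET request=/xss/xss.php?param\\=1 "
    "cs1=maui_app_default cs1Label=policy_name cs2=maui_app cs2Label=web_application_name",
]

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")   # key= at start or after whitespace
LABEL_RE = re.compile(r"^(cs\d|cn\d|deviceCustomDate\d)Label$")


def unescape(text):
    r"""Undo CEF escaping: \| \= \\ become the literal character, \n \r newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def parse_cef(line):
    """Split one CEF line into its 7 header fields and a dict of extension pairs."""
    parts = re.split(r"(?<!\\)\|", line.rstrip("\r\n"), maxsplit=7)  # ignore escaped '|'
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message: %r" % line[:40])
    header = dict(zip(HEADER_FIELDS, (unescape(p) for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    ext, fields = parts[7], {}
    keys = list(KEY_RE.finditer(ext))
    for i, m in enumerate(keys):                  # a value runs up to the next key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = unescape(ext[m.end():end].strip())
    # Custom fields (csN, cnN, deviceCustomDateN) are only meaningful together
    # with their *Label; expose each value under that human-readable name too.
    for key, label in list(fields.items()):
        m = LABEL_RE.match(key)
        if m and m.group(1) in fields:
            fields[label] = fields[m.group(1)]
    return {"header": header, "fields": fields}


def summarize_attacks(lines):
    """Fold anomaly-detection messages into one record per attack id.
    cn2 (dropped_requests) is a delta, so totals are sums; status and action
    keep the most recent value seen."""
    attacks = {}
    for line in lines:
        ev = parse_cef(line)
        f = ev["fields"]
        attack_id = f.get("attack_id")
        if attack_id is None:          # per-request violations carry no attack id
            continue
        rec = attacks.setdefault(attack_id, {
            "attack_type": ev["header"]["name"], "web_app": f.get("web_application_name"),
            "policy": f.get("policy_name"), "sources": set(),
            "dropped_total": 0, "status": None, "last_action": None, "messages": 0})
        rec["messages"] += 1
        rec["dropped_total"] += int(f.get("dropped_requests", 0))
        rec["status"] = f.get("attack_status", rec["status"])
        rec["last_action"] = f.get("act", rec["last_action"])
        if "src" in f:
            rec["sources"].add(f["src"])
    return attacks


if __name__ == "__main__":
    for attack_id, rec in summarize_attacks(SAMPLE_LOGS).items():
        print(attack_id, rec)
```

Two design points matter when feeding these records into a SIEM. First, keys in the extension are located as `name=` preceded by whitespace, so an escaped `\=` inside a value (the XSS request above) is not mistaken for a new pair, and `\|` inside a header field does not break the header split. Second, because cn2 is a per-message delta rather than a running total, an "Ongoing" attack must be summed over all of its messages; reading only the latest message (as the summaries above note for the brute force and web scraping events) would report zero dropped requests.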
The document discusses the interoperability standard for event interoperation between ArcSight and F5, specifically focusing on the F5 BIG-IP ASM (Application Security Manager) connector. It outlines how vendor-specific event definitions are sent to the ArcSight SmartConnector, which then maps these events to specific ArcSight data fields. Key mappings include details such as the web application name (cs2), attack status (cs4), request drop count (cn2), and geographic location (cs6).
Additionally, it mentions a sample content package developed for demonstration purposes in the integration between ArcSight and F5. This package is intended to provide some basic reporting functionality within ArcSight ESM and includes details on how to install and use this package.
To install a content package in ArcSight ESM, follow these steps:
1. Log into the ArcSight ESM Console with an admin account.
2. Navigate to the Packages tab in the Navigator panel.
3. Click Import.
4. In the Open dialog, browse and select the package bundle file, then click Open. The import progress is shown in the Progress tab of the Importing Packages dialog.
5. When the import is complete, check the checkbox in the Importing Packages dialog and click Next. The install progress is displayed in the Progress tab of the Installing Packages dialog. Once installed, the Summary Report is shown on the Results tab of the Installing Packages dialog.
6. Click OK in both the Importing and Installing Packages dialogs to confirm installation.
7. Verify the installation by navigating to the Resources tab in the Navigator panel, selecting Reports from the dropdown menu, and checking the "ArcSight Partner Sample Content" folder for the F5 group.
8. The included reports are:
   - AlertedViolationsPerWebApp: Displays violations per web application as a bar chart and table.
   - AttackTypesPerWebApp: Shows attacks detected per web application in a stacked bar chart and table.
   - BlockedViolationsPerWebApp: Displays blocked violations per web application in a stacked bar chart format.
   - HTTPAttackSeverityPerWebApp: Shows HTTP attacks by severity levels per web application in a stacked bar chart and table format.
   - HTTPReq: Not specified further, possibly referring to an HTTP request-related report or metric not detailed here.
The document discusses a package for analyzing security events related to web applications. It includes visual representations such as line charts, tables, pie charts, bar charts, and event graphs that provide insights into the performance and threats of various web applications. Key features include:
1. **HTTP Request Status per Web Application**: This feature displays the HTTP request status in a line chart for trend analysis and as a table with detailed information.
2. **Top Attackers**: It identifies the top source IP addresses responsible for attacks, presenting this data in a pie chart to show the distribution and in a table format for further details.
3. **Dashboard Components**: The package includes a dashboard that integrates several data monitors and query viewers:
**Top 10 Attackers (Pie Chart)**: This visualizes the top IP addresses responsible for attacks.
**Blocked Violations by Web Application (Bar Chart)**: This bar chart shows the number of blocked violations associated with each web application.
**Top 10 Attacking Countries (Event Graph)**: This graph represents the countries from which the most attacks are launched, providing a geographical view of threats.
The documents referenced as ArcSight Technical Notes (from 15 to 18) likely provide detailed information on how to use these features and other technical specifications related to the system. The notes also highlight that this package is confidential and proprietary, indicating its sensitivity in terms of security information.
