Manual Chapter: Displaying Reports
You can use several reporting tools in Application Security Manager to analyze incoming requests, track trends in violations, generate security reports, and evaluate possible attacks. The statistics and monitoring reporting tools are:
Requests summary
Summarizes the requested URLs for web applications. See Reviewing details about requests, for more information.
Charts
Displays graphical reports about security policy violations and provides tools that let you view the data by different criteria, drill down for more data, create customized reports, and export reports. See Viewing charts, for more information.
Charts Scheduler
Allows you to periodically generate specific reports and distribute them using email.
DoS Attacks report
Displays DoS attack events, listed by the web application targeted, and the attack start and end times. See Viewing DoS Attacks reports, for more information.
Brute Force Attacks report
Displays brute-force attack events, including the web application attacked, login URL, and attack start and end times. See Viewing Brute Force Attack reports, for more information.
IP Enforcer Statistics
Lists the IP addresses that sent requests exceeding the maximum number of blocked violations, and lets you see additional details about each request and its associated violations.
Web Scraping Statistics
Displays details about web scraping attacks that the system detected and logged.
PCI Compliance report
Displays a printable Payment Card Industry (PCI) compliance report for each web application showing each security measure required for PCI-DSS 1.2, and compliance details.
For each web application, the Application Security Manager logs requests according to the logging profile (Options >> Logging Profiles). If you use local logging, you can review those requests in the Requests List on the Requests screen. For more information on configuring logging profiles, refer to Configuring a logging profile for a reporting server.
The Requests List provides information about a request such as: the request category, the time of the request, its severity, the source IP address of the request, the server response code, and the requested URL itself, as shown in Figure 16.1. Icons on each request line provide additional status information such as whether the request is legal or illegal, blocked, truncated, or has a response. The request legend describes these icons.
You can view additional details about a request, including viewing the full request itself, and any violations associated with it. You can also drill down to view detailed descriptions of the violations and potential attacks.
When viewing details about an illegal request, if you decide that the request is trusted and you want to allow it, you can accept the violations shown for this specific request.
You can use a filter to view only those requests and events that are of interest to you, as described in Filtering reports. The filter list has several built-in options that you can use to display all requests, legal requests, illegal requests, or requests that occurred within a certain time range. You can also create a custom filter and view requests by attack type, source IP address, HTTP method used, and many other options.
1. In the Application Security navigation pane, click Reporting.
The Requests screen opens, where you can review a list of requests for all web applications.
Note: If Filter details are displayed, the Requests List appears below them.
2. In the Requests List, click anywhere on a request to view information about the request and any violations associated with the request.
Click elsewhere on the line to display details on the same screen, below the Requests List (click the heading line to hide the details).
In either place, you see any violations associated with the request and other details, such as the web application it relates to, the support ID, severity, and potential attacks that it could cause. For example, Figure 16.2 shows information about a request that caused five potential violations.
Click the icon to the left of the violation to display a general description of that type of violation. For example, Figure 16.3 shows the description of the Illegal header length violation.
If the violation is set to Alarm or Block, click the violation name to view details about this specific violation such as the file type, the expected and actual length of the query, or similar relevant information. In the popup screen that appears, you see additional details, and, for attack signatures, you can click View details to get context details.
4. To view the actual content of the request, click Full Request.
The content of the full request replaces the list of violations.
5. For illegal requests that you want to allow (false positives), click the Accept button.
The system runs the Policy Builder and resolves the listed violations for this request.
Figure 16.2 Request details
1. In the Application Security navigation pane, click Reporting.
The Requests screen opens.
2. To the right of the Requests List, click Export.
A popup screen prompts you for save options.
3. Save the file, and click OK.
The system creates a *.tar.gz file of the requests, and saves it where you specify.
If you have reviewed and dealt with requests, you may want to clear them from the Requests List. This is an optional task.
1. In the Application Security navigation pane, click Reporting.
The Requests screen opens.
To clear all requests, click Clear All.
The system prompts you to confirm the deletion.
You can display numerous graphical charts that illustrate the distribution of security alerts. You can filter the data by web application and time period, and you can view illegal requests based on different criteria such as web applications, violations, attack types, URLs, IP addresses, severity, response codes, request types, or protocols.
The system provides several predefined filters that produce charts focused on areas of interest including the top alerted applications, top violations, top attacks, and top attackers. You can use these charts as executive reports that summarize your overall system security.
Figure 16.4 is an example of a chart that shows the violations that have occurred on the system. Details below the chart include the number of occurrences for each type of violation.
You can use a filter to view the security incidents which are of interest to you. The filter list has several predefined options. In addition, you can create a custom filter. See Filtering reports.
1. In the Application Security navigation pane, click Reporting.
The Requests screen opens.
2. On the menu bar, click Charts.
The Charts screen opens, where you can view graphical reports.
3. From the Filter list, select the predefined or custom filter you want to use and click Go. For details, see Filtering reports.
4. In the Reports section, next to View by, click the viewing criteria for the report you want to see.
The Reports screen displays a graphical report of illegal requests by the selected criteria. For example, if you selected view by Violation, the report shows each type of violation against the security policy in a pie chart (shown previously in Figure 16.4), followed by a details table, and a bar chart, which displays the violations that occurred over time.
5. Click any slice in the pie chart or detail in the details table to display more information about that specific item.
The graphical report shows more details. For example, if viewing by Attack Type, you can click any attack type to view how many attacks of this type occurred for each application.
Click Reset All to remove all drilldown settings for the report but keep the view by criteria.
Click View Requests to view the requests that relate to the current report.
7. To create a PDF version of the report that you can save or print, at the bottom of the screen, click Export.
The system asks if you want to open or save the PDF file.
You can monitor graphical charts to determine how well your security policies are protecting your web applications. By viewing specific charts, you can check for false positives and adjust security policies accordingly. The contents of the charts can help you to determine why the system flagged certain requests as illegal.
For example, if you notice that many attacks are emanating from one IP address, you have identified a possible attacker. You can check the validity of that IP address. You may want to enable session-based enforcement to block those requests producing too many violations and coming from a single IP address. See Configuring IP address enforcement, for more information.
If you see that the same type of attack is coming from many different IP addresses, this may indicate a false positive, and you may need to adjust your security policy. As an example, if you see many illegal URL violations and find that they are coming from many different IP addresses, you should consider adding this URL to the security policy.
By viewing graphical reports periodically and investigating the illegal requests using different criteria, you can evaluate system vulnerabilities. As you get more familiar with the report details, you can use the information that you get to further secure your application traffic.
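The triage rule described above (many illegal requests from one IP address suggest an attacker; the same violation from many different IP addresses suggests a false positive), as an added example that is not F5 code. The record fields (`src`, `violation`, `url`), the sample data, and both thresholds are assumptions; the layout of the ASM request export is not described in this chapter.

```python
from collections import Counter, defaultdict

# Constructed sample of illegal requests. The field names are assumptions,
# not the schema of the ASM request export.
SAMPLE = (
    [{"src": "203.0.113.7", "violation": "Illegal header length",
      "url": f"/app/page{i}"} for i in range(6)]
    + [{"src": f"198.51.100.{i}", "violation": "Illegal URL",
        "url": "/promo/new.html"} for i in range(1, 6)]
    + [{"src": "192.0.2.44", "violation": "Illegal header length",
        "url": "/index.html"}]
)


def triage(records, ip_min_requests=5, fp_min_sources=4):
    """Split illegal requests into review queues.

    possible_attackers: source IPs with at least ip_min_requests illegal
        requests (candidates for IP address enforcement).
    possible_false_positives: (violation, url) pairs seen from at least
        fp_min_sources distinct IPs, not counting IPs already flagged above
        (candidates for a security policy adjustment).
    Both thresholds are illustrative assumptions.
    """
    per_ip = Counter(r["src"] for r in records)
    attackers = {ip for ip, n in per_ip.items() if n >= ip_min_requests}

    sources = defaultdict(set)
    for r in records:
        # A noisy single source must not make a pair look widespread.
        if r["src"] not in attackers:
            sources[(r["violation"], r["url"])].add(r["src"])

    false_positives = sorted(
        pair for pair, ips in sources.items() if len(ips) >= fp_min_sources
    )
    return {
        "possible_attackers": sorted(attackers),
        "possible_false_positives": false_positives,
    }


if __name__ == "__main__":
    result = triage(SAMPLE)
    for ip in result["possible_attackers"]:
        print(f"review source IP {ip}")
    for violation, url in result["possible_false_positives"]:
        print(f"review policy for {violation} on {url}")
```

Both queues are review lists for an analyst: check the validity of a flagged IP address before enforcing on it, and confirm that a flagged URL is legitimate before adding it to the security policy.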
You can configure the Charts Scheduler to send predefined charts to specific email addresses periodically. Create a schedule for each chart that you want to send. Figure 16.5 shows an example of the chart scheduler.
Note: You need to configure SMTP before you can send email notifications. If SMTP is not configured, an alert appears on the screen that links to SMTP configuration (Options >> SMTP Configuration). Also, make sure the SMTP server is on the DNS lookup server list (System >> Configuration >> Device >> DNS).
1. On the Application Security navigation pane, point to Reporting, then Charts, and click Charts Scheduler.
The Charts Scheduler screen opens.
3. Click Create.
The Chart Schedule Properties screen opens.
4. For Schedule Title, type a name for this schedule.
5. In the Send To (E-Mails) box, type each email address where you want the system to send a copy of the chart, then click Add.
6. From the Chart list, select the predefined chart to send.
7. For Send Every, select how often to send the charts, and after starting at, set the time and date to begin sending the charts.
8. Click Save to save the schedule.
The Chart Scheduler screen shows the schedule you added.
The DoS Attacks report displays information about denial of service (DoS) attacks, including the associated web application and the start and end times of an attack. For details on configuring DoS attack detection, see Preventing DoS attacks for Layer 7 traffic.
1. In the Application Security navigation pane, point to Reporting, point to Anomaly Statistics, then click DoS Attacks.
The DoS Attacks screen opens.
2. From the Filter list, select Show All.
3. Click Go.
The screen refreshes, and the DoS Attacks report displays all DoS Attack events.
The Brute Force Attack report displays information about brute force attacks, including the web application, login URL, and start and end times of an attack. For details on configuring brute force attack detection, see Mitigating brute force attacks.
1. In the Application Security navigation pane, point to Reporting, point to Anomaly Statistics, then click Brute Force Attacks.
The Brute Force Attacks screen opens.
2. From the Filter list, select Show All.
3. Click Go.
The screen displays a report to show all brute force attack events.
The IP Enforcer statistics are available in the Reporting section of the Application Security Manager. The IP Enforcer Statistics report shows the IP addresses of the clients that were attacking a web application, and which requests were blocked based on a security policy and IP Enforcer configuration. For details about the IP Enforcer, see Configuring IP address enforcement.
Note: To gather IP Enforcer statistics, you must have configured the IP Enforcer in the Blocking or Transparent operation mode, and the security policy must block one or more violations. See Configuring IP address enforcement.
1. In the Application Security navigation pane, point to Reporting, point to Anomaly Statistics, then click IP Enforcer Statistics.
The IP Enforcer Statistics screen opens.
2. From the Filter list, select Show All.
3. Click Go.
The IP Enforcer Statistics screen displays all IP Enforcer statistics.
The Web Scraping Statistics report displays information about web scraping attacks that the system detected and logged. The statistics include the client IP address, web application, start and end time, and the number of dropped and violating requests. For details on configuring web scraping detection, see Detecting and preventing bot activity and web scraping.
Figure 16.6 shows an example of web scraping statistics that all originate from the IP address 192.168.172.60 for the web application called asas.
1. In the Application Security navigation pane, point to Reporting, point to Anomaly Statistics, then click Web Scraping Statistics.
The Web Scraping Statistics screen opens.
2. From the Filter list, select Show All.
3. Click Go.
The screen refreshes, and the Web Scraping Statistics displays all incidents of web scraping that were detected.
The PCI Compliance report displays details on how closely the security policy of a web application meets Payment Card Industry (PCI) security standards, PCI-DSS 1.2. The report indicates which requirements Application Security Manager can help enforce, and allows you to view details about what to configure differently to meet compliance standards.
You can create printable versions of PCI compliance reports for each web application to assure auditors that the BIG-IP system and your web applications are secure.
Figure 16.7 shows a sample PCI Compliance report with two requirements in compliance, four not in compliance, and several items that you must make compliant outside of Application Security Manager.
1. In the Application Security navigation pane, click Reporting.
The Requests screen opens.
2. On the menu bar, click PCI Compliance.
The PCI Compliance Report screen opens showing a compliance report for the current web application.
3. To learn more about items that are not PCI compliant (items with a red X), in the summary next to the requirement, click View Details.
The screen shows information about how to make an item compliant. For example, Figure 16.8 shows that the vendor-supplied default passwords are used for the root and admin users.
5. To display a PCI compliance report for a different web application, from the Web Application setting, select the application name.
A PCI compliance report for the new web application opens.
You can check how much of the available CPU resources the Application Security Manager is using, or how much of the overall system resources are being used.
In the Application Security navigation pane, expand Overview and click CPU Utilization.
The CPU Utilization screen opens.
In the system navigation pane, expand Overview and click Performance to view overall system CPU usage.
You can display statistics regarding the web application traffic that the Application Security Manager is handling, and the transactions per second on the network.
1. In the Application Security navigation pane, expand Overview and click Welcome.
The Welcome screen opens and shows the configured web applications and security policies, traffic and network statistics, top requested URLs, and top requesting IP addresses.
Tip: See the online help for information about the display options for the graphs.
2. From the Web Application list, select an application to narrow down the statistics.
You can use a filter to view the information of interest to you in several of the reports. You can filter reports that show requests, charts, and anomaly statistics.
You can use the predefined filter options that are applicable to each type of information. Alternatively, you can create a custom filter that refines the report by criteria such as web application and time period.
1. In the Application Security navigation pane, click Reporting and display the report you are interested in.
2. From the Filter list, select the filter you want to use.
3. Click Go.
The screen displays the filtered report.
1. In the Application Security navigation pane, click Reporting and display the report you are interested in.
2. If the filter options are not displayed, to the left of the Filter setting, click the Show/Hide Filter button.
The screen displays the custom filter options.
3. Specify the criteria by which you want the Filter option to filter the report. The filter options vary for different reports. Refer to the online help for descriptions of the options.
4. Click the Save Filter button.
A popup screen opens.
5. Type a name for the custom filter, and click OK.
The screen refreshes, and you see the custom filter in the Filter list.
6. From the Filter list, select the custom filter that you just created, and then click Go.
The report displays the filtered information.