Manual Chapter: Event Messages and Attack Types

Fields in ASM Violations event messages

This table lists the fields contained in event messages that might display in ASM logs. The fields are listed in the order in which they appear in a message in the log.

Field name and type | Example value | Description
unit_hostname (string) | bigip-4.pme-ds.f5.com | BIG-IP system FQDN
management_ip_address (IP address) | 192.168.1.246 | BIG-IP system management IP address
http_class_name (string) | /Common/topaz4-web4 | HTTP policy name
policy_name (string) | My security policy | Name of the security policy reporting the violation
violations (string) | Attack signature detected | Violation name
support_id (non-negative integer) | 18205860747014045721 | Internally generated integer to assist with client access support
request_status (string) | Blocked | Action applied to the client request
response_code (non-negative integer) | 200 | The HTTP response code returned by the back-end server (application). This information is only relevant for requests that are not blocked.
ip_client (IP address) | 192.168.5.10 | Client source IP address
route_domain (non-negative integer) | 0 (zero) | Route domain number
method (string) | GET | HTTP method requested by client
protocol (string) | HTTP, HTTPS | Protocol name
query_string (string) | key1=val1&key2=val2 | Query sent by client; the query appears in the first line of the HTTP request after the path and the question mark (?)
x_forwarded_for_header_value (string) | 192.168.5.10 | Value of the XFF HTTP header
sig_ids (positive non-zero integer) | 200021069 | Signature ID number
sig_names (string) | Automated client access %22wget%22 | Signature name
date_time (string) | 2012-09-19 13:52:29 | Date and time in the format YYYY-MM-DD HH:MM:SS
severity (string) | Error | Severity category to which the event belongs
attack_type (string) | Non-browser client | Name of identified attack
geo_location (string) | USA/NY | Country/city location information
ip_address_intelligence (string) | Botnets, Scanners | List of IP intelligence categories found for an IP address
username (string) | Admin | User name for client session
session_id (hexadecimal number) | a9141b68ac7b4958 | TCP session ID
src_port (non-negative integer) | 52974 | Client protocol source port
dest_port (non-negative integer) | 80 | Requested service listening port number
dest_ip (IP address) | 192.168.5.11 | Requested service IP address
sub_violations (string) | Bad HTTP version, Null in request | Comma-separated list of sub-violation strings
virus_name (string) | Melissa | Virus name
uri (string) | / | URI requested by client
request (string) | GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n | Request string sent by client
headers | Host: myhost.com; Connection: close | Found in request logs
response | HTTP/1.1 200 OK Content-type: text/html Content-Length: 7 <html/> | HTTP response from server when response logging is configured
violation_details (string) | <?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name><http_sanity_checks_status>65536</http_sanity_checks_status><http_sub_violation_status>65536</http_sub_violation_status><http_sub_violation>SFRUUCB2ZXJzaW9uIG5vdCBmb3VuZA==</http_sub_violation></violation></request-violations></BAD_MSG> | Extended information about a violation on a transaction

ASM Violations example events

This list contains examples of events you might find in ASM logs.

Examples of ASM log messages in the ArcSight CEF format

<134>Sep 19 13:35:00 bigip-4.pme-ds.f5.com ASM:CEF:0|F5|ASM|11.3.0|Successful Request|Successful Request|2| dvchost=bigip-4.pme-ds.f5.com dvc=192.168.73.34 cs1=topaz4-web4 cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name deviceCustomDate1=Sep 19 2012 11:38:36 deviceCustomDate1Label=policy_apply_date externalId=18205860747014045699 act=passed cn1=200 cn1Label=response_code src=10.4.1.101 spt=52963 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP cs5=N/A cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:35:00 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A suid=2e769a9e1ea8b777 suser=N/A request=/ cs3Label=full_request cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n

<131>Sep 19 13:53:34 bigip-4.pme-ds.f5.com ASM:CEF:0|F5|ASM|11.3.0|200021069|Automated client access "wget"|5|dvchost=bigip-4.pme-ds.f5.com dvc=192.168.73.34 cs1=topaz4-web4 cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name deviceCustomDate1=Sep 19 2012 13:49:25 deviceCustomDate1Label=policy_apply_date externalId=18205860747014045723 act=blocked cn1=0 cn1Label=response_code src=10.4.1.101 spt=52975 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP cs5=N/A cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:53:33 deviceExternalId=0 cs4=Non-browser Client cs4Label=attack_type cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A suid=86c4f8bf7349cac9 suser=N/A request=/ cs3Label=full_request cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n
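The two CEF messages above show the convention that matters when you ingest ASM events: seven pipe-separated header fields (vendor, product, version, signature ID, name, severity), then a space-separated extension of key=value pairs in which ArcSight custom fields (cs1, cn1, c6a1, deviceCustomDate1, ...) get their meaning from a companion *Label pair, so cs1=topaz4-web4 cs1Label=policy_name is really policy_name. The following is an added Python example, not code from F5 or from this manual, that parses such messages and resolves the labels; the two sample lines are copied from this page, and the function names are my own.

```python
import re
from typing import Any, Dict, List

# The two ASM ArcSight CEF messages shown on this page, embedded here as sample input.
# Raw strings keep the literal \r\n escape sequences that CEF uses inside a value.
SAMPLE_CEF_LINES = [
    r'<134>Sep 19 13:35:00 bigip-4.pme-ds.f5.com ASM:CEF:0|F5|ASM|11.3.0|Successful Request|Successful Request|2| dvchost=bigip-4.pme-ds.f5.com dvc=192.168.73.34 cs1=topaz4-web4 cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name deviceCustomDate1=Sep 19 2012 11:38:36 deviceCustomDate1Label=policy_apply_date externalId=18205860747014045699 act=passed cn1=200 cn1Label=response_code src=10.4.1.101 spt=52963 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP cs5=N/A cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:35:00 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A suid=2e769a9e1ea8b777 suser=N/A request=/ cs3Label=full_request cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n',
    r'<131>Sep 19 13:53:34 bigip-4.pme-ds.f5.com ASM:CEF:0|F5|ASM|11.3.0|200021069|Automated client access "wget"|5|dvchost=bigip-4.pme-ds.f5.com dvc=192.168.73.34 cs1=topaz4-web4 cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name deviceCustomDate1=Sep 19 2012 13:49:25 deviceCustomDate1Label=policy_apply_date externalId=18205860747014045723 act=blocked cn1=0 cn1Label=response_code src=10.4.1.101 spt=52975 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP cs5=N/A cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:53:33 deviceExternalId=0 cs4=Non-browser Client cs4Label=attack_type cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A suid=86c4f8bf7349cac9 suser=N/A request=/ cs3Label=full_request cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n',
]

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# CEF escapes: \| and \= protect the delimiters, \\ is a backslash,
# \r and \n carry line breaks inside a single-line message.
_ESCAPES = {"|": "|", "=": "=", "\\": "\\", "r": "\r", "n": "\n"}

# One extension pair: key, "=", then a value running up to the next " key=" or end of line.
# Values may contain spaces (rt=Sep 19 2012 13:35:00), so the boundary is the next key, not a space.
_EXT_PAIR = re.compile(r"([A-Za-z0-9_.]+)=(.*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), value)


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one CEF message (with or without a syslog prefix) into a flat dict.

    Custom fields are renamed using their *Label companions, so the result carries
    policy_name, attack_type, full_request, ... instead of cs1, cs4, cs3."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    # Header: seven pipe-separated fields; a pipe inside a field is escaped as \|
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event: Dict[str, Any] = {"syslog_prefix": line[:start].rstrip()}
    event.update(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    event["cef_version"] = event["cef_version"].split(":", 1)[1]  # "CEF:0" -> "0"
    raw = {k: _unescape(v) for k, v in _EXT_PAIR.findall(parts[7])}
    for key, value in raw.items():
        if key.endswith("Label"):
            continue
        event[raw.get(key + "Label", key)] = value  # label wins when present
    return event


def blocked_signature_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Triage view: support ID, signature ID, client and attack type of every blocked request.
    The support ID (externalId) is what you quote when tracing a block in the ASM GUI."""
    hits = []
    for ev in map(parse_cef, lines):
        if ev.get("act") == "blocked":
            hits.append({"support_id": ev["externalId"], "signature_id": ev["signature_id"],
                         "client": ev["src"], "attack_type": ev["attack_type"]})
    return hits


if __name__ == "__main__":
    for ev in map(parse_cef, SAMPLE_CEF_LINES):
        print(ev["policy_name"], ev["act"], ev["signature_id"], ev["name"], ev["attack_type"])
    print(blocked_signature_hits(SAMPLE_CEF_LINES))
```

The regex-driven extension parser is deliberate: splitting on spaces breaks as soon as a value such as rt=Sep 19 2012 13:35:00 or cs4=Non-browser Client appears, whereas a "value ends where the next key begins" rule survives them. Note that cs3Label arrives before cs3 in the sample, so labels must be resolved after the whole extension has been read.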

Example of ASM log message in the Remote Server format

<134>Sep 19 13:42:41 bigip-4.pme-ds.f5.com ASM:"", "2012-09-19 13:42:40","10.4.1.200","80","N/A","/Common/topaz4-web4" "N/A","10.4.1.101","10.4.1.101%0","192.168.73.34","GET", "2012-09-19 11:38:36","topaz4-web4","HTTP","", "GET / HTTP/1.0\r\nUser-Agent: Wget/1.12(linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n","passed", "Response logging disabled","200","0","7514e0ee8f0eb493","Informational", "","","52965","","18205860747014045703","bigip-4.pme-ds.f5.com","/","N/A", "<?xml version='1.0' encoding='UTF-8'?><BAD_MSG> <request-violations><violation><viol_index>42</viol_index> <viol_name>VIOL_ATTACK_SIGNATURE</viol_name> <context>request</context><sig_data> <sig_id>200021069</sig_id><blocking_mask>4</blocking_mask> <kw_data><buffer>VXNlci1BZ2VudDogV2dldC8xLjEyIChsaW51eC1nbnUpDQpBY2NlcHQ6ICovKg0KSG9zdDogMTAuNC4xLjIwMA0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KDQo=</buffer> <offset>0</offset><length>16</length></kw_data> </sig_data></violation></request-violations> </BAD_MSG>","","N/A","N/A"
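The violation_details document at the end of the Remote Server message (and the VIOL_HTTP_PROTOCOL document shown in the field table) carries its payloads base64-encoded: for a signature hit, the inspected buffer plus an offset/length pair that locates the keyword match; for a protocol violation, the sub-violation text. The following is an added Python example, not F5's code, that decodes both kinds; the two XML documents are the ones on this page (with the line-wrap debris inside the base64 removed), and the function names are my own.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List

# Sample documents copied from this page: the VIOL_ATTACK_SIGNATURE document from the
# Remote Server example and the VIOL_HTTP_PROTOCOL document from the violation_details row.
SAMPLE_SIGNATURE_XML = (
    "<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations><violation>"
    "<viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name>"
    "<context>request</context><sig_data><sig_id>200021069</sig_id>"
    "<blocking_mask>4</blocking_mask><kw_data><buffer>VXNlci1BZ2VudDogV2dldC8xLjEyIChsaW51eC1nbnUp"
    "DQpBY2NlcHQ6ICovKg0KSG9zdDogMTAuNC4xLjIwMA0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KDQo=</buffer>"
    "<offset>0</offset><length>16</length></kw_data></sig_data></violation>"
    "</request-violations></BAD_MSG>"
)
SAMPLE_PROTOCOL_XML = (
    "<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations><violation>"
    "<viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name>"
    "<http_sanity_checks_status>65536</http_sanity_checks_status>"
    "<http_sub_violation_status>65536</http_sub_violation_status>"
    "<http_sub_violation>SFRUUCB2ZXJzaW9uIG5vdCBmb3VuZA==</http_sub_violation>"
    "</violation></request-violations></BAD_MSG>"
)


def _b64(text: str) -> bytes:
    """Decode a base64 element body, ignoring any whitespace that log wrapping inserted."""
    return base64.b64decode("".join(text.split()))


def decode_violation_details(xml_text: str) -> List[Dict[str, object]]:
    """Turn a violation_details document into one record per <violation> element.

    Signature hits: decode <buffer>, then cut out the keyword match at <offset>/<length>.
    Protocol violations: decode <http_sub_violation> into readable text."""
    root = ET.fromstring(xml_text.encode("utf-8"))  # bytes, so the encoding declaration is honoured
    records: List[Dict[str, object]] = []
    for viol in root.iter("violation"):
        rec: Dict[str, object] = {
            "name": viol.findtext("viol_name"),
            "index": int(viol.findtext("viol_index", default="0")),
        }
        sig = viol.find("sig_data")
        if sig is not None:
            buf = _b64(sig.findtext("kw_data/buffer", default=""))
            off = int(sig.findtext("kw_data/offset", default="0"))
            ln = int(sig.findtext("kw_data/length", default="0"))
            rec.update(
                sig_id=sig.findtext("sig_id"),
                blocking_mask=int(sig.findtext("blocking_mask", default="0")),
                context=viol.findtext("context"),
                matched=buf[off:off + ln].decode("utf-8", "replace"),
                buffer=buf.decode("utf-8", "replace"),
            )
        sub = viol.findtext("http_sub_violation")
        if sub:
            rec["sub_violation"] = _b64(sub).decode("utf-8", "replace")
        records.append(rec)
    return records


if __name__ == "__main__":
    for doc in (SAMPLE_SIGNATURE_XML, SAMPLE_PROTOCOL_XML):
        for rec in decode_violation_details(doc):
            print(rec["name"], rec.get("sig_id"), repr(rec.get("matched") or rec.get("sub_violation")))
```

For the signature document the decoded buffer is the request headers from the log (User-Agent, Accept, Host, Connection), and offset 0 with length 16 selects "User-Agent: Wget", which is exactly what signature 200021069 ("Automated client access wget") keyed on; for the protocol document the sub-violation decodes to "HTTP version not found". Decoding this field in the SIEM pipeline lets an analyst see the matched bytes without re-running the request.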

Example of ASM log message in the Remote Syslog format

23003140

Examples of ASM log messages in the Reporting Server format

<134>Sep 19 13:40:27 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com", management_ip_address="192.168.73.34",http_class_name="/Common/topaz4-web4", policy_name="topaz4-web4",policy_apply_date="2012-09-19 11:38:36", violations="",support_id="18205860747014045701",request_status="passed", response_code="200",ip_client="10.4.1.101",route_domain="0",method="GET", protocol="HTTP",query_string="",x_forwarded_for_header_value="N/A", sig_ids="",sig_names="",date_time="2012-09-19 13:40:26", severity="Informational",attack_type="",geo_location="N/A", ip_address_intelligence="N/A",username="N/A", session_id="98630496c8413322",src_port="52964",dest_port="80", dest_ip="10.4.1.200",sub_violations="",virus_name="N/A",uri="/", request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n"

<131>Sep 19 13:52:30 bigip-4.pme-ds.f5.com ASM:unit_hostname="bigip-4.pme-ds.f5.com", management_ip_address="192.168.73.34",http_class_name="/Common/topaz4-web4", policy_name="topaz4-web4",policy_apply_date="2012-09-19 13:49:25", violations="Attack signature detected",support_id="18205860747014045721", request_status="blocked",response_code="0",ip_client="10.4.1.101", route_domain="0",method="GET",protocol="HTTP",query_string="", x_forwarded_for_header_value="N/A",sig_ids="200021069", sig_names="Automated client access %22wget%22", date_time="2012-09-19 13:52:29",severity="Error", attack_type="Non-browser Client",geo_location="N/A", ip_address_intelligence="N/A",username="N/A",session_id="a9141b68ac7b4958", src_port="52974",dest_port="80",dest_ip="10.4.1.200",sub_violations="", virus_name="N/A",uri="/",request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n"

Fields in ASM Brute Force and Web Scraping event messages

This table lists the fields contained in event messages that might display in ASM logs. The fields are listed in alphabetical order by field name.

Field name and type | Example value | Description
act (string) | Alerted or Blocked | Action taken in response to the attack
anomaly_attack_type (string) | DoS attack or Brute Force attack | Type of attack
attack_id (integer) | 12345678 | Unique identifier of an attack
attack_status (string) | Started, Ended, or Ongoing | Status of an attack
current_mitigation (string) | Source IP-based client-side integrity defense, URL-based client-side integrity defense, Source IP-based rate limiting, URL-based rate limiting, or Transparent | How the attack is being mitigated
date_time (string) | 2012-11-07 06:53:06, or for ArcSight: Nov 07 2012 06:53:50 | Current date and time in the format YYYY-MM-DD HH:MM:SS, or for ArcSight MMM DD YYYY HH:MM:SS
detection_average (integer) | 400 | Historical average of TPS, latency, or failed logins
detection_mode (string) | For DoS attacks: TPS Increased or Latency Increased; for Brute Force attacks: Number of Failed Logins Increased | How the attack was detected
dropped_requests (integer) | 10000 | Number of dropped requests
dvc (IP address) | 192.168.1.246 | BIG-IP system management IP address
dvchost (string) | bigip-4.asm-ds.f5.com | BIG-IP system host name
geo_location (string) | USA/NY | Country/city location information
ip_list (IP addresses) | 192.168.5.10:ny, ny, usa:150 | Comma-delimited list of attacker IP addresses in the format client_ip_addr:geo_location:drops_counter
management_ip_address (IP address) | 192.168.1.246 | BIG-IP system management IP address
operation_mode (string) | Transparent or Blocking | Current operation mode in the security policy
policy_apply_date | 2012-11-07 06:53:06, or for ArcSight: Nov 07 2012 06:53:50 | The date and time the policy was last applied, in the format YYYY-MM-DD HH:MM:SS, or for ArcSight MMM DD YYYY HH:MM:SS
policy_name (string) | My policy | Name of the current active policy reporting the violation
request (URL) | www.siterequest.com | Login URL attacked by a Brute Force attack
rt (string) | Nov 07 2012 06:53:50 | Current date and time in the format MMM DD YYYY HH:MM:SS
severity (string) | Emergency | Severity category for attacks; always Emergency
source_ip (IP address) | 192.168.4.1:ny, ny, usa:150000 | IP address from which the attack originates, in the format client_ip_addr:geo_location:drops_counter
src (IP address) | 192.168.4.1 | IP address from which the attack originates
unit_hostname (string) | bigip-4.asm-ds.f5.com | BIG-IP system FQDN
uri (string) | / | Login URL that was subject to a Brute Force attack
url_list (URLs) | 192.168.50.1:sf, ca, usa:200 | Comma-delimited list of attacked URLs in the format client_ip_addr:geo_location:drops_counter
violation_counter (integer) | 100 | Number of violations
web_application_name | My PTO | Name of the web application in which the violation occurred

ASM Anomaly example events

This list contains examples of events you might find in ASM logs.

Example of ASM Anomaly log messages in the ArcSight CEF format
CEF:0 |F5|%s|%s|%s|%s|%d| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status request=%s src=%s cs6=%s cs6Label=geo_location cs5=%s cs5Label=detection_mode rt=%s cn1=%d cn1Label=detection_average cn2=%llu cn2Label=dropped_requests
CEF:0 |F5|%s|%s|%s|%s|%d| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status src=%s cs6=%s cs6Label=geo_location cn2=%llu cn2Label=dropped_requests rt=%s
CEF:0 |F5|%s|%s|%s|%s|%d| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status src=%s cs6=%s cs6Label=geo_location rt=%s cn2=%llu cn2Label=dropped_requests cn4=%u cn4Label=violation_counter
Example of ASM Anomaly log messages in the Reporting Server format
unit_hostname="%s",management_ip_address="%s",web_application_name="%s",policy_name="%s",policy_apply_date="%s",anomaly_attack_type="%s",uri="%s", attack_id="%llu",attack_status="%s",operation_mode="%s", detection_mode="%s", detection_average="%ld",current_mitigation="%s",ip_list="%s",url_list="%s",date_time="%s",severity="%s"
unit_hostname="%s",management_ip_address="%s",web_application_name="%s",policy_name="%s",policy_apply_date="%s", anomaly_attack_type="%s",attack_id="%llu",attack_status="%s",operation_mode="%s", source_ip="%s:%s:%llu",date_time="%s",severity="%s"
Example of ASM Anomaly log message in the Web Scraping format
unit_hostname="%s",management_ip_address="%s",web_application_name="%s",policy_name="%s" policy_apply_date="%s",anomaly_attack_type="%s",attack_id="%llu",attack_status="%s",operation_mode="%s", source_ip="%s:%s:%llu:%u",date_time="%s",severity="%s"

Fields in AFM event messages

This table lists the fields that are contained in event messages that might display in AFM logs. The fields are listed in alphabetical order by field name.

Field name and type | Example value | Description
acl_rule_name (string) | Non-browser client | Name of ACL rule
action (string) | Accept, Accept decisively, Drop, Reject, Established, Closed | Action performed
hostname (string) | FQDN | BIG-IP system FQDN
bigip_mgmt_ip (IP address) | 192.168.1.246 | BIG-IP system management IP address
context_name (string) | /Common/topaz3-web3 | Name of the object to which the rule applies
context_type (string) | Global, Route Domain, Virtual Server, Self IP address, or Management port | Category of the object to which the rule applies
date_time (string) | 01 11 2012 13:11:10 | Date and time the event occurred, in the format MMM DD YYYY HH:MM:SS
dest_ip (IP address) | 192.168.3.1 | Destination IP address
dest_port (integer) | 80 | Protocol port number
device_product (string) | Advanced Firewall Module | Name of the BIG-IP system module generating the event message
device_vendor (string) | F5 | F5 static keyword
device_version (string) | 11.3.0.2012.0 | BIG-IP system software version in the format version.point_release.0.yyyy.0
drop_reason (string) | (empty), <name of error>, Policy | Reason the action was performed
errdefs_msgno (integer) | 23003137 | Event number
errdefs_msg_name (string) | Network event | Event name
ip_protocol (string) | TCP, UDP, ICMP | Name of protocol
severity (integer) | 8 | Level of the event by number
partition_name (string) | Common | Name of the partition or folder in which the object resides
route_domain (integer) | 1 | Route domain number (non-negative)
src_ip (IP address) | 192.168.3.1 | Source IP address
src_port (integer) | 80 | Protocol port number (non-negative)
vlan (string) | External | VLAN interface name

AFM example events

This list contains examples of events you might find in AFM logs.

Examples of AFM log messages in the ArcSight CEF format

CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=39321 dst=10.3.1.200 dpt=443 proto=TCP cs1=/Common/topaz3-all3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Accept c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5=allow_https cs5Label=acl_rule_name

CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=52799 dst=10.3.1.200 dpt=80 proto=TCP cs1=/Common/topaz3-web3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Open c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5= cs5Label=acl_rule_name

CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=52799 dst=10.3.1.200 dpt=80 proto=TCP cs1=/Common/topaz3-web3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Closed c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5= cs5Label=acl_rule_name

CEF:0|F5|Advanced Firewall Module|11.3.0.2790.300|23003137|Network Event|8|rt=Nov 08 2012 18:35:15 dvchost=asm123.lab.test.com dvc=192.168.69.176 src= spt=20 dst= dpt=80 proto=TCP cs1= cs1Label=Global cs2=/Common/VLAN10 cs2Label=vlan act=Accept c6a2=fc55::99 c6a2Label=source_address c6a3=fc55::3 c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5=TCP cs5Label=acl_rule_name

Examples of AFM log messages in the Reporting Server format

acl_rule_name="allow_http",action="Accept", hostname="bigip-3.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.33", context_name="/Common/topaz3-web3",context_type="Virtual Server", date_time="Oct 04 2012 13:18:04",dest_ip="10.3.1.200",dest_port="80", device_product="Advanced Firewall Module",device_vendor="F5", device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137", errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8", partition_name="Common",route_domain="0",source_ip="10.3.1.101", source_port="52807",vlan="/Common/external"

acl_rule_name="",action="Open", hostname="bigip-3.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.33", context_name="/Common/topaz3-all3",context_type="Virtual Server", date_time="Oct 04 2012 13:18:04",dest_ip="10.3.1.200",dest_port="443", device_product="Advanced Firewall Module",device_vendor="F5", device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137", errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8", partition_name="Common",route_domain="0",source_ip="10.3.1.101", source_port="39329",vlan="/Common/external"

acl_rule_name="", action="Closed",hostname="bigip-3.pme-ds.f5.com", bigip_mgmt_ip="192.168.73.33",context_name="/Common/topaz3-all3", context_type="Virtual Server",date_time="Oct 04 2012 13:18:04", dest_ip="10.3.1.200",dest_port="443", device_product="Advanced Firewall Module",device_vendor="F5", device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137", errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8", partition_name="Common",route_domain="0",source_ip="10.3.1.101", source_port="39329",vlan="/Common/external"

Examples of AFM log messages in the Splunk format

acl_rule_name="TCP",action="Accept",hostname="asm123.lab.test.com", bigip_mgmt_ip="192.168.69.176",context_name="",context_type="Global", date_time="Nov 08 2012 18:38:18",dest_ip="fc55::3",dest_port="80", device_product="Advanced Firewall Module",device_vendor="F5", device_version="11.3.0.2790.300",drop_reason="",errdefs_msgno="23003137", errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8", partition_name="Common",route_domain="0",source_ip="fc55::99", source_port="20",vlan="/Common/VLAN10"

acl_rule_name="",action="Drop", hostname="asm123.lab.test.com",bigip_mgmt_ip="192.168.69.176", context_name="/Common/vs10_TCP_IPv6",context_type="Virtual Server", date_time="Nov 08 2012 18:38:18",dest_ip="fc55::3",dest_port="80", device_product="Advanced Firewall Module",device_vendor="F5", device_version="11.3.0.2790.300",drop_reason="Bad TCP checksum", errdefs_msgno="23003137",errdefs_msg_name="Network Event", ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0", source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10"

Example of AFM log message in the Syslog format

23003137 [F5@12276 acl_rule_name="TCP" action="Accept" hostname="asm123.lab.test.com" bigip_mgmt_ip="192.168.69.176" context_name="" context_type="Global" date_time="Nov 08 2012 18:42:49" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" drop_reason="" errdefs_msgno="23003137" errdefs_msg_name="Network Event" ip_protocol="TCP" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "192.168.69.176", "asm123.lab.test.com","Global","","fc55::99","fc55::3","20","80", "/Common/VLAN10","TCP","0","TCP","Accept",""

23003137 [F5@12276 acl_rule_name="" action="Drop" hostname="asm123.lab.test.com" bigip_mgmt_ip="192.168.69.176" context_name="/Common/vs10_TCP_IPv6" context_type="Virtual Server" date_time="Nov 08 2012 18:42:49" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" drop_reason="Bad TCP checksum" errdefs_msgno="23003137" errdefs_msg_name="Network Event" ip_protocol="TCP" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "192.168.69.176","asm123.lab.test.com", "Virtual Server","/Common/vs10_TCP_IPv6","fc55::99","fc55::3","20","80", "/Common/VLAN10","TCP","0","","Drop","Bad TCP checksum"

Example of AFM log message in the Syslog BSD format

23003137 "192.168.69.176","asm123.lab.test.com","Global","","fc55::99", "fc55::3","20","80","/Common/VLAN10","TCP","0","TCP","Accept",""

23003137 "192.168.69.176","asm123.lab.test.com","Virtual Server", "/Common/vs10_TCP_IPv6","fc55::99","fc55::3","20","80","/Common/VLAN10", "TCP","0","","Drop","Bad TCP checksum"

Example of AFM log message in the Syslog Legacy F5 format

Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 allow_dns-tcp, Accept,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server, Oct 04 2012 11:20:15,10.3.1.200,2607,,192.168.73.33,TCP,0,10.3.1.101,47910 ,/Common/external

Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 ,Open,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server, Oct 04 2012 11:20:15,10.3.1.200,1666,,192.168.73.33,TCP,0,10.3.1.101,36388, /Common/external

Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 ,Closed,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server, Oct 04 2012 11:20:15,10.3.1.200,1666,,192.168.73.33,TCP,0,10.3.1.101,36388, /Common/external

Fields in Network DoS Protection event messages

This table lists the fields that are contained in event messages that might display in the DoS Protection logs. The fields are listed in alphabetical order by field name.

Field name and type | Example value | Description
action (string) | Allow, Drop, None | Action performed or reported
hostname (string) | FQDN | BIG-IP system FQDN
bigip_mgmt_ip (IP address) | 192.168.1.246 | BIG-IP system management IP address
date_time (string) | 01 11 2012 13:11:10 | Date and time the event occurred, in the format MMM DD YYYY HH:MM:SS
dest_ip (IP address) | 192.168.3.1 | Destination IP address
dest_port (integer) | 80 | Protocol port number (non-negative)
device_product (string) | Advanced Firewall Module | Name of the BIG-IP system module generating the event message
device_vendor (string) | F5 | F5 static keyword
device_version (string) | 11.3.0.2012.0 | BIG-IP system software version in the format mm.dd.0.yyyy.0
dos_attack_event (string) | Attack started, Attack Sampled, Attack Stopped | Attack instance start, sample and stop events
dos_attack_id (string) | 2760296639 | Unique, non-negative attack ID
dos_attack_name (string) | ICMP Flood, Bad TCP checksum | Network DoS event
errdefs_msgno (integer) | 23003138 | Static number
errdefs_msg_name (string) | Network DoS event | Static keyword
severity (integer) | 8 | Event severity value (non-negative integer)
partition_name (string) | Common | Name of the partition in which the virtual server resides
route_domain (integer) | 1 | Route domain number (non-negative)
src_ip (IP address) | 192.168.3.1 | Source IP address
src_port (integer) | 80 | Protocol port number (non-negative)
vlan (string) | External | Name of the VLAN interface

Network DoS Protection attack types

This table lists Network DoS attack types and provides a short description and classification. The attack types are listed in alphabetical order by attack name.

Attack name | Description | Classification
Bad ICMP frame | Bad ICMP frame | Err
Bad IP TTL value | Time-to-live equals zero for IPv4 address | Err
Bad IP version | IPv4 address version in IP header is not 4 | Err
Bad IPv6 hop count | Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are bad | Flood
Bad IPv6 version | IPv6 address version in IP header is not 6 | Err
Bad TCP checksum | Bad TCP checksum | Err
Bad TCP flags (all cleared and SEQ#=0) | Bad TCP flags (all cleared and SEQ#=0). Note: the BIG-IP system drops these packets | Err
Bad TCP flags (all flags set) | Bad TCP flags (all flags set) | Err
Bad UDP checksum | Bad UDP checksum | Err
Bad UDP header | UDP length is greater than IP length or layer 2 length | Err
Ethernet broadcast packet | Ethernet broadcast packet | Flood
Ethernet multicast packet | Ethernet multicast packet | Flood
Ethernet MAC SA = DA | Ethernet MAC SA == DA | Err
ICMP flood | ICMP flood | Flood
IP error checksum | IPv4 address header checksum error | Err
IP fragment error | IPv4 address attack caused by incomplete fragments, counted by statistics from the fragment buffer, not by the number of fragment packets | Sophisticated
IP Header length too short | IPv4 header length is less than 20 bytes | Err
IP Header length > L2 length | No room in layer 2 packet for IP header (including options) for IPv4 or IPv6 address | Err
IP length > L2 length | Total length in IPv4 address header or payload length in IPv6 address header is greater than the layer 3 length in a layer 2 packet | Err
IP option frames | IPv4 address packet with options. The db variable tm.acceptipsourceroute must be enabled to receive IP options | Flood
IP SA = DA | The IPv4 address SA equals DA | Err
IPv6 extended header frames | IPv6 address contains extended header frames | Flood
IPv6 fragment error | IPv6 address attack caused by incomplete fragments, counted by statistics from the fragment buffer, not by the number of fragment packets | Sophisticated
IPv6 length > L2 length | IPv6 address length is greater than the layer 2 length | Err
IPv6 SA = DA | IPv6 address SA equals DA | Err
L2 length > IP length | Layer 2 packet length is greater than the payload length in an IPv4 address header and the layer 2 length is greater than the minimum packet size | Flood
No L4 | No layer 4 payload for IPv4 address | Err
No L4 (extended headers go to or past end of frame) | No layer 4 (extended headers go to or past end of frame) | Err
Option present with illegal length | Option present with illegal length | Detection only
Payload length < L2 length | Payload length in IPv6 address header is less than the layer 3 length in the layer 2 packet | Err
Routing header type 0 | Routing header type zero is present | Flood
SYN & FIN set | Bad TCP flags (SYN and FIN set). Note: the BIG-IP system drops these packets | Err
TCP FIN only set | Bad TCP flags (only FIN is set) | Err
TCP header length too short (length < 5) | Offset in TCP header is less than 20 bytes | Err
TCP header length > L2 length | No room in packet for TCP header, including options | Err
TCP option overruns TCP header | TCP option overruns TCP header | Detection only
Too many extended headers | For IPv6 address there are more than four extended headers (this limit can be set using the db variable dos.maxipv6exthdrs) | Flood
TTL <= 1 | IP forwarding time-to-live is less than one | Err
Unknown TCP option type | Unknown TCP option type | Detection only

Network DoS Protection example events

This list contains examples of events you might find in Network (layer 2 - 4) DoS Protection logs.

Example of Network DoS Protection log message in the ArcSight format

CEF:0|F5|Advanced Firewall Module|11.3.0.2790.300|Bad TCP checksum|Drop|8|dvchost=asm176.labt.ts.test.com dvc=192.168.69.176 rt=Nov 08 2012 17:58:02 act=Drop cn1=3083822789 cn1Label=attack_id cs1=Attack Sampled cs1Label=attack_status src= spt=20 dst= dpt=80 cs2=/Common/VLAN10 cs2Label=vlan cs3= cs3Label=virtual_name cn4=0 cn4Label=route_domain c6a2=fc55::99 c6a2Label=source_address c6a3=fc55::3 c6a3Label=destination_address

Example of Network DoS Protection log message in the Remote Syslog format

"Nov 06 2012 02:17:27","192.168.69.245","asm245.labt.ts.test.com","", "10.10.10.2","10.10.10.200","20","80","0","/Common/vlan1","Bad TCP checksum","3044184075","Attack Sampled","Drop"

Examples of Network DoS Protection log messages in Reporting Server format

Oct 30 13:59:38 192.168.57.163 action="None", hostname="bigip-7.test.f5.com",bigip_mgmt_ip="192.168.73.18", date_time="Sep 20 2012 15:30:43",dest_ip="",dest_port="", device_product="Advanced Firewall Module",device_vendor="F5", device_version="11.3.0.1910.0",dos_attack_event="Attack Started", dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet", errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8", partition_name="Common",route_domain="",source_ip="",source_port="",vlan=""

Oct 30 13:59:38 192.168.57.163 action="Drop", hostname="bigip-7.test.f5.com",bigip_mgmt_ip="192.168.73.18", date_time="Sep 20 2012 15:30:44",dest_ip="",dest_port="", device_product="Advanced Firewall Module",device_vendor="F5", device_version="11.3.0.1910.0",dos_attack_event="Attack Sampled", dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet", errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8", partition_name="Common",route_domain="",source_ip="",source_port="", vlan="/Common/external"

Example of Network DoS Protection log message in the Splunk format

action="Blocking",hostname="bigip1",bigip_mgmt_ip="192.168.36.157",client_ip_geo_location="N/A",client_request_uri="",configuration_date_time="Nov 01 2012 04:39:57",context_name="/Common/vs_159",context_type="Virtual Server",date_time="Nov 01 2012 05:01:40",device_product="ASM",device_vendor="F5",device_version="11.3.0",dos_attack_detection_mode="TPS Increased",dos_attack_event="Attack ongoing",dos_attack_id="3131200721",dos_attack_name="DOS L7 attack",dos_attack_tps="0 tps",dos_dropped_requests_count="487",dos_mitigation_action="Source IP-Based Rate Limiting",errdefs_msgno="23003140",errdefs_msg_name="Application DoS Event",severity="7",partition_name="Common",profile_name="/Common/dos_orna",source_ip="192.168.32.22%0"

action="Blocking",hostname="bigip1",bigip_mgmt_ip="192.168.36.157",client_ip_geo_location="N/A",client_request_uri="/short.txt",configuration_date_time="Nov 01 2012 04:39:57",context_name="/Common/vs_159",context_type="Virtual Server",date_time="Nov 01 2012 05:01:40",device_product="ASM",device_vendor="F5",device_version="11.3.0",dos_attack_detection_mode="TPS Increased",dos_attack_event="Attack ongoing",dos_attack_id="3131200721",dos_attack_name="DOS L7 attack",dos_attack_tps="0 tps",dos_dropped_requests_count="487",dos_mitigation_action="Source IP-Based Rate Limiting",errdefs_msgno="23003140",errdefs_msg_name="Application DoS Event",severity="7",partition_name="Common",profile_name="/Common/dos_orna",source_ip=""

action="Drop",hostname="asm176.labt.ts.test.com",bigip_mgmt_ip="192.168.69.176",context_name="",date_time="Nov 08 2012 17:58:46",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",dos_attack_event="Attack Sampled",dos_attack_id="3083822789",dos_attack_name="Bad TCPchecksum",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10"
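The Splunk layout is a flat list of key="value" pairs, so a consumer only has to pair them up and recognise where one record ends and the next begins. The Python below is added here as an illustration; it is not part of the F5 documentation or product. It parses the two Application DoS records shown above, starting a new record whenever a key repeats (an assumption: every field occurs at most once per message), and it splits off the route-domain suffix that BIG-IP appends to addresses, so that 192.168.32.22%0 becomes address 192.168.32.22 in route domain 0.

```python
import re
from typing import Dict, List, Tuple

# The two Application DoS records from the example above, concatenated in one
# string the way they appear on the page.
SAMPLE = (
    'action="Blocking",hostname="bigip1",bigip_mgmt_ip="192.168.36.157",'
    'client_ip_geo_location="N/A",client_request_uri="",'
    'configuration_date_time="Nov 01 2012 04:39:57",'
    'context_name="/Common/vs_159",context_type="Virtual Server",'
    'date_time="Nov 01 2012 05:01:40",device_product="ASM",device_vendor="F5",'
    'device_version="11.3.0",dos_attack_detection_mode="TPS Increased",'
    'dos_attack_event="Attack ongoing",dos_attack_id="3131200721",'
    'dos_attack_name="DOS L7 attack",dos_attack_tps="0 tps",'
    'dos_dropped_requests_count="487",'
    'dos_mitigation_action="Source IP-Based Rate Limiting",'
    'errdefs_msgno="23003140",errdefs_msg_name="Application DoS Event",'
    'severity="7",partition_name="Common",profile_name="/Common/dos_orna",'
    'source_ip="192.168.32.22%0" '
    'action="Blocking",hostname="bigip1",bigip_mgmt_ip="192.168.36.157",'
    'client_ip_geo_location="N/A",client_request_uri="/short.txt",'
    'configuration_date_time="Nov 01 2012 04:39:57",'
    'context_name="/Common/vs_159",context_type="Virtual Server",'
    'date_time="Nov 01 2012 05:01:40",device_product="ASM",device_vendor="F5",'
    'device_version="11.3.0",dos_attack_detection_mode="TPS Increased",'
    'dos_attack_event="Attack ongoing",dos_attack_id="3131200721",'
    'dos_attack_name="DOS L7 attack",dos_attack_tps="0 tps",'
    'dos_dropped_requests_count="487",'
    'dos_mitigation_action="Source IP-Based Rate Limiting",'
    'errdefs_msgno="23003140",errdefs_msg_name="Application DoS Event",'
    'severity="7",partition_name="Common",profile_name="/Common/dos_orna",'
    'source_ip=""'
)

# One key="value" pair; values in this layout never contain a double quote.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def split_records(text: str) -> List[Dict[str, str]]:
    """Pair up key="value" tokens and start a new record when a key repeats.

    Assumption: a field name occurs at most once per message, which holds for
    the field list documented above.
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for key, value in KV_RE.findall(text):
        if key in current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def split_route_domain(addr: str) -> Tuple[str, int]:
    """Separate BIG-IP's IP%<route-domain> notation; the default domain is 0."""
    ip, sep, rd = addr.partition("%")
    domain = int(rd) if sep and rd.isdigit() else 0
    return ip, domain


def summarize(record: Dict[str, str]) -> Dict[str, object]:
    """Pull out the fields an analyst pivots on and coerce the numeric ones.

    Fields that only Application DoS records carry default to empty/zero so the
    same summary also works for Network DoS records.
    """
    ip, rd = split_route_domain(record.get("source_ip", ""))
    return {
        "attack_id": int(record["dos_attack_id"]),
        "attack_name": record["dos_attack_name"],
        "event": record["dos_attack_event"],
        "action": record["action"],
        "mitigation": record.get("dos_mitigation_action", ""),
        "dropped": int(record.get("dos_dropped_requests_count", "0")),
        "severity": int(record["severity"]),
        "source_ip": ip,
        "route_domain": rd,
        "uri": record.get("client_request_uri", ""),
    }


if __name__ == "__main__":
    for rec in split_records(SAMPLE):
        print(summarize(rec))
```

Both records share dos_attack_id 3131200721, which is the value to group on when counting dropped requests for one attack across many log lines.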

Example of Network DoS Protection log message in the Syslog format

23003138 [F5@12276 action="Drop" hostname="asm176.labt.ts.test.com" bigip_mgmt_ip="192.168.69.176" context_name="" date_time="Nov 08 2012 18:26:02" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" dos_attack_event="Attack Sampled" dos_attack_id="1493601923" dos_attack_name="Bad TCP checksum" errdefs_msgno="23003138" errdefs_msg_name="Network DoS Event" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "Nov 08 2012 18:26:02","192.168.69.176", "asm176.labt.ts.test.com","","fc55::99","fc55::3","20","80","0", "/Common/VLAN10","Bad TCP checksum","1493601923","Attack Sampled","Drop"

Example of Network DoS Protection log message in the Syslog F5 format

23003138 "Nov 08 2012 18:23:14","192.168.69.176", "asm176.labt.ts.test.com","","fc55::99","fc55::3","20","80","0", "/Common/VLAN10","Bad TCP checksum","1493601923","Attack Sampled","Drop"

Fields in Protocol Security event messages

This table lists the fields that are contained in event messages that might display in the Protocol Security logs. The fields are listed in the order in which they appear in a message in the log.

Field name and type Example value Description
date_time (string) 110513:11:10 Date and time the event occurred in this format: MMM DD HH:MM:SS
hostname (string) bigip-4.pme-ds.f5.com BIG-IP system FQDN
PSM: (string) PME:keyword Static value keyword
protocol (string) FTP, SMTP, HTTP, DNS Protocol name
ip_client (IP address) 192.168.5.10 Client source IP address
dest_ip (IP address) 192.168.3.1 Destination IP address
vs_name (string) Common/my_vs Reporting virtual server name and partition
policy_name (string) My security policy Name of the security policy reporting the violation
violations (string) Active mode Violation name
virus_name (string) <name of virus> Virus name
management_ip_address (IP address) 192.168.1.246 BIG-IP system management IP address
unit_hostname (string) bigip-4.pme-ds.f5.com BIG-IP system FQDN
request_status (string) Blocked Action applied to the client request
dest_port (integer) 80 Protocol port number (non-negative)
src_port (integer) 80 Protocol port number (non-negative)
route_domain (integer) 1 Route domain number (non-negative)
geo_location (string) NY, NY, USA City, state, country location information
violation_details (string) port/sendport 10,3,0,33,42,88 Violation description and the values passed

Protocol Security example events

This list contains examples of events you might find in the Protocol Security logs.

Example of Protocol Security log message in the ArcSight format

Oct 5 11:49:13 bigip-3.test.f5.com PSM:CEF:0|F5|PSM|11.3.0|Active mode|Active mode|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.test.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=port/sendport 10,3,0,33,7,223 cs3Label=violation_details msg=N/A

Oct 5 11:49:13 bigip-3.test.f5.com PSM:CEF:0|F5|PSM|11.3.0|FTP commands|FTP commands|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.test.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=nlist/mls cs3Label=violation_details msg=N/A

Oct 5 11:49:23 bigip-3.test.f5.com PSM:CEF:0|F5|PSM|11.3.0|FTP commands|FTP commands|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.test.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=pwd cs3Label=violation_details msg=N/A
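CEF messages carry two things a generic key=value parser gets wrong: a pipe-delimited header of exactly seven fields, and an extension in which custom string fields (cs1, cs2, ...) are only meaningful once their companion csNLabel is applied, so that cs1=ftp_security is really policy_name=ftp_security. The parser below is an added example, not F5 or ArcSight code. It takes the first and third records above, splits the header on unescaped pipes, scans the extension so that a value containing spaces (cs3=port/sendport 10,3,0,33,7,223) is kept whole, and renames each csN and c6aN field to its label.

```python
import re
from typing import Dict, List

# First and third ArcSight CEF records from the example above.
SAMPLE_CEF: List[str] = [
    "Oct 5 11:49:13 bigip-3.test.f5.com PSM:CEF:0|F5|PSM|11.3.0|Active mode|Active mode|5|"
    "app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security "
    "cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 "
    "dvchost=bigip-3.test.f5.com act=alerted cs6=N/A cs6Label=geo_location "
    "c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address "
    "c6a3= c6a3Label=destination_address cs3=port/sendport 10,3,0,33,7,223 "
    "cs3Label=violation_details msg=N/A",
    "Oct 5 11:49:23 bigip-3.test.f5.com PSM:CEF:0|F5|PSM|11.3.0|FTP commands|FTP commands|5|"
    "app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security "
    "cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 "
    "dvchost=bigip-3.test.f5.com act=alerted cs6=N/A cs6Label=geo_location "
    "c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address "
    "c6a3= c6a3Label=destination_address cs3=pwd cs3Label=violation_details msg=N/A",
]

# The seven mandatory CEF header fields, in order.
HEADER_FIELDS = (
    "cef_version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# A pipe that is not preceded by a backslash ends a header field.
PIPE_RE = re.compile(r"(?<!\\)\|")

# key=value where the value runs up to the next " key=" token or end of line.
# This is what keeps "port/sendport 10,3,0,33,7,223" in one piece and lets an
# empty value such as "c6a1=" be recorded as "".
EXT_RE = re.compile(r"(\S+?)=(.*?)(?=\s+\S+?=|$)")


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF line (with any syslog prefix in front of CEF:) to a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    parts = PIPE_RE.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven pipe-delimited fields")

    event: Dict[str, object] = dict(zip(HEADER_FIELDS, parts[:7]))
    event["syslog_prefix"] = line[:start].rstrip()
    event["cef_version"] = parts[0][len("CEF:"):]
    event["severity"] = int(parts[6])

    ext: Dict[str, str] = {}
    for key, value in EXT_RE.findall(parts[7]):
        # CEF escapes "=" and "\" inside extension values.
        ext[key] = value.replace("\\=", "=").replace("\\\\", "\\")

    # csNLabel / c6aNLabel name the meaning of csN / c6aN: rename accordingly.
    for label_key in [k for k in ext if k.endswith("Label")]:
        base = label_key[: -len("Label")]
        if base in ext:
            label = ext.pop(label_key)
            ext[label] = ext.pop(base)

    event.update(ext)
    return event


if __name__ == "__main__":
    for raw in SAMPLE_CEF:
        ev = parse_cef(raw)
        print(ev["name"], ev["act"], ev["policy_name"], ev["violation_details"])
```

Because the header is positional, a record with a stray or escaped pipe in a device field would shift every later field; checking for exactly eight parts before trusting the mapping is the cheap guard against that.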

Example of Protocol Security log message in the Remote Server format

Oct 5 11:55:18 bigip-3.test.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3",policy_name="ftp_security",violations="Active mode",virus_name="N/A",management_ip_address="192.168.73.33",unit_hostname="bigip-3.test.f5.com",request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A",violation_details="port/sendport 10,3,0,33,42,88"

Oct 5 11:55:18 bigip-3.test.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3",policy_name="ftp_security",violations="FTP commands",virus_name="N/A",management_ip_address="192.168.73.33",unit_hostname="bigip-3.test.f5.com",request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A",violation_details="list/dir/mdir"

Oct 5 11:55:23 bigip-3.test.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3",policy_name="ftp_security",violations="FTP commands",virus_name="N/A",management_ip_address="192.168.73.33",unit_hostname="bigip-3.test.f5.com",request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A",violation_details="pwd"

Example of Protocol Security log message in the Syslog format

Oct 5 11:37:14 bigip-3.test.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.test.f5.com","alerted","21","1355","0","N/A","port/sendport 10,3,0,33,42,22"

Oct 5 11:37:14 bigip-3.test.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.test.f5.com","alerted","21","1355","0","N/A","nlist/mls"

Oct 5 11:37:23 bigip-3.test.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.test.f5.com","alerted","21","1355","0","N/A","cwd.."
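The Remote Server format names every field, while the Syslog format is purely positional and relies on the consumer knowing the field order from the table above. The Python below is an added example (not F5 code) that normalises one record of each layout into the same dictionary: it strips the syslog timestamp and host in front of the PSM: marker, reads the positional variant with the csv module so that a quoted violation_details value containing commas stays one field, checks that the number of fields matches the table, and coerces the port and route-domain columns to integers.

```python
import csv
import re
from typing import Dict

# Field order of a Protocol Security message, taken from the table above
# (the fields after the PSM: marker, in the order they appear in the log).
PSM_FIELDS = (
    "protocol", "ip_client", "dest_ip", "vs_name", "policy_name", "violations",
    "virus_name", "management_ip_address", "unit_hostname", "request_status",
    "dest_port", "src_port", "route_domain", "geo_location", "violation_details",
)
INT_FIELDS = ("dest_port", "src_port", "route_domain")

# One key="value" pair in the Remote Server layout.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# One record in each layout, copied from the examples above.
REMOTE_SERVER_LINE = (
    'Oct 5 11:55:18 bigip-3.test.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",'
    'dest_ip="10.3.1.204",vs_name="/Common/FTP-3",policy_name="ftp_security",'
    'violations="Active mode",virus_name="N/A",management_ip_address="192.168.73.33",'
    'unit_hostname="bigip-3.test.f5.com",request_status="alerted",dest_port="21",'
    'src_port="1397",route_domain="0",geo_location="N/A",'
    'violation_details="port/sendport 10,3,0,33,42,88"'
)
SYSLOG_LINE = (
    'Oct 5 11:37:14 bigip-3.test.f5.com PSM:"FTP","10.3.1.104","10.3.1.204",'
    '"/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33",'
    '"bigip-3.test.f5.com","alerted","21","1355","0","N/A",'
    '"port/sendport 10,3,0,33,42,22"'
)


def parse_psm(line: str) -> Dict[str, object]:
    """Parse a Protocol Security message in either the Remote Server or the
    Syslog layout into a dict keyed by the documented field names."""
    prefix, marker, body = line.partition("PSM:")
    if not marker:
        raise ValueError("no PSM: marker in line")
    # The syslog prefix is "<timestamp> <hostname> "; the hostname is its last token.
    timestamp, _, syslog_host = prefix.strip().rpartition(" ")

    event: Dict[str, object]
    if body.startswith('"'):
        # Positional layout: a single CSV row. csv handles the quoted
        # violation_details value, which itself contains commas.
        values = next(csv.reader([body], skipinitialspace=True))
        if len(values) != len(PSM_FIELDS):
            raise ValueError(
                f"expected {len(PSM_FIELDS)} fields, got {len(values)}")
        event = dict(zip(PSM_FIELDS, values))
    else:
        # Named layout: key="value" pairs, order irrelevant.
        event = dict(KV_RE.findall(body))
        missing = set(PSM_FIELDS) - set(event)
        if missing:
            raise ValueError(f"missing fields: {sorted(missing)}")

    for name in INT_FIELDS:
        event[name] = int(str(event[name]))
    event["syslog_time"] = timestamp
    event["syslog_host"] = syslog_host
    return event


if __name__ == "__main__":
    for raw in (REMOTE_SERVER_LINE, SYSLOG_LINE):
        ev = parse_psm(raw)
        print(ev["violations"], ev["request_status"], ev["violation_details"])
```

The field-count check matters more than it looks: if a future release inserts a column into the positional layout, every later field silently shifts, and request_status or violation_details would be read from the wrong column without the length guard.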

Example of Protocol Security log message in the Syslog BSD format

Oct 5 11:46:26 bigip-3.test.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.test.f5.com","alerted","21","1388","0","N/A","port/sendport 10,3,0,33,7,217"

Oct 5 11:46:26 bigip-3.test.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.test.f5.com","alerted","21","1388","0","N/A","nlist/mls"

Example of Protocol Security log message in the Syslog legacy format

Oct 5 11:43:01 bigip-3.test.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.test.f5.com","alerted","21","1370","0","N/A","port/sendport 10,3,0,33,7,197"

Oct 5 11:43:01 bigip-3.test.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.test.f5.com","alerted","21","1370","0","N/A","nlist/mls"

Fields in DNS event messages

This table lists the fields that are contained in event messages that might display in the DNS logs. The fields are listed in the order in which they appear in a message in the log.

Field name and type Example value Description
errdefs_msgno (integer) 23003141 Static number 23003141
date_time (string) 11 13 2012 12:12:10 Date and time the event occurred in this format: MMM DD YYYY HH:MM:SS
bigip_mgmt_ip (IP address) 192.168.1.246 BIG-IP system management IP address
hostname (string) bigip-4.pme-ds.f5.com BIG-IP system FQDN
context_name (string) /Common/vs1_udp Partition in which the virtual server resides and name of virtual server
vlan (string) External Name of the VLAN interface
query_type (string) A Type of DNS query causing the attack
dns_query_name (string) siterequest.com Name being queried
partition_name (string) Common Name of the partition in which the virtual server resides
attack_type (string) CNAME DNS query causing the attack
action (string) None, Drop, Allow Action performed or reported
src_ip (IP address) 192.168.3.1 Source IP address
dest_ip (IP address) 192.168.3.2 Destination IP address
src_port (integer) 80 Protocol port number (non-negative)
dest_port (integer) 80 Protocol port number (non-negative)
route_domain (integer) 1 Route domain number (non-negative)

DNS attack types

This table lists DNS attack types and provides a short description and classification. The attack types are listed in alphabetical order by attack name. These attacks are the DNS queries that a client can request. If the requests are received at a high rate and exceed the configured watermark, they generate a DNS DoS event.

Attack name (RFC number) Description
a6 (1035) Returns a 32-bit IPv4 IP address record
aaaa (3596) Returns a 128-bit IPv6 address record
afsdb (1183) Location of database servers of an AFS database record
any (1035) Returns all cached records of all types
atma ATM address
axfr (1035) Authoritative zone transfer
cert (4398) Stores PKIX, SPKI, and PGP certificate record
cname (1035) Alias of one name to another (canonical name record)
dname (2672) DNAME (delegation name) creates an alias for a name and all its subnames
eid Endpoint identifier
gpos (1712) Geographical position (state, country)
hinfo (1035) Host information
isdn (1183) ISDN address
ixfr (1996) Incremental zone transfer
key (2535, 2930) Used only for SIG(0) (RFC 2931) and TKEY (RFC 2930) key records
kx (2535, 2930) Key exchange record identifies a key management agent for the associated domain-name (not associated with DNSSEC)
loc (1876) Location record
maila (1035) Request for mail agent resource records
mailb (1035) Mailbox or mail list information (MINFO)
mb (1035) Mailbox domain name
md Mail destination
mf (1035) Mail forwarder
mg (1035) Mail group member
minfo (1035) Mailbox or mail list information
mr (1035) Mail rename domain name
mx (1035) Mail exchange record
naptr (3403) Naming authority pointer
nimloc (1002) Nimrod locator
ns (1035) Nameserver record
nsap (1706) NSAP style A record
nsap-ptr (1348) NSAP style domain name pointer
null (1035) Null resource record
nxt (2535) Next domain
opt (2671) Pseudo DNS record type that supports EDNS
ptr (1035) Pointer to a canonical name
px (2163) X.400 mail mapping information
rp (1183) Contact information for the person(s) responsible for the domain
rt (1183) Route through
sg (2535) Signature record
sink DNS sinkhole
soa (1035) Start of authority record
srv (2782) Service locator record
tkey (2930) Secret key record
tsig (2845) Transaction signature that authenticates dynamic updates as coming from an approved client, or authenticates responses as coming from an approved recursive name server
txt (1035) Text record
wks Sender Policy Framework, DKIM, and DMARC DNS-SD
x25 (1183) X.25 PSDN address
zxfr Compressed zone transfer

DNS example events

This list contains examples of events you might find in the DNS logs.

Example of DNS log message in the ArcSight CEF format

Oct 12 13:35:47 10.3.0.33 CEF:0|F5|Advanced Firewall Module| 11.3.0.2206.0|23003139|DNS Event|8|rt=Oct 12 2012 13:29:24 dvchost=bigip-3.pme.test.com dvc=192.168.73.33 src=10.3.1.104 spt=54629 dst=10.3.1.202 dpt=53 cs1=/Common/DNS-3-udp-vs cs1Label=virtual_name cs2=/Common/external cs2Label=vlan cs3=SRV cs3Label=query_type act=Drop cs4=_ldap._tcp.dc._msdcs.siterequest.com cs4Label=query_name cs5=query opcode cs5Label=attack_type c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address

Example of DNS log message in the Reporting Server format

"Oct 26 2012 06:23:13","192.168.69.245","asm245.labt.ts.test.com", "/Common/vs2_udp","/Common/vlan1","A","domain1.local","A","Drop", "10.10.10.2","10.10.10.251","4000","53","0"

Example of DNS log message in the Syslog format

"Oct 26 2012 06:23:13","192.168.69.245","asm245.labt.ts.test.com", "/Common/vs2_udp","/Common/vlan1","A","domain1.local","A","Drop", "10.10.10.2","10.10.10.251","4000","53","0"

Fields in DNS DoS event messages

This table lists the fields that are contained in event messages that might display in the Network DNS DoS logs. The fields are listed in the order in which they appear in a message in the log.

Field name and type Example value Description
errdefs_msgno (integer) 23003141 Static number
errdefs_msg_name (string) DNS DoS Event Name of event
date_time (string) 11 13 2012 12:12:10 Date and time event occurred in this format: MMM DD YYYY HH:MM:SS
bigip_mgmt_ip (IP address) 192.168.1.246 BIG-IP system management IP address
hostname (string) bigip-4.pme-ds.f5.com BIG-IP system FQDN
context_name (string) /Common/vs1_udp Partition in which the virtual server resides and name of virtual server
vlan (string) External Name of VLAN interface
dns_query_type (string) A Type of DNS query causing the attack
dns_query_name (string) f5.com Name being queried
src_ip (IP address) 192.168.3.1 Source IP address
dest_ip (IP address) 192.168.3.1 Destination IP address
src_port (integer) 80 Protocol port number (non-negative)
dest_port (integer) 80 Protocol port number (non-negative)
partition_name (string) Common Name of the partition in which the virtual server resides
dos_attack_name (string) A query DOS Name of attack
dos_attack_id (integer) 1005891899 Unique, non-negative, attack instance ID
dos_attack_event (string) Attack Sampled Status of attack
action (string) None, Drop, Allow Action performed or reported

DNS DoS attack types

This table lists DNS DoS attack types and provides a short description and classification. The attack types are listed in alphabetical order by attack name.

Attack name (RFC) Description Value description
A query DOS (RFC 1035) Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host, but also used for DNSBLs, storing subnet masks in RFC 1101. Address record
PTR query DOS (RFC 1035) Pointer to a canonical name. Unlike a CNAME, DNS processing does not proceed, and only the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as DNS-SD. Pointer record
NS query DOS (1035) Delegates a DNS zone to use the given authoritative name servers. Name service record
SOA query DOS (1035) Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone. Start of authority record
CNAME query DOS (1035) Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name. Canonical name record
MX query DOS (1035) Maps a domain name to a list of message transfer agents for that domain. Mail exchange record
AAAA query DOS (3596) Returns a 128-bit IPv6 address, most commonly used to map hostnames to an IP address of the host. IPv6 address record
TXT query DOS (1035) Originally for arbitrary human-readable text in a DNS record, however, this record often carries machine-readable data, such as specified by RFC 1464, opportunistic encryption, Sender Policy Framework, DKIM, and DMARC DNS-SD. Text record
SRV query DOS (2782) Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX. Service locator
AXFR query DOS (1035) Request for a transfer of an entire zone. Request
IXFR query DOS (1995) Incremental transfer of records in the zone. Request
ANY query DOS (1035) Request for all records. Request
Malformed DOS Generated by a DNS packet in which one of the fields, for example, opcode, query_type or query_name, contains invalid information.
Malicious DOS Generated by malicious packets, that is, malformed DNS packets with references that are invalid.
Other Query DOS Queries, not listed in this table, which are being used to attack nameservers.

DNS DoS example events

This list contains examples of events you might find in the DNS DoS attack logs.

Example of DNS DoS attack log message in the Syslog format

"Oct 30 2012 10:57:09","192.168.56.179", "ext_big_ip_vm1.test.com", "/Common/vs_172_31_57_177_53_gtm", "/Common/external","A", "bipvm.test.com","192.168.56.171","192.168.57.177","43835","53","0", "A query DOS","1005891899","Attack Sampled","Allow"

BIG-IP system process example events

This list contains examples of events you might find in BIG-IP system logs. Please be aware that system log messages might be truncated, because the UDP protocol cannot send large messages. Note that using the TCP protocol impacts performance.

Example Syslog log entry for the system audit log

This log entry provides confirmation of a successful configuration save.

1 2012-11-01T18:07:13Z bigip-3.pme-ds.f5.com tmsh 29639 01420002:5: [F5@12276 hostname="bigip-3.pme-ds.f5.com" errdefs_msgno="01420002:5:"] AUDIT - pid=29639 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=save / sys config partitions all

Example Syslog log entry for the application security log

This log entry provides confirmation of the end of a DoS attack.

Nov 01 14:15:44 10.3.0.33 1 2012-11-01T18:09:38Z bigip-3.pme-ds.f5.com 2 28965 01010253:5: [F5@12276 hostname="bigip-3.pme-ds.f5.com" errdefs_msgno="01010253:5:"] A DOS attack has stopped for vector Ethernet broadcast packet, Attack ID 188335952.
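The two system log entries above share one shape: an RFC 5424-style header (version, timestamp, host, application, process id, message id), a structured-data element [F5@12276 ...] carrying hostname and errdefs_msgno, and a free-text message; in the audit entry that message is itself a set of pid/user/folder/module/status/cmd_data fields ending in the command that was run. The Python below is an added example, not F5 code. It parses both entries, tolerating the relay prefix ("Nov 01 14:15:44 10.3.0.33") that precedes the header in the second one (assumed here to have been added by the collecting syslog host), and pulls the audit fields out so that configuration changes can be attributed to a user and a command.

```python
import re
from typing import Dict, Iterable, List, Optional

# Both system log entries from the examples above.
AUDIT_LINE = (
    "1 2012-11-01T18:07:13Z bigip-3.pme-ds.f5.com tmsh 29639 01420002:5: "
    '[F5@12276 hostname="bigip-3.pme-ds.f5.com" errdefs_msgno="01420002:5:"] '
    "AUDIT - pid=29639 user=root folder=/Common module=(tmos)# "
    "status=[Command OK] cmd_data=save / sys config partitions all"
)
DOS_STOP_LINE = (
    "Nov 01 14:15:44 10.3.0.33 1 2012-11-01T18:09:38Z bigip-3.pme-ds.f5.com 2 28965 "
    '01010253:5: [F5@12276 hostname="bigip-3.pme-ds.f5.com" errdefs_msgno="01010253:5:"] '
    "A DOS attack has stopped for vector Ethernet broadcast packet, Attack ID 188335952."
)

HEADER_RE = re.compile(
    # Optional relay prefix "Mon DD HH:MM:SS <relay-address> " (assumption: the
    # collector's own timestamp and the sending address).
    r"^(?:[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \S+ )?"
    # RFC 5424 header: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
    r"1 (?P<timestamp>\S+) (?P<hostname>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    # One structured-data element, then the free-text message.
    r"\[(?P<sd_id>\S+) (?P<sd_params>[^\]]*)\] (?P<msg>.*)$"
)
SD_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')
AUDIT_RE = re.compile(
    r"^AUDIT - pid=(?P<pid>\d+) user=(?P<user>\S+) folder=(?P<folder>\S+) "
    r"module=(?P<module>\S+) status=\[(?P<status>[^\]]*)\] cmd_data=(?P<cmd_data>.*)$"
)


def parse_audit(msg: str) -> Optional[Dict[str, str]]:
    """Split an 'AUDIT - ...' message into its fields; None for other messages."""
    m = AUDIT_RE.match(msg)
    return m.groupdict() if m else None


def parse_system_event(line: str) -> Dict[str, object]:
    """Parse one BIG-IP system log entry into header, SD params and message."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424-style BIG-IP system message")
    event: Dict[str, object] = m.groupdict()
    event["sd_params"] = dict(SD_PARAM_RE.findall(m.group("sd_params")))
    event["audit"] = parse_audit(m.group("msg"))
    return event


def config_changes(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return (timestamp, user, status, command) for every audit entry, which is
    the record to review when checking who changed the device configuration."""
    changes = []
    for line in lines:
        ev = parse_system_event(line)
        audit = ev["audit"]
        if isinstance(audit, dict):
            changes.append({
                "timestamp": str(ev["timestamp"]),
                "user": audit["user"],
                "status": audit["status"],
                "command": audit["cmd_data"],
            })
    return changes


if __name__ == "__main__":
    for change in config_changes([AUDIT_LINE, DOS_STOP_LINE]):
        print(change)
```

Matching the whole header before reading the message means a truncated entry (the UDP caveat above) fails loudly with a ValueError rather than yielding a half-filled record.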