Manual Chapter : Event Messages and Attack Types

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP APM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP GTM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP Analytics

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP Link Controller

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP LTM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP PEM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP AFM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP ASM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Manual Chapter

Event Messages and Attack Types

Fields in ASM Violations event messages

This table lists the fields contained in event messages that might display in ASM logs. The fields are listed in the order in which they appear in a message in the log.

Field name and type Example value Description
unit_hostname (string) bigip-4.pme-ds.f5.com BIG-IP system FQDN
management_ip_address (IP address) 192.168.1.246 BIG-IP system management IP address
http_class_name (string) /Common/topaz4-web4 HTTP policy name
policy_name (string) My security policy Name of the security policy reporting the violation
violations (string) Attack signature detected Violation name
support_id (non-negative integer) 18205860747014045721 Internally-generated integer to assist with client access support
request_status (string) Blocked Action applied to the client request
response_code (non-negative integer) 200 The HTTP response code returned by the back-end server (application). This information is only relevant for requests that are not blocked.
ip_client (IP address) 192.168.5.10 Client source IP address
route_domain (non-negative integer) 0 (zero) Route domain number
method (string) GET HTTP method requested by client
protocol (string) HTTP, HTTPS Protocol name
query_string (string) key1=val1&key2=val2 Query sent by client; query appears in the first line of the HTTP request after the path and the question mark (?)
x_forwarded_for_header_value (string) 192.168.5.10 Value of the XFF HTTP header
sig_ids (positive non-zero integer) 200021069 Signature ID number
sig_names (string) Automated client access %22wget%22 Signature name
date_time (string) 2012-09-19 13:52:29 Data and time in the format: YYYY-MM-DD HH:MM:SS
severity (string) Error Severity category to which the event belongs
attack_type (string) Non-browser client Name of identified attack
geo_location (string) USA/NY Country/city location information
ip_address_intelligence (string) Botnets, Scanners List of IP intelligence categories found for an IP address
username (string) Admin User name for client session
session_id (hexadeicmal number) a9141b68ac7b4958 TCP session ID
src_port (non-negative integer) 52974 Client protocol source port
dest_port (non-negative integer) 80 Requested service listening port number
dest_ip (IP address) 192.168.5.11 Requested service IP address
sub_violations (string) Bad HTTP version, Null in request Comma-separated list of sub-violation strings
virus_name (string) Melissa Virus name
uri (string) / URI requested by client
request (string) GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n Request string sent by client
headers Host: myhost.com; Connection: close Found in request logs
response HTTP/1.1 200 OK Content-type: text/html Content-Length: 7 <html/> HTTP response from server when response logging is configured
violation_details (string) <?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations><violation><viol_index>14</viol_index><viol_name>VIOL_HTTP_PROTOCOL</viol_name> <http_sanity_checks_status>65536</http_sanity_checks_status><http_sub_violation_status>65536</http_sub_violation_status><http_sub_violation>SFRUUCB2ZXJzaW9uIG5vdCBmb3VuZA==</http_sub_violation></violation></request-violations></BAD_MSG> Extended information about a violation on a transaction

ASM Violations example events

This list contains examples of events you might find in ASM logs.

Examples of ASM log messages in the ArcSight CEF format

<134>Sep 19 13:35:00 bigip-4.pme-ds.f5.com 
ASM:CEF:0|F5|ASM|11.3.0|Successful Request|Successful Request|2|
dvchost=bigip-4.pme-ds.f5.com dvc=172.16.73.34 cs1=topaz4-web4
cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name
deviceCustomDate1=Sep 19 2012 11:38:36 
deviceCustomDate1Label=policy_apply_date
externalId=18205860747014045699 act=passed cn1=200 cn1Label=response_code
src=10.4.1.101 spt=52963 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP 
cs5=N/A cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:35:00 
deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A 
cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= 
c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A 
c6a4Label=ip_address_intelligence msg=N/A
suid=2e769a9e1ea8b777 suser=N/A request=/ cs3Label=full_request 
cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: 
*/*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n
<131>Sep 19 13:53:34 bigip-4.pme-ds.f5.com
ASM:CEF:0|F5|ASM|11.3.0|200021069|Automated client access
"wget"|5|dvchost=bigip-4.pme-ds.f5.com dvc=172.16.73.34 cs1=topaz4-web4
cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name
deviceCustomDate1=Sep 19 2012 13:49:25 
deviceCustomDate1Label=policy_apply_date externalId=18205860747014045723 
act=blocked cn1=0 cn1Label=response_code src=10.4.1.101 spt=52975 
dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP cs5=N/A 
cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:53:33 
deviceExternalId=0 cs4=Non-browser Client cs4Label=attack_type cs6=N/A 
cs6Label=geo_location c6a1= c6a1Label=device_address 
c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address 
c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A
suid=86c4f8bf7349cac9 suser=N/A request=/ cs3Label=full_request cs3=GET /
HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: */*\r\nHost:
10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n

Example of ASM log message in the Remote Server format

<134>Sep 19 13:42:41 bigip-4.pme-ds.f5.com ASM:"",
"2012-09-19 13:42:40","10.4.1.200","80","N/A","/Common/topaz4-web4"
"N/A","10.4.1.101","10.4.1.101%0","172.16.73.34","GET",
"2012-09-19 11:38:36","topaz4-web4","HTTP","",
"GET / HTTP/1.0\r\nUser-Agent: Wget/1.12(linux-gnu)\r\nAccept: */*\r\nHost: 
10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n","passed",
"Response logging disabled","200","0","7514e0ee8f0eb493","Informational",
"","","52965","","18205860747014045703","bigip-4.pme-ds.f5.com","/","N/A",
"<?xml version='1.0' encoding='UTF-8'?><BAD_MSG>
<request-violations><violation><viol_index>42</viol_index>
<viol_name>VIOL_ATTACK_SIGNATURE</viol_name>
<context>request</context><sig_data>
<sig_id>200021069</sig_id><blocking_mask>4</blocking_mask>
<kw_data><buffer>VXNlci1BZ2VudDogV2dldC8xLjEyIChsaW51eC1nbn
;UpDQpBY2NlcHQ6ICovKg0KSG9zdDogMTAuNC4xLjIwMA0KQ29
ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KDQo=</buffer>
<offset>0</offset><length>16</length></kw_data>
</sig_data></violation></request-violations>
</BAD_MSG>","","N/A","N/A"

Example of ASM log message in the Remote Syslog format

23003140

Examples of ASM log messages in the Reporting Server format

<134>Sep 19 13:40:27 bigip-4.pme-ds.f5.com
ASM:unit_hostname="bigip-4.pme-ds.f5.com",
management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4",
policy_name="topaz4-web4",policy_apply_date="2012-09-19 11:38:36",
violations="",support_id="18205860747014045701",request_status="passed",
response_code="200",ip_client="10.4.1.101",route_domain="0",method="GET",
protocol="HTTP",query_string="",x_forwarded_for_header_value="N/A",
sig_ids="",sig_names="",date_time="2012-09-19 13:40:26",
severity="Informational",attack_type="",geo_location="N/A",
ip_address_intelligence="N/A",username="N/A",
session_id="98630496c8413322",src_port="52964",dest_port="80",
dest_ip="10.4.1.200",sub_violations="",virus_name="N/A",uri="/",
request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: 
*/*\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n"
<134>Sep 19 13:40:27 bigip-4.pme-ds.f5.com
ASM:unit_hostname="bigip-4.pme-ds.f5.com",
management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4",
policy_name="topaz4-web4",policy_apply_date="2012-09-19 11:38:36",
violations="",support_id="18205860747014045701",request_status="passed",
response_code="200",ip_client="10.4.1.101",route_domain="0",method="GET",
protocol="HTTP",query_string="",x_forwarded_for_header_value="N/A",
sig_ids="",sig_names="",date_time="2012-09-19 13:40:26",
severity="Informational",attack_type="",geo_location="N/A",
ip_address_intelligence="N/A",username="N/A",session_id="98630496c8413322",
src_port="52964",dest_port="80",dest_ip="10.4.1.200",sub_violations="",
virus_name="N/A",uri="/",request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 
(linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: 
Keep-Alive\r\n\r\n"
<131>Sep 19 13:52:30 bigip-4.pme-ds.f5.com
ASM:unit_hostname="bigip-4.pme-ds.f5.com",
management_ip_address="172.16.73.34",http_class_name="/Common/topaz4-web4",
policy_name="topaz4-web4",policy_apply_date="2012-09-19 13:49:25",
violations="Attack signature detected",support_id="18205860747014045721",
request_status="blocked",response_code="0",ip_client="10.4.1.101",
route_domain="0",method="GET",protocol="HTTP",query_string="",
x_forwarded_for_header_value="N/A",sig_ids="200021069",
sig_names="Automated client access %22wget%22",
date_time="2012-09-19 13:52:29",severity="Error",
attack_type="Non-browser Client",geo_location="N/A",
ip_address_intelligence="N/A",username="N/A",session_id="a9141b68ac7b4958",
src_port="52974",dest_port="80",dest_ip="10.4.1.200",sub_violations="",
virus_name="N/A",uri="/",request="GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 
(linux-gnu)\r\nAccept: */*\r\nHost: 10.4.1.200\r\nConnection: 
Keep-Alive\r\n\r\n"

Fields in ASM Brute Force and Web Scraping event messages

This table lists the fields contained in event messages that might display in ASM logs. The fields are listed in alphabetical order by field name.

Field name and type Example value Description
act (string) Alerted or Blocked Action taken in response to attack
anomaly_attack_type (string) DoS attack or Brute Force attack Type of attack
attack_id (integer) 12345678 Unique identifier of an attack
attack_status (string) Started, Ended, or Ongoing Status of an attack
current_mitigation (string) Source IP-based client-side integrity defense, URL-based client-side integrity defense, Source IP-based rate limiting, URL-based rate limiting, or Transparent How the attack is being mitigated
date_time (string) 2012-11-07 06:53:06, or for Arcsight: Nov 07 2012 06:53:50 Current date and time in format: YYYY-MM-DD HH:MM:SS, or for ArcSight: MMM DD YYYY HH:MM:SS
detection_average (integer) 400 Historical average of TPS, latency, or failed logins
detection_mode (string) For DoS Attacks: TPS Increased or Latency Increased; For Brute Force Attacks: Number of Failed Logins Increased How the attack was detected
dropped_requests (integer) 10000 Number of dropped requests
dvc (IP address) 192.168.1.246 BIG-IP system management IP address
dvchost (string) bigip-4.asm-ds.f5.com BIG-IP system host name
geo_location (string) USA/NY Country/city location information
ip_list (IP addresses) 192.168.5.10:ny, ny, usa:150 Comma-delineated list of attacker IP addresses in the format: client_ip_addr:geo_location:drops_counter
management_ip_address (IP address) 192.168.1.246 BIG-IP system management IP address
operation_mode (string) Transparent or Blocking Current operation mode in the security policy
policy_apply_date 2012-11-07 06:53:06, or for Arcsight: Nov 07 2012 06:53:50 The date and time the policy was last applied in the format: YYYY-MM-DD HH:MM:SS, or for ArcSight: MMM DD YYYY HH:MM:SS
policy_name (string) My policy Name of current active policy reporting the violation
request (URL) www.siterequest.com Login URL attacked by Brute Force attack
rt (string) Nov 07 2012 06:53:50 Current date and time in the format: MMM DD YYYY HH:MM:SS
severity (string) Emergency Severity category for attacks is always: Emergency
source_ip (IP address) 192.168.4.1:ny, ny, usa:150000 IP address from which the attack originates in the format: client_ip_addr:geo_location:drops_counter
src (IP address) 192.168.4.1 IP address from which the attack originates
unit_hostname (string) bigip-4.asm-ds.f5.com BIG-IP system FQDN
uri (string) / Login URL that was subject to a Brute Force attack
url_list (URLs) 192.168.50.1:sf, ca, usa:200 Comma-delineated list of attacked URLs in the format: client_ip_addr:geo_location:drops_counter
violation_counter (integer) 100 Number of violations
web_application_name My PTO Name of the web application in which the violation occurred

ASM Anomaly example events

This list contains examples of events you might find in ASM logs.

Example of ASM Anomaly log messages in the ArcSight CEF format
CEF:0 |F5|%s|%s|%s|%s|%d| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status request=%s src=%s cs6=%s cs6Label=geo_location cs5=%s cs5Label=detection_mode rt=%s cn1=%d cn1Label=detection_average cn2=%llu cn2Label=dropped_requests
CEF:0 |F5|%s|%s|%s|%s|%d| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status src=%s cs6=%s cs6Label=geo_location cn2=%llu cn2Label=dropped_requests rt=%s
CEF:0 |F5|%s|%s|%s|%s|%d| dvchost=%s dvc=%s cs1=%s cs1Label=policy_name cs2=%s cs2Label=web_application_name deviceCustomDate1=%s deviceCustomDate1Label=policy_apply_date act=%s cn3=%llu cn3Label=attack_id cs4=%s cs4Label=attack_status src=%s cs6=%s cs6Label=geo_location rt=%s cn2=%llu cn2Label=dropped_requests cn4=%u cn4Label=violation_counter
Example of ASM Anomaly log messages in the Reporting Server format
unit_hostname="%s",management_ip_address="%s",web_application_name="%s", policy_name="%s",policy_apply_date="%s",anomaly_attack_type="%s",uri="%s", attack_id="%llu",attack_status="%s",operation_mode="%s", detection_mode="%s", detection_average="%ld",current_mitigation="%s",ip_list="%s",url_list="%s", date_time="%s",severity="%s"
unit_hostname="%s",management_ip_address="%s",web_application_name="%s", policy_name="%s",policy_apply_date="%s", anomaly_attack_type="%s", attack_id="%llu",attack_status="%s",operation_mode="%s", source_ip="%s:%s:%llu",date_time="%s",severity="%s"
Example of ASM Anomaly log message in the Web Scraping format
unit_hostname="%s",management_ip_address="%s",web_application_name="%s", policy_name="%s" policy_apply_date="%s",anomaly_attack_type="%s", attack_id="%llu",attack_status="%s",operation_mode="%s", source_ip="%s:%s:%llu:%u",date_time="%s",severity="%s"

Fields in AFM event messages

This table lists the fields that are contained in event messages that might display in AFM logs. The fields are listed in alphabetical order by field name.

Field name and type Example value Description
acl_rule_name (string) Non-browser client Name of ACL rule
action (string) Accept, Accept decisively, Drop, Reject, Established, Closed Action performed
hostname (string) FQDN BIG-IP system FQDN
bigip_mgmt_ip (IP address) 192.168.1.246 BIG-IP system management IP address
context_name (string) /Common/topaz3-web3 Name of the object to which the rule applies
context_type (string) Global, Route Domain, Virtual Server, Self IP address, or Management port Category of the object to which the rule applies
date_time (string) 01 11 2012 13:11:10 Date and time the event occurred in this format: MMM DD YYYY HH:MM:SS
dest_ip (IP address) 192.168.3.1 Destination IP address
dest_port (integer) 80 Protocol port number
device_product (string) Advanced Firewall Module Name of BIG-IP system generating the event message
device_vendor (string) F5 F5 static keyword
device_version (string) 11.3.0.2012.0 BIG-IP system software version in the format version.point_release.0.yyyy.0
drop_reason (string) (empty), <name of error>, Policy

Reason action performed.

errdefs_msgno (integer) 23003137 Event number
errdefs_msg_name (string) Network event Event name
ip_protocol (string) TCP, UDP, ICMP Name of protocol
severity (integer) 8 Level of the event by number
partition_name (string) Common Name of the partition or folder in which the object resides
route_domain (integer) 1 Route domain number (non-negative)
src_ip (IP address) 192.168.3.1 Source IP address
src_port (integer) 80 Protocol port number (non-negative)
vlan (string) External VLAN interface name

AFM example events

This list contains examples of events you might find in AFM logs.

Examples of AFM log messages in the ArcSight CEF format
CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=39321 dst=10.3.1.200 dpt=443 proto=TCP cs1=/Common/topaz3-all3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Accept c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5=allow_https cs5Label=acl_rule_name
CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=52799 dst=10.3.1.200 dpt=80 proto=TCP cs1=/Common/topaz3-web3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Open c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5= cs5Label=acl_rule_name
CEF:0|F5|Advanced Firewall Module|11.3.0.2095.0|23003137|Network Event|8|rt=Oct 04 2012 13:15:29 dvchost=bigip-3.pme-ds.f5.com dvc=192.168.73.33 src=10.3.1.101 spt=52799 dst=10.3.1.200 dpt=80 proto=TCP cs1=/Common/topaz3-web3 cs1Label=virtual_name cs2=/Common/external cs2Label=vlan act=Closed c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5= cs5Label=acl_rule_name
CEF:0|F5|Advanced Firewall Module|11.3.0.2790.300|23003137|Network Event|8|rt=Nov 08 2012 18:35:15 dvchost=asm176.labt.ts.example.com dvc=192.168.69.176 src= spt=20 dst= dpt=80 proto=TCP cs1= cs1Label=Global cs2=/Common/VLAN10 cs2Label=vlan act=Accept c6a2=fc55::99 c6a2Label=source_address c6a3=fc55::3 c6a3Label=destination_address cs3= cs3Label=drop_reason cn4=0 cn4Label=route_domain cs5=TCP cs5Label=acl_rule_name
Examples of AFM log messages in the Reporting Server format
acl_rule_name="allow_http",action="Accept",hostname="bigip-3.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.33",context_name="/Common/topaz3-web3",context_type="Virtual Server",date_time="Oct 04 2012 13:18:04",dest_ip="10.3.1.200",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="10.3.1.101",source_port="52807",vlan="/Common/external"
acl_rule_name="",action="Open",hostname="bigip-3.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.33",context_name="/Common/topaz3-all3",context_type="Virtual Server",date_time="Oct 04 2012 13:18:04",dest_ip="10.3.1.200",dest_port="443",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="10.3.1.101",source_port="39329",vlan="/Common/external"
acl_rule_name="",action="Closed",hostname="bigip-3.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.33",context_name="/Common/topaz3-all3",context_type="Virtual Server",date_time="Oct 04 2012 13:18:04",dest_ip="10.3.1.200",dest_port="443",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2095.0",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="10.3.1.101",source_port="39329",vlan="/Common/external"
Examples of AFM log messages in the Splunk format
acl_rule_name="TCP",action="Accept",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="",context_type="Global",date_time="Nov 08 2012 18:38:18",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",drop_reason="",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10"
acl_rule_name="",action="Drop",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="/Common/vs10_TCP_IPv6",context_type="Virtual Server",date_time="Nov 08 2012 18:38:18",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",drop_reason="Bad TCP checksum",errdefs_msgno="23003137",errdefs_msg_name="Network Event",ip_protocol="TCP",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10"
Example of AFM log message in the Syslog format
23003137 [F5@12276 acl_rule_name="TCP" action="Accept" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="" context_type="Global" date_time="Nov 08 2012 18:42:49" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" drop_reason="" errdefs_msgno="23003137" errdefs_msg_name="Network Event" ip_protocol="TCP" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "192.168.69.176","asm176.labt.ts.example.com","Global","","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","TCP","Accept",""
23003137 [F5@12276 acl_rule_name="" action="Drop" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="/Common/vs10_TCP_IPv6" context_type="Virtual Server" date_time="Nov 08 2012 18:42:49" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" drop_reason="Bad TCP checksum" errdefs_msgno="23003137" errdefs_msg_name="Network Event" ip_protocol="TCP" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "192.168.69.176","asm176.labt.ts.example.com","Virtual Server","/Common/vs10_TCP_IPv6","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","","Drop","Bad TCP checksum"
Example of AFM log message in the Syslog BSD format
23003137 "192.168.69.176","asm176.labt.ts.example.com","Global","","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","TCP","Accept",""
23003137 "192.168.69.176","asm176.labt.ts.example.com","Virtual Server","/Common/vs10_TCP_IPv6","fc55::99","fc55::3","20","80","/Common/VLAN10","TCP","0","","Drop","Bad TCP checksum"
Example of AFM log message in the Syslog Legacy F5 format
Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 allow_dns-tcp,Accept,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server,Oct 04 2012 11:20:15,10.3.1.200,2607,,192.168.73.33,TCP,0,10.3.1.101,47910,/Common/external
Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 ,Open,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server,Oct 04 2012 11:20:15,10.3.1.200,1666,,192.168.73.33,TCP,0,10.3.1.101,36388,/Common/external
Oct 04 11:20:15 bigip-3.pme-ds.f5.com tmm[18691]: 23003137 ,Closed,bigip-3.pme-ds.f5.com,/Common/topaz3-all3,Virtual Server,Oct 04 2012 11:20:15,10.3.1.200,1666,,192.168.73.33,TCP,0,10.3.1.101,36388,/Common/external

Fields in Network DoS Protection event messages

This table lists the fields that are contained in event messages that might display in the DoS Protection logs. The fields are listed in alphabetical order by field name.

Field name and type Example value Description
action (string) Allow, Drop, None Action performed or reported
hostname (string) FQDN BIG-IP system FQDN
bigip_mgmt_ip (IP address) 192.168.1.246 BIG-IP system management IP address
date_time (string) 01 11 2012 13:11:10 Date and time the event occurred in this format: MMM DD YYYY HH:MM:SS
dest_ip (IP address) 192.168.3.1 Destination IP address
dest_port (integer) 80 Protocol port number (non-negative)
device_product (string) Advanced Firewall Module Name of BIG-IP system generating the event message
device_vendor (string) F5 F5 static keyword
device_version (string) 11.3.0.2012.0 BIG-IP system software version in the format mm.dd.0.yyyy.0
dos_attack_event (string) Attack started, Attack Sampled, Attack Stopped Attack instances start and stop events
dos_attack_id (string) 2760296639 Unique, non-negative, attack ID
dos_attack_name (string) ICMP Flood, Bad TCP checksum Network DoS event
errdefs_msgno (integer) 23003138 Static number
errdefs_msg_name (string) Network DoS event Static keyword
severity (integer) 8 Event severity value (non-negative integer)
partition_name (string) Common Name of the partition in which the virtual server resides
route_domain (integer) 1 Route domain number (non-negative)
src_ip (IP address) 192.168.3.1 Source IP address
src_port (integer) 80 Protocol port number (non-negative)
vlan (string) External Name of the VLAN interface

Device DoS attack types

This table lists device DoS attacks, and provides a short description and relevant information. The attack types are listed in alphabetical order by attack name.

DoS Category Attack Name Dos Vector Name Information
Bad Header - DNS DNS Oversize dns-oversize Detects oversized DNS headers. To tune this value, in tmsh: modify sys db dos.maxdnssize value , where value is 256-8192.
Bad Header - ICMP Bad ICMP Checksum bad-icmp-chksum An ICMP frame checksum is bad. Reuse the TCP or UDP checksum bits in the packet
  Bad ICMP Frame bad-icmp-frame The ICMP frame is either the wrong size, or not of one of the valid IPv4 or IPv6 types.
Valid IPv4 types:
  • 0 Echo Reply
  • 3 Destination Unreachable
  • 4 Source Quench
  • 5 Redirect
  • 8 Echo
  • 11 Time Exceeded
  • 12 Parameter Problem
  • 13 Timestamp
  • 14 Timestamp Reply
  • 15 Information Request
  • 16 Information Reply
  • 17 Address Mask Request
  • 18 Address Mask Reply
Valid IPv6 types:
  • 1 Destination Unreachable
  • 2 Packet Too Big
  • 3 Time Exceeded
  • 4 Parameter Problem
  • 128 Echo Request
  • 129 Echo Reply
  • 130 Membership Query
  • 131 Membership Report
  • 132 Membership Reduction
  ICMP Frame Too Large icmp-frame-too-large The ICMP frame exceeds the declared IP data length or the maximum datagram length. To tune this value, in tmsh: modify sys db dos.maxicmpframesize value , where value is <=65515.
Bad Header - IGMP Bad IGMP Frame bad-igmp-frame IPv4 IGMP packets should have a header >= 8 bytes. Bits 7:0 should be either 0x11, 0x12, 0x16, 0x22 or 0x17, or else the header is bad. Bits 15:8 should be non-zero only if bits 7:0 are 0x11, or else the header is bad.
Bad Header - IPv4 Bad IP TTL Value bad-ttl-val Time-to-live equals zero for an IPv4 address.
  Bad IP Version bad-ver The IPv4 address version in the IP header is not 4.
  Header Length > L2 Length hdr-len-gt-l2-len No room in layer 2 packet for IP header (including options) for IPv4 address
  Header Length Too Short hdr-len-too-short IPv4 header length is less than 20 bytes
  Bad Source ip-bad-src The IPv4 source IP = 255.255.255.255 or 0xe0000000U
  IP Error Checksum ip-err-chksum The header checksum is not correct
  IP Length > L2 Length ip-len-gt-l2-len Total length in IPv4 address header or payload length in IPv6 address header is greater than the layer 3 length in a layer 2 packet
  TTL <= <tunable> ttl-leq-one An IP packet with a destination that is not multicast and that has a TTL greater than 0 and less than or equal to a tunable value, which is 1 by default. To tune this value, in tmsh: modify sys db dos.iplowttl value , where value is 1-4.
  IP Option Frames ip-opt-frames IPv4 address packet with option.db variable tm.acceptipsourceroute must be enabled to receive IP options
  IP Option Illegal Length   Option present with illegal length
  L2 Length >> IP Length l2-len-ggt-ip-len Layer 2 packet length is much greater than the payload length in an IPv4 address header and the layer 2 length is greater than the minimum packet size
  No L4 no-l4 No layer 4 payload for IPv4 address
  Unknown Option Type unk-ipopt-type Unknown IP option type
Bad Header - IPv6 IPv6 extended headers wrong order bad-ext-hdr-order Extension headers in the IPv6 header are in the wrong order
  Bad IPV6 Hop Count bad-ipv6-hop-cnt Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are bad.
  Bad IPV6 Version bad-ipv6-ver The IPv6 address version in the IP header is not 6
  IPv6 duplicate extension headers dup-ext-hdr An extension header should occur only once in an IPv6 packet, except for the Destination Options extension header.
  IPv6 extension header too large ext-hdr-too-large An extension header is too large. To tune this value, in tmsh: modify sys db dos.maxipv6extsize value , where value is 0-1024.
  IPv6 hop count <= <tunable> hop-cnt-leq-one The IPv6 extended header hop count is less than or equal to <tunable>. To tune this value, in tmsh: modify sys db dos.ipv6lowhopcnt value , where value is 1-4.
  Bad IPv6 source ipv6-bad-src IPv6 source IP = 0xff00::
  IPV6 Extended Header Frames ipv6-ext-hdr-frames IPv6 address contains extended header frames
  IPV6 Length > L2 Length ipv6-len-gt-l2-len IPv6 address length is greater than the layer 2 length
  IPV6 Source Address == Destination Address   IPv6 packet source address is the same as the destination address
  No L4 (Extended Headers Go To Or Past End of Frame) l4-ext-hdrs-go-end Extended headers go to the end or past the end of the L4 frame
  Payload Length < L2 Length payload-len-ls-l2-len Specified IPv6 payload length is less than the L2 packet length
  Too Many Extended Headers too-many-ext-hdrs For an IPv6 address, there are more than <tunable> extended headers (the default is 4). To tune this value, in tmsh: modify sys db dos.maxipv6exthdrs value , where value is 0-15.
Bad Header - L2 Ethernet MAC Source Address == Destination Address ether-mac-sa-eq-da Ethernet MAC source address equals the destination address.
Bad Header - TCP Bad TCP Checksum bad-tcp-chksum The TCP checksum does not match
  Bad TCP Flags (All Cleared) bad-tcp-flags-all-clr Bad TCP flags (all cleared and SEQ#=0)
  Bad TCP Flags (All Flags Set) bad-tcp-flags-all-set Bad TCP flags (all flags set)
  FIN Only Set fin-only-set Bad TCP flags (only FIN is set)
  Option Present With Illegal Length opt-present-with-illegal-len Option present with illegal length
  SYN && FIN Set syn-and-fin-set Bad TCP flags (SYN and FIN set)
  TCP Flags - Bad URG tcp-bad-urg Packet contains a bad URG flag, this is likely malicious
  TCP Header Length > L2 Length tcp-hdr-len-gt-l2-len  
  TCP Header Length Too Short (Length < 5) tcp-hdr-len-too-short The Data Offset value in the TCP header is less than five 32-bit words
  TCP Option Overruns TCP Header tcp-opt-overruns-tcp-hdr The TCP option bits overrun the TCP header.
  Unknown TCP Option Type unk-tcp-opt-type Unknown TCP option type
Bad Header - UDP Bad UDP Checksum bad-udp-chksum The UDP checksum is not correct
  Bad UDP Header (UDP Length > IP Length or L2 Length) bad-udp-hdr UDP length is greater than IP length or layer 2 length
DNS DNS AAAA Query dns-aaaa-query UDP packet, DNS Qtype is AAAA, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094.. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094.
  DNS Any Query dns-any-query UDP packet, DNS Qtype is ANY_QRY, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094.
  DNS AXFR Query dns-axfr-query UDP packet, DNS Qtype is AXFR, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094.
  DNS A Query dns-a-query UDP packet, DNS Qtype is A_QRY, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094.
  DNS CNAME Query dns-cname-query UDP DNS query, DNS Qtype is CNAME, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094.
  DNS IXFR Query dns-ixfr-query UDP DNS query, DNS Qtype is IXFR, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094.
  DNS Malformed dns-malformed Malformed DNS packet
  DNS MX Query dns-mx-query UDP DNS query, DNS Qtype is MX, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094.
  DNS NS Query dns-ns-query UDP DNS query, DNS Qtype is NS, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094.
  DNS OTHER Query dns-other-query UDP DNS query, DNS Qtype is OTHER, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094.
  DNS PTR Query dns-ptr-query UDP DNS query, DNS Qtype is PTR, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094.
  DNS QDCount Limit dns-qdcount-limit UDP packet, DNS qdcount neq 1, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094.
  DNS Response Flood dns-response-flood UDP DNS Port=53, packet and DNS header flags bit 15 is 1 (response), VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094.;
  DNS SOA Query dns-soa-query UDP packet, DNS Qtype is SOA_QRY, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094.
  DNS SRV Query dns-srv-query UDP packet, DNS Qtype is SRV, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094.
  DNS TXT Query dns-txt-query UDP packet, DNS Qtype is TXT, VLAN is <tunable>. To tune this value, in tmsh: modify sys db dos.dnsvlan value , where value is 0-4094.
Flood ARP Flood arp-flood ARP packet flood
  Ethernet Broadcast Packet ether-brdcst-pkt Ethernet broadcast packet flood
  Ethernet Multicast Packet ether-multicst-pkt Ethernet destination is not broadcast, but is multicast
  ICMPv4 Flood icmpv4-flood Flood with ICMP v4 packets
  ICMPv6 Flood icmpv6-flood Flood with ICMP v6 packets
  IGMP Flood igmp-flood Flood with IGMP packets (IPv4 packets with IP protocol number 2)
  IGMP Fragment Flood igmp-frag-flood Fragmented packet flood with IGMP protocol
  IPv4 Fragment Flood ip-frag-flood Fragmented packet flood with IPv4
  IPv6 Fragment Flood ipv6-frag-flood Fragmented packet flood with IPv6
  Routing Header Type 0 routing-header-type-0 Routing header type zero is present in flood packets
  TCP BADACK Flood tcp-ack-flood TCP ACK packet flood
  TCP RST Flood tcp-rst-flood TCP RST flood
  TCP SYN ACK Flood tcp-synack-flood TCP SYN/ACK flood
  TCP SYN Flood tcp-syn-flood TCP SYN flood
  TCP Window Size tcp-window-size The TCP window size in packets is above the maximum. To tune this value, in tmsh: modify sys db dos.tcplowwindowsize value , where value is <=128.
  UDP Flood udp-flood UDP flood attack
Fragmentation ICMP Fragment icmp-frag ICMP fragment flood
  IPV6 Atomic Fragment ipv6-atomic-frag

IPv6 Frag header present with M=0 and FragOffset =0

  IPV6 Fragment Error ipv6-other-frag Other IPv6 fragment error
  IPv6 Fragment Overlap ipv6-overlap-frag IPv6 overlapping fragment error
  IPv6 Fragmentat Too Small ipv6-short-frag IPv6 short fragment error
  IP Fragment Error ip-other-frag Other IPv4 fragment error
  IP Fragment Overlap ip-overlap-frag IPv4 overlapping fragment error
  IP Fragment Too Small ip-short-frag IPv4 short fragment error
Single Endpoint Single Endpoint Flood flood Flood to a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting
  Single Endpoint Sweep sweep Sweep on a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting
SIP SIP ACK Method sip-ack-method SIP ACK packets
  SIP BYE Method sip-bye-method SIP BYE packets
  SIP CANCEL Method sip-cancel-method SIP CANCEL packets
  SIP INVITE Method sip-invite-method SIP INVITE packets
  SIP Malformed sip-malformed Malformed SIP packets
  SIP MESSAGE Method sip-message-method SIP MESSAGE packets
  SIP NOTIFY Method sip-notify-method SIP NOTIFY packets
  SIP OPTIONS Method sip-options-method SIP OPTIONS packets
  SIP OTHER Method sip-other-method SIP OTHER packets
  SIP PRACK Method sip-prack-method SIP PRACK packets
  SIP PUBLISH Method sip-publish-method SIP PUBLISH packets
  SIP REGISTER Method sip-register-method SIP REGISTER packets
  SIP SUBSCRIBE Method sip-subscribe-method SIP SUBSCRIBE packets
Other Host Unreachable host-unreachable Host unreachable error
  LAND Attack land-attack Spoofed TCP SYN packet attack
  TIDCMP tidcmp ICMP source quench attack

Network DoS Protection example events

This list contains examples of events you might find in Network (layer 2 - 4) DoS Protection logs.

Example of Network DOS Protection log message in the ArcSight format
CEF:0|F5|Advanced Firewall Module|11.3.0.2790.300|Bad TCP checksum|Drop|8|dvchost=asm176.labt.ts.example.com dvc=192.168.69.176 rt=Nov 08 2012 17:58:02 act=Drop cn1=3083822789 cn1Label=attack_id cs1=Attack Sampled cs1Label=attack_status src= spt=20 dst= dpt=80 cs2=/Common/VLAN10 cs2Label=vlan cs3= cs3Label=virtual_name cn4=0 cn4Label=route_domain c6a2=fc55::99 c6a2Label=source_address c6a3=fc55::3 c6a3Label=destination_address
Example of Network DoS Protection log message in the Remote Syslog format
"Nov 06 2012 02:17:27","192.168.69.245","asm245.labt.ts.example.com","","10.10.10.2","10.10.10.200","20","80","0","/Common/vlan1","Bad TCP checksum","3044184075","Attack Sampled","Drop"
Examples of Network DoS Protection log messages in Reporting Server format
Oct 30 13:59:38 192.168.57.163 action="None",hostname="bigip-7.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.18",date_time="Sep 20 2012 15:30:43",dest_ip="",dest_port="",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.1910.0",dos_attack_event="Attack Started",dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="",source_ip="",source_port="",vlan=""
Oct 30 13:59:38 192.168.57.163 action="Drop",hostname="bigip-7.pme-ds.f5.com",bigip_mgmt_ip="192.168.73.18",date_time="Sep 20 2012 15:30:44",dest_ip="",dest_port="",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.1910.0",dos_attack_event="Attack Sampled",dos_attack_id="2760296639",dos_attack_name="Ethernet broadcast packet",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="",source_ip="",source_port="",vlan="/Common/external"
Example of Network DoS Protection log message in the Splunk format
action="Blocking",hostname="bigip1",bigip_mgmt_ip="192.168.36.157",client_ip_geo_location="N/A",client_request_uri="",configuration_date_time="Nov 01 2012 04:39:57",context_name="/Common/vs_159",context_type="Virtual Server",date_time="Nov 01 2012 05:01:40",device_product="ASM",device_vendor="F5",device_version="11.3.0",dos_attack_detection_mode="TPS Increased",dos_attack_event="Attack ongoing",dos_attack_id="3131200721",dos_attack_name="DOS L7 attack",dos_attack_tps="0 tps",dos_dropped_requests_count="487",dos_mitigation_action="Source IP-Based Rate Limiting",errdefs_msgno="23003140",errdefs_msg_name="Application DoS Event",severity="7",partition_name="Common",profile_name="/Common/dos_orna",source_ip="192.168.32.22%0"
action="Blocking",hostname="bigip1",bigip_mgmt_ip="192.168.36.157",client_ip_geo_location="N/A",client_request_uri="/short.txt",configuration_date_time="Nov 01 2012 04:39:57",context_name="/Common/vs_159",context_type="Virtual Server",date_time="Nov 01 2012 05:01:40",device_product="ASM",device_vendor="F5",device_version="11.3.0",dos_attack_detection_mode="TPS Increased",dos_attack_event="Attack ongoing",dos_attack_id="3131200721",dos_attack_name="DOS L7 attack",dos_attack_tps="0 tps",dos_dropped_requests_count="487",dos_mitigation_action="Source IP-Based Rate Limiting",errdefs_msgno="23003140",errdefs_msg_name="Application DoS Event",severity="7",partition_name="Common",profile_name="/Common/dos_orna",source_ip=""
action="Drop",hostname="asm176.labt.ts.example.com",bigip_mgmt_ip="192.168.69.176",context_name="",date_time="Nov 08 2012 17:58:46",dest_ip="fc55::3",dest_port="80",device_product="Advanced Firewall Module",device_vendor="F5",device_version="11.3.0.2790.300",dos_attack_event="Attack Sampled",dos_attack_id="3083822789",dos_attack_name="Bad TCP checksum",errdefs_msgno="23003138",errdefs_msg_name="Network DoS Event",severity="8",partition_name="Common",route_domain="0",source_ip="fc55::99",source_port="20",vlan="/Common/VLAN10"
Example of Network DoS Protection log message in the Syslog format
23003138 [F5@12276 action="Drop" hostname="asm176.labt.ts.example.com" bigip_mgmt_ip="192.168.69.176" context_name="" date_time="Nov 08 2012 18:26:02" dest_ip="fc55::3" dest_port="80" device_product="Advanced Firewall Module" device_vendor="F5" device_version="11.3.0.2790.300" dos_attack_event="Attack Sampled" dos_attack_id="1493601923" dos_attack_name="Bad TCP checksum" errdefs_msgno="23003138" errdefs_msg_name="Network DoS Event" severity="8" partition_name="Common" route_domain="0" source_ip="fc55::99" source_port="20" vlan="/Common/VLAN10"] "Nov 08 2012 18:26:02","192.168.69.176","asm176.labt.ts.example.com","","fc55::99","fc55::3","20","80","0","/Common/VLAN10","Bad TCP checksum","1493601923","Attack Sampled","Drop"
Example of Network DoS Protection log message in the Syslog F5 format
23003138 "Nov 08 2012 18:23:14","192.168.69.176","asm176.labt.ts.example.com","","fc55::99","fc55::3","20","80","0","/Common/VLAN10","Bad TCP checksum","1493601923","Attack Sampled","Drop"

Fields in Protocol Security event messages

This table lists the fields that are contained in event messages that might display in the Protocol Security logs. The fields are listed in the order in which they appear in a message in the log.

Field name and type Example value Description
date_time (string) 110513:11:10 Date and time the event occurred in this format: MMM DD HH:MM:SS
hostname (string) bigip-4.pme-ds.f5.com BIG-IP system FQDN
PSM: (string) PME:keword Static value keyword
protocol (string) FTP, SMPTP, HTTP, DNS Protocol name
ip_client (IP address) 192.168.5.10 Client source IP address
dest_ip (IP address) 192.168.3.1 Destination IP address
vs_name (string) Common/my_vs Reporting virtual server name and partition
policy_name (string) My security policy Name of the security policy reporting the violatio
violations (string) Active mode Violation name
virus_name (string) <name of virus> Virus name
management_ip_address (IP address) 192.168.1.246 BIG-IP system management IP address
unit_hostname (string) bigip-4.pme-ds.f5.com BIG-IP system FQDN
request_status (string) Blocked Action applied to the client request
dest_port (integer) 80 Protocol port number (non-negative)
src_port (integer) 80 Protocol port number (non-negative)
route_domain (integer) 1 Route domain number (non-negative)
geo_location (string) NY, NY, USA City, state, country location information
violation_details (string) port/sendport 10,3,0,33,42,88 Violation description and the values passed

Protocol Security example events

This list contains examples of events you might find in the Protocol Security logs.

Example of Protocol Security log message in the ArcSight format
Oct 5 11:49:13 bigip-3.pme-ds.f5.com PSM:CEF:0|F5|PSM|11.3.0|Active mode|Active mode|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=port/sendport 10,3,0,33,7,223 cs3Label=violation_details msg=N/A
Oct 5 11:49:13 bigip-3.pme-ds.f5.com PSM:CEF:0|F5|PSM|11.3.0|FTP commands|FTP commands|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=nlist/mls cs3Label=violation_details msg=N/A
Oct 5 11:49:23 bigip-3.pme-ds.f5.com PSM:CEF:0|F5|PSM|11.3.0|FTP commands|FTP commands|5|app=FTP src=10.3.1.104 spt=1394 dst=10.3.1.204 dpt=21 cs1=ftp_security cs1Label=policy_name cs2=/Common/FTP-3 cs2Label=vs_name dvc=192.168.73.33 dvchost=bigip-3.pme-ds.f5.com act=alerted cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address cs3=pwd cs3Label=violation_details msg=N/A
Example of Protocol Security log message in the Remote Server format
Oct 5 11:55:18 bigip-3.pme-ds.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3", policy_name="ftp_security",violations="Active mode",virus_name="N/A", management_ip_address="192.168.73.33",unit_hostname="bigip-3.pme-ds.f5.com", request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A", violation_details="port/sendport 10,3,0,33,42,88"
Oct 5 11:55:18 bigip-3.pme-ds.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3", policy_name="ftp_security",violations="FTP commands",virus_name="N/A", management_ip_address="192.168.73.33",unit_hostname="bigip-3.pme-ds.f5.com", request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A", violation_details="list/dir/mdir"
Oct 5 11:55:23 bigip-3.pme-ds.f5.com PSM:protocol="FTP",ip_client="10.3.1.104",dest_ip="10.3.1.204",vs_name="/Common/FTP-3", policy_name="ftp_security",violations="FTP commands",virus_name="N/A", management_ip_address="192.168.73.33",unit_hostname="bigip-3.pme-ds.f5.com", request_status="alerted",dest_port="21",src_port="1397",route_domain="0",geo_location="N/A", violation_details="pwd"
Example of Protocol Security log message in the Syslog format
Oct 5 11:37:14 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1355","0","N/A","port/sendport 10,3,0,33,42,22"
Oct 5 11:37:14 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1355","0","N/A","nlist/mls"
Oct 5 11:37:23 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1355","0","N/A","cwd .."
Example of Protocol Security log message in the Syslog BSD format
Oct 5 11:46:26 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1388","0","N/A","port/sendport 10,3,0,33,7,217"
Oct 5 11:46:26 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1388","0","N/A","nlist/mls"
Example of Protocol Security log message in the Syslog legacy format
Oct 5 11:43:01 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","Active mode","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1370","0","N/A","port/sendport 10,3,0,33,7,197"
Oct 5 11:43:01 bigip-3.pme-ds.f5.com PSM:"FTP","10.3.1.104","10.3.1.204","/Common/FTP-3","ftp_security","FTP commands","N/A","192.168.73.33","bigip-3.pme-ds.f5.com","alerted","21","1370","0","N/A","nlist/mls"

Fields in DNS event messages

This table lists the fields that are contained in event messages that might display in the DNS logs. The fields are listed in the order in which they appear in a message in the log.

Field name and type Example value Description
errdefs_msgno (integer) 23003141 Static number 23003141
date_time (string) 11 13 2012 12:12:10 Date and time the event occurred in this format: MMM DD YYYY HH:MM:SS
bigip_mgmt_ip (IP address) 192.168.1.246 BIG-IP system management IP address
hostname (string) bigip-4.pme-ds.f5.com BIG-IP system FQDN
context_name (string) /Common/vs1_udp Partition in which the virtual server resides and name of virtual server
vlan (string) External Name of the VLAN interface
query_type (string) A Type of DNS query causing the attack
dns_query_name (string) siterequest.com Name being queried
partition_name (string) Common Name of the partition in which the virtual server resides
attack_type (string) CNAME DNS query causing the attack
action (string) None, Drop, Allow Action performed or reported
src_ip (IP address) 192.168.3.1 Source IP address
dest_ip (IP address) 192.168.3.2 Destination IP address
src_port (integer) 80 Protocol port number (non-negative)
dest_port (integer) 80 Protocol port number (non-negative)
route_domain (integer) 1 Route domain number (non-negative)

DNS attack types

This table lists DNS attack types and provides a short description and classification. The attack types are listed in alphabetical order by attack name. These attacks are the DNS queries that a client can request. If the requests are received at a high rate and exceed the configured watermark they generate a DNS DoS event

Attack name (RFC number) Description
a6 (1035) Returns a 32-bit IPv4 IP address record
aaaa (3596) Returns a 128-bit IPv6 address record
afsdb (1183) Location of database servers of an AFS database record record
any (1035) Returns all cached records of all types
atma ATM address
axfr (1035) Authoritative zone transfer
cert (4398) Stores PKIX, SPKI, and PGP certificate record
cname (1035) Alias of one name to another (canonical name record)
dname (2672) DNAME (delegation name) creates an alias for a name and all its subnames
eid Endpoint identifier
gpos (1712) Geographical position (state, country)
hinfo (1035) Host information
isdn (1183) ISDN address
ixfr (1996) Incrementatl zone transfer
key (2535, 2930) Used only for SIG(0) (RFC 2931) and TKEY (RFC 2930).[5] key records
kx (2535, 2930) Key exchange record identifies a key management agent for the associated domain-name (not associated with DNSSEC)
loc (1876) Location record
maila (1035) Request for mail agent resource records
mailb (1035) Mailbox or mail list information (MINFO)
mb (1035) Mailbox domain name
md Mail destination
mf (1035) Mail forwarder
mg (1035) Mail group member
minfo (1035) Mailbox or mail list information
mr (1035) Mail rename domain name
mx (1035) Mail exchange record
naptr (3403) Naming authority pointer
nimloc (1002) Nimrod locator
ns (1035) Nameserver record
nsap (1706) NSAP style A record
nsap-ptr (1348) NSAP style domain name pointer
null (1035) Null resource record
nxt (2535) Next domain
opt (2671) Pseudo DNS record type that supports EDNS
ptr (1035) Pointer to a canonical name
px (2163) X.400 mail mapping information
rp (1183) Contact information for the person(s) responsible for the domain
rt (1183) Route through
sg (2535) Signature record
sink DNS sinkhole
soa (1035) Start of authority record
srv (2782) Service locator record
tkey (2930) Secret key record
tsig (2845) Transaction signature that authenticates dynamic updates as coming from an approved client, or authenticates responses as coming from an approved recursive name server
txt (1035) Text record
wks Sender Policy Framework, DKIM, and DMARC DNS-SD
x25 (1183) X.25 PSDN address
zxfr Compressed zone transfer

DNS example events

This list contains examples of events you might find in the DNS logs.

Example of DNS log message in the ArcSight CEF format
Oct 12 13:35:47 10.3.0.33 CEF:0|F5|Advanced Firewall Module|11.3.0.2206.0|23003139|DNS Event|8|rt=Oct 12 2012 13:29:24 dvchost=bigip-3.pme-ds.f5.com dvc=192.68.73.33 src=10.3.1.104 spt=54629 dst=10.3.1.202 dpt=53 cs1=/Common/DNS-3-udp-vs cs1Label=virtual_name cs2=/Common/external cs2Label=vlan cs3=SRV cs3Label=query_type act=Drop cs4=_ldap._tcp.dc._msdcs.siterequest.com cs4Label=query_name cs5=query opcode cs5Label=attack_type c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address
Example of DNS log message in the Reporting Server format
"Oct 26 2012 06:23:13","192.168.69.245","asm245.labt.ts.example.com","/Common/vs2_udp","/Common/vlan1","A","domain1.local","A","Drop","10.10.10.2","10.10.10.251","4000","53","0"
Example of DNS log message in the Syslog format
"Oct 26 2012 06:23:13","192.168.69.245","asm245.labt.ts.example.com","/Common/vs2_udp","/Common/vlan1","A","domain1.local","A","Drop","10.10.10.2","10.10.10.251","4000","53","0"

Fields in DNS DoS event messages

This table lists the fields that are contained in event messages that might display in the Network DNS DoS logs. The fields are listed in the order in which they appear in a message in the log.

Field name and type Example value Description
errdefs_msgno (integer) 23003141 Static number
errdefs_msg_name (string) DNS DoS Event Name of event
date_time (string) 11 13 2012 12:12:10 Date and time event occurred in this format: MMM DD YYYY HH:MM:SS
bigip_mgmt_ip (IP address) 192.168.1.246 BIG-IP system management IP address
hostname (string) bigip-4.pme-ds.f5.com BIG-IP system FQDN
context_name (string) /Common/vs1_udp Partition in which the virtual server resides and name of virtual server
vlan (string) External Name of VLAN interface
dns_query_type (string) A Type of DNS query causing the attack
dns_query_name (string) f5.com Name being queried
src_ip (IP address) 192.168.3.1 Source IP address
dest_ip (IP address) 192.168.3.1 Destination IP address
src_port (integer) 80 Protocol port number (non-negative)
dest_port (integer) 80 Protocol port number (non-negative)
partition_name (string) Common Name of the partition in which the virtual server resides
dos_attack_name (string) A query DOS Name of attack
dos_attack_id (integer) 1005891899 Unique, non-negative, attack instance ID
dos_attack_event (string) Attack Sampled Status of attack
action (string) None, Drop, Allow Action performed or reported

DNS DoS attack types

This table lists DNS DoS attack types and provides a short description and classification. The attack types are listed in alphabetical order by attack name.

Attack name (RFC) Description Value description
A query DOS (RFC 1035) Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host, but also used for DNSBLs, storing subnet masks in RFC 1101. Address record
PTR query DOS (RFC 1035) Pointer to a canonical name. Unlike a CNAME, DNS processing does not proceed, and only the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as DNS-SD. Pointer record
NS query DOS (1035) Delegates a DNS zone to use the given authoritative name servers. Name service record
SOA query DOS (1035) Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone. Start of authority record
CNAME query DOS (1035) Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name. Canonical name record
MX query DOS (1035) Maps a domain name to a list of message transfer agents for that domain. Mail exchange record
AAAA query DOS (3596) Returns a 128-bit IPv6 address, most commonly used to map hostnames to an IP address of the host. IPv6 address record
TXT query DOS (1035) Originally for arbitrary human-readable text in a DNS record, however, this record often carries machine-readable data, such as specified by RFC 1464, opportunistic encryption, Sender Policy Framework, DKIM, and DMARC DNS-SD. Text record
SRV query DOS (2782) Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX. Service locator
AXFR query DOS (1035) Request for a transfer of an entire zone. Request
IXFR query DOS (1995) Incremental transfer of records in the zone. Request
ANY query DOS (1035) Request for all records. Request
Malformed DOS Generated by a DNS packet in which one of the fields, for example, opcode, query_type or query_name, contains invalid information.  
Malicious DOS Generated by malicious packets, that is, malformed DNS packets with references that are invalid.  
Other Query DOS Queries, not listed in this table, which are being used to attack nameservers.  

DNS DoS example events

This list contains examples of events you might find in the DNS DoS attack logs.

Example of DNS DoS attack log message in the Syslog format
"Oct 30 2012 10:57:09","192.168.56.179","Surya_BIG_IP_VM1.example.com","/Common/vs_192_168_57_177_53_gtm","/Common/external","A","surya.example.com","192.168.56.171","192.168.57.177","43835","53","0","A query DOS","1005891899","Attack Sampled","Allow"

BIG-IP system process example events

This list contains examples of events you might find in BIG-IP system logs. Please be aware that system log messages might be truncated, because the UDP protocol cannot send large messages. Note that using the TCP protocol impacts performance.

Example Syslog log entry for the system audit log

This log entry provides confirmation of a successful configuration save.

1 2012-11-01T18:07:13Z bigip-3.pme-ds.f5.com tmsh 29639 01420002:5: 
[F5@12276 hostname="bigip-3.pme-ds.f5.com" errdefs_msgno="01420002:5:"] 
AUDIT - pid=29639 user=root folder=/Common module=(tmos)# 
status=[Command OK] cmd_data=save / sys config partitions all

Example Syslog log entry for the application security log

This log entry provides confirmation of the end of a DoS attack.

Nov 01 14:15:44 10.3.0.33 1 2012-11-01T18:09:38Z bigip-3.pme-ds.f5.com 
2 28965 01010253:5: [F5@12276 hostname="bigip-3.pme-ds.f5.com" 
errdefs_msgno="01010253:5:"] A DOS attack has stopped for vector Ethernet 
broadcast packet, Attack ID 188335952.