BigIP: How Logs Work?

This comprehensive blog post provides a detailed breakdown of configuring security policies in BIG-IP ASM, covering essential elements such as policy types, enforcement modes, learning modes, and signature accuracy settings, offering practical examples and explanations for each component.

Violation Categories

| Positive Security | Negative Security |
| --- | --- |
| File types, URLs, parameters | Attack Signatures |
| Headers | HTTP protocol compliance failed |
| Cookies | Evasion technique detected |

Additional security checks

| Security Check | Explanation |
| --- | --- |
| Session Awareness | Maintaining stateful session information across multiple requests |
| Web Services Security | Ensuring the security of web services APIs |
| Brute force protection | Preventing unauthorized access attempts through repeated guessing |
| Web scraping | Detecting and preventing automated scraping of web content |
| Data Guard (information leakage) | Protecting sensitive data from being exposed |
| Geolocation enforcement | Restricting access based on geographical location |
| Bot detection | Identifying and mitigating automated bot traffic |
| Login page enforcement | Ensuring security measures are applied on login pages |

How violations are categorized

Entities

| Entity Types with attributes | Explanation | Example |
| --- | --- | --- |
| File types | Specific file types that are checked for security compliance | Allowed: .html, .exe; Not allowed: .php, .ini |
| URLs | URLs that are validated for compliance | Checking if a URL contains forbidden patterns |
| Parameters | URL parameters that are scrutinized | id, token in query strings |
| Cookies | Cookies that are assessed | Validating cookie structure and content |
| Headers | HTTP headers that are analyzed | Checking for specific headers like User-Agent |
| Content profiles | Profiles used to validate web content | Ensuring that the content follows a predefined structure |
| Redirection domains | Domains that are verified for redirection | Ensuring that redirects are only to allowed domains |

  • Entities have at least one configurable attribute (such as byte length).
  • Entities can have multiple occurrences.
  • New instances may be learnable (suitable for addition to the security policy).

Items

| Violation Items | Explanation | Example |
| --- | --- | --- |
| HTTP protocol checks | Ensures that the HTTP protocol is followed correctly | Validating HTTP request structure |
| Evasion techniques | Detects techniques used to bypass security | Obfuscation of a payload to avoid detection |
| Attack Signatures | Identifies known patterns of attacks | SQL injection patterns |
| Meta characters | Checks for special characters used maliciously | Characters like <, >, % |
| HTTP methods | Validates the HTTP methods used | Allowing only GET and POST methods |
| Geolocations | Checks the geographical origin of requests | Blocking requests from certain regions |
| Redirection domains | Validates domains involved in redirection | Ensuring redirections only go to trusted domains |

  • Items can be:
    • Present and enabled
    • Present and disabled
    • Not present

Rating Definitions

| Rating | Definition |
| --- | --- |
| 0 | Not rated = no violation. This rating indicates that there are no detected issues, and the request is deemed safe. |
| 1 | Most likely a false positive. This suggests that the request appears suspicious but is probably harmless. |
| 2 | Looks like a false positive; requires examination. The request has characteristics of a false positive but needs closer inspection to confirm. |
| 3 | Needs further examination. The request has some concerning features and should be reviewed in detail to determine its intent. |
| 4 | Looks like a threat but requires examination. The request is likely malicious, but a thorough investigation is necessary to be certain. |
| 5 | Request is most likely a threat. The request is highly suspicious and should be treated as a probable threat. Immediate action may be required. |

Violation Rating: Calculation criteria

The violation rating criteria of the BIG-IP WAF combine several factors into a single 0 to 5 score that expresses how likely a request is to be a real threat rather than a false positive.

  1. Signature Accuracy & Signature Severity:
    • Example: If a request matches a known SQL injection attack signature, the severity rating increases based on the severity level assigned to that signature.
  2. User IP Address Location (WAN/LAN):
    • Example: Requests originating from a known malicious IP address (WAN) receive a higher violation rating compared to requests from a trusted internal network (LAN).
  3. Meta Character Violation:
    • Example: If a request contains unusual characters commonly used in injection attacks, such as semicolons or quotation marks, it raises suspicion and increases the violation rating.
  4. Signature Violation — Numerous Hits:
    • Example: Multiple requests matching the same attack signature within a short timeframe indicate a concerted attack, resulting in a higher violation rating.
  5. Signature Violation — Multiple Categories:
    • Example: If a request triggers multiple different types of attack signatures (e.g., SQL injection and cross-site scripting), it indicates a sophisticated attack, warranting a higher violation rating.
  6. Server Response — Lower Rating when Error 500 Occurs without Other Violations:
    • Example: If a server responds with an error 500 status code without any other indications of an attack, the violation rating may be lower as it could be due to server misconfiguration rather than an actual attack.
  7. Cookie Tampering — Higher Rating:
    • Example: Modifying session cookies in a request to gain unauthorized access to a user’s account would result in a higher violation rating.
  8. Evasion Techniques Found Alongside Attack Signatures — Higher Rating:
    • Example: If an attacker attempts to obfuscate their attack payload to evade detection while triggering known attack signatures, it indicates a deliberate effort to bypass security measures, leading to a higher violation rating.
  9. IP Reputation — Higher Rating when Client on Suspicious IP:
    • Example: Requests originating from IP addresses with a history of malicious activity or flagged by threat intelligence services receive a higher violation rating due to the increased likelihood of an attack.
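The nine criteria above as an illustrative scoring model, added here as an example and not F5's actual algorithm or code: the feature names, weights and thresholds are assumptions, chosen only so that each criterion moves the 0 to 5 rating in the direction the list describes (a lone HTTP 500 stays low, cookie tampering and evasion push it up).

```python
"""Illustrative model of how the listed criteria shape a violation rating."""
from dataclasses import dataclass

# Assumed weights: a high-accuracy signature counts its full severity.
ACCURACY_WEIGHT = {"low": 0.5, "medium": 0.75, "high": 1.0}


@dataclass
class RequestFacts:
    """Constructed feature set for one request (field names are assumptions)."""
    signature_severity: int = 0        # highest severity of matched signatures, 0..5
    signature_accuracy: str = "high"   # accuracy of that signature
    signature_hits: int = 0            # hits on the same signature in a short window
    signature_categories: int = 0      # distinct attack categories matched
    client_is_wan: bool = False        # request came from outside the trusted LAN
    meta_char_violation: bool = False  # criterion 3
    server_error_500: bool = False     # criterion 6
    cookie_tampering: bool = False     # criterion 7
    evasion_detected: bool = False     # criterion 8
    ip_reputation_bad: bool = False    # criterion 9


def violation_rating(f: RequestFacts) -> int:
    """Map the criteria to a 0..5 rating; 0 means no violation at all."""
    score = 0.0
    if f.signature_hits > 0:
        # 1. accuracy and severity of the matched signature
        score += f.signature_severity * ACCURACY_WEIGHT.get(f.signature_accuracy, 0.5)
        if f.signature_hits >= 3:         # 4. numerous hits on one signature
            score += 1
        if f.signature_categories >= 2:   # 5. several categories at once
            score += 1
        if f.evasion_detected:            # 8. evasion only counts beside a signature
            score += 1
    if f.meta_char_violation:             # 3. injection-style meta characters
        score += 1
    if f.cookie_tampering:                # 7. strong indicator, weighted double
        score += 2
    if f.ip_reputation_bad:               # 9. client on a suspicious IP
        score += 1
    if f.server_error_500:                # 6. a 500 with nothing else is rated low
        score = score + 1 if score else 1
    if score and f.client_is_wan:         # 2. WAN origin raises an existing rating
        score += 0.5
    if score == 0:
        return 0
    return max(1, min(5, int(score + 0.5)))   # round half up, clamp to 1..5
```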

Request status

| Symbol | Meaning |
| --- | --- |
| (icon) | Valid request |
| (icon) | Blocked illegal request |
| (icon) | Flagged illegal request |
| (icon) | Un-blocked request |
| + | Valid request (but triggered a violation) |

Staging and Enforcing

| Signature Staging | Enforcement Mode | Result |
| --- | --- | --- |
| Transparent | Transparent | No blocking (logging) |
| Transparent | Enforced | Blocking |
| Enforced | Transparent | No blocking (logging) |
| Enforced | Enforced | Blocking |

Learn, Alarm and Block

| Mode | Description | Example |
| --- | --- | --- |
| Learn | Collects data on normal traffic patterns | During Learn Mode, the WAF observes that most user requests are GET requests with typical parameters and URL structures. It learns that certain IP addresses frequently access specific resources without any suspicious behavior. |
| Alarm | Generates alerts for detected threats | In Alarm Mode, the WAF detects an influx of POST requests with unusually long payloads, indicating a potential SQL injection attack. It generates alerts for administrators to investigate further without blocking the requests. |
| Block | Actively blocks requests identified as threats | In Block Mode, the WAF identifies a series of requests with known attack signatures attempting to exploit a vulnerability. It immediately blocks these requests to prevent any potential harm to the system or application. |

Enforcement readiness

Enforcement Readiness Example:

| Day | Activity | Action | Result |
| --- | --- | --- | --- |
| 1 | Configure WAF Policies and Signatures | Define policies and enable attack signatures | Policies and signatures are set up. |
| 2 | Monitor Traffic | Monitor incoming traffic for patterns and anomalies | No attacks detected. |
| 3 | Analyze Logs | Review logs for any suspicious activity | No attacks detected. |
| 4 | Analyze Logs | Continue reviewing logs for any patterns | No attacks detected. |
| 5 | Signature Triggering | Attack signature triggered | WAF suggests enforcement based on severity. |
| 6 | Review Suggested Enforcements | Admin reviews suggestions and decides whether to enforce or not | Admin enforces critical signatures. |
| 7 | Continual Monitoring | Monitor traffic for any new attacks | No attacks detected. |
| 8 | Manual Enforcement | Admin manually enforces any untriggered signatures | WAF now enforces all critical signatures. |

On the 5th day, an attack signature is triggered, indicating potential threats. The WAF suggests enforcement based on the severity of the signature. The admin reviews the suggestions and decides to enforce critical signatures.

On the 8th day, the admin manually enforces any remaining untriggered signatures to ensure comprehensive protection.

Managing Triggered Signatures:

| Signature State | Action | Result |
| --- | --- | --- |
| Triggered | Manual Enforcement | Signature is enforced. |
| Untriggered | Manual Enforcement | Signature is enforced. |
| Triggered | No Action | Signature remains triggered. |
| Untriggered | No Action | Signature stays in learning suggestion. |

Triggered signatures are enforced either manually or automatically based on severity. Untriggered signatures remain in learning suggestions until enforced.

Avoiding False Positives:

  • Regularly review and update WAF policies and signatures to align with evolving threats.
  • Utilize whitelists for known benign entities to reduce false positives.
  • Continuously monitor and adjust WAF configurations based on traffic patterns and attack trends.

Learning Suggestions
