F5 custom rule triggers by false log group


Yossif Helmy

Apr 9, 2024, 2:56:51 AM
to Wazuh | Mailing List
Hello all,

Good day. I have a rule that I made related to 0695-f5_rules.xml where I have made a custom rule file of. The rule is as follows:
<group name="f5-bigip-cef,">
  <!-- CEF decoded grouped rules -->
  <rule id="65293" level="0">
    <decoded_as>f5-bigip-cef</decoded_as>
    <description>F5 BigIP CEF decoded grouped alerts</description>
  </rule>

  <!-- ASM Violations -->
  <rule id="65296" level="6">
    <if_sid>65293</if_sid>
    <match>cs4Label=attack_type</match>
    <field name="attack" type="pcre2">^(?!^N\/A$|^$).*</field>
    <field name="violation.rating" type="pcre2">^(4|5)$</field>
    <description>F5 BigIP ASM: Violation detected level $(violation.rating)</description>
  </rule>

  <rule id="165299" level="2">
    <if_sid>65293</if_sid>
    <match>cs4Label=attack_type</match>
    <field name="attack" type="pcre2">^(?!^N\/A$|^$).*</field>
    <field name="violation.rating" type="pcre2">^(0|1|2|3)$</field>
    <description>F5 BigIP ASM: Violation detected level $(violation.rating)</description>
  </rule>

  <rule id="165296" level="12">
    <if_sid>65296</if_sid>
    <field name="http.status" type="pcre2">^2</field>
    <description>F5 BigIP ASM: Successful attack detected level $(violation.rating)</description>
    <mitre>
      <id>T1190</id>
    </mitre>
    <group>attack,pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <!-- ASM Illegal action -->
  <rule id="65294" level="6">
    <if_sid>65296</if_sid>
    <field name="type">Illegal</field>
    <description>F5 BigIP ASM: Illegal action detected level $(violation.rating)</description>
  </rule>

  <rule id="165294" level="12">
    <if_sid>65294</if_sid>
    <field name="http.status" type="pcre2">^2</field>
    <description>F5 BigIP ASM: Successful Illegal action detected level $(violation.rating)</description>
    <mitre>
      <id>T1190</id>
    </mitre>
    <group>attack,pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <!-- ASM sql injection -->
  <rule id="65295" level="6">
    <if_sid>65296</if_sid>
    <field name="attack">SQL-Injection</field>
    <description>F5 BigIP ASM: SQL injection detected level $(violation.rating)</description>
    <mitre>
      <id>T1190</id>
    </mitre>
  </rule>

  <rule id="165295" level="13">
    <if_sid>65295</if_sid>
    <field name="http.status" type="pcre2">^2</field>
    <description>F5 BigIP ASM: Successful SQL injection detected level $(violation.rating)</description>
    <mitre>
      <id>T1190</id>
    </mitre>
    <group>attack,pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <!-- ASM Anomaly -->
  <rule id="65297" level="6">
    <if_sid>65293</if_sid>
    <match>cn3Label=attack_id</match>
    <field name="cn3" type="pcre2">^(?!^N\/A$|^$).*</field>
    <description>F5 BigIP ASM: Anomaly detected, attack_id is $(cn3), status is $(attack)</description>
  </rule>

  <rule id="165297" level="12">
    <if_sid>65297</if_sid>
    <field name="http.status" type="pcre2">^2</field>
    <description>F5 BigIP ASM: Successful Anomaly detected, attack_id is $(cn3), status is $(attack)</description>
    <mitre>
      <id>T1190</id>
    </mitre>
    <group>attack,pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>

  <rule id="165298" level="10" timeframe="120" frequency="5" ignore="240">
    <if_matched_group>f5-bigip-cef</if_matched_group>
    <if_level>2</if_level>
    <same_srcip />
    <description>F5 BigIP ASM: Multiple attack signatures from $(srcip)</description>
    <group>pci_dss_6.5,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
    <mitre>
      <id>T1498</id>
    </mitre>
  </rule>
</group>

Rule ID 165298 should supposedly trigger only if the matched group is the one I made, f5-bigip-cef, the rule level is 2, and the source IP is the same within a timeframe of 2 minutes. Apparently, the fifth log that triggers it is a FortiGate log coming from 0391-fortigate_rules.xml. Please check the attached screenshot.

I tested the same scenario with the same logs on my Wazuh test server to see if they triggered, and that rule didn't trigger. The production environment has a cluster of 3 Wazuh servers/managers. Any idea how to fix this?

Thank you for your attention to this matter.

Screenshot 2024-04-09 085327.png

Javier Bejar

Apr 10, 2024, 8:30:12 AM
to Wazuh | Mailing List
Hi Yossif,

The frequency rules only take into account the events sent to the same node and from the same agent, so if one event is sent to a different node, or, on the same node, the events come from different agents, the condition won't be met. I'm afraid this is a limitation of the Wazuh cluster.

So, you could try to make the agents that generate the frequency events always send to the same server node, and use global_frequency to avoid the single-agent limitation if that's the case. Either way, to correlate, you need to process the events on the same server node.

Regards, Javier.
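As an added illustration of the limitation described above (this is example code, not Wazuh's own implementation), the following Python models rule 165298's frequency logic: only alerts whose rule groups contain f5-bigip-cef and whose level is 2 are counted, and the counter is kept per (node, agent, srcip), so a FortiGate alert or an event processed on another cluster node never contributes. The constructed alerts mirror the fields of the JSON shared later in this thread; the model fires on the fifth matching event and does not reproduce Wazuh's exact counter or `ignore` handling, which is an assumption.

```python
import datetime as dt
from collections import defaultdict, deque

# Attributes of rule 165298 from the custom rule file above.
RULE = {"if_matched_group": "f5-bigip-cef", "if_level": 2,
        "frequency": 5, "timeframe": 120}


class FrequencyRule:
    """Toy model of a Wazuh composite (frequency) rule with <same_srcip />."""

    def __init__(self, rule=RULE):
        self.rule = rule
        # Counter is partitioned per (cluster node, agent id, srcip): events
        # seen on another node or from another agent live in a different queue.
        self.history = defaultdict(deque)

    def matches(self, alert):
        """Does this alert satisfy if_matched_group and if_level?"""
        return (self.rule["if_matched_group"] in alert["rule"]["groups"]
                and alert["rule"]["level"] == self.rule["if_level"])

    def feed(self, alert):
        """Return True when the composite rule would fire on this alert."""
        if not self.matches(alert):
            return False  # e.g. a 'fortigate' alert is never counted
        key = (alert["cluster"]["node"], alert["agent"]["id"],
               alert["data"]["srcip"])
        ts = alert["timestamp"]
        q = self.history[key]
        q.append(ts)
        # Drop events older than the timeframe window.
        while ts - q[0] > dt.timedelta(seconds=self.rule["timeframe"]):
            q.popleft()
        if len(q) >= self.rule["frequency"]:
            q.clear()  # assumption: reset after firing, standing in for ignore=
            return True
        return False


def make_alert(node, level, groups, srcip, second, agent_id="000"):
    """Constructed alert with only the fields the model needs."""
    return {"cluster": {"node": node}, "agent": {"id": agent_id},
            "data": {"srcip": srcip},
            "rule": {"level": level, "groups": list(groups)},
            "timestamp": dt.datetime(2024, 4, 15, 9, 8, second)}


def run_scenario(alerts):
    """Feed alerts in order; return one fire/no-fire flag per alert."""
    rule = FrequencyRule()
    return [rule.feed(a) for a in alerts]
```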

Yossif Helmy

Apr 11, 2024, 1:32:31 AM
to Wazuh | Mailing List
Hello Javier,

The logs for both Forti and F5 are being sent to a server node without agent configuration, using syslog. If I used global_frequency, it would have the same output, right?

BR,

Javier Bejar

Apr 12, 2024, 9:07:07 AM
to Wazuh | Mailing List
Hi Yossif,

Yes, in this case it makes no difference, as the events are on the same node and from the same agent (the manager agent).

Could you please share a JSON output of the level 2 alert, so I can test it? Feel free to redact any data.

Yossif Helmy

Apr 15, 2024, 3:31:12 AM
to Wazuh | Mailing List
Hello Javier,

I hope this helps:

{
  "_index": "wazuh-archives-4.x-2024.04.15",
  "_id": "1xxxx",
  "_version": 1,
  "_score": null,
  "_source": {
    "cluster": {
      "node": "xxx",
      "name": "wazuh"
    },
    "agent": {
      "name": "xxx",
      "id": "000"
    },
    "data": {
      "msg": "N/A",
      "request": "GET /url HTTP/1.1\\r\\nuser-agent: Dart/3.2 \\r\\naccept-encoding: gzip\\r\\ncontent-type: application/json\\r\\nX-Forwarded-For: x.x.x.x\\r\\nX-Custom-XFF: x.x.x.x\\r\\n\\r\\n\r",
      "srcip": "x.x.x.x",
      "rt": "Apr 15 2024 09:08:56",
      "cs5": "x.x.x.x",
      "dstport": "443",
      "microservice": "N/A",
      "cn3Label": "device_id",
      "suid": "xxx",
      "deviceExternalId": "0",
      "srccountry": "XX",
      "c6a2Label": "source_address",
      "act": "alerted",
      "dstuser": "N/A",
      "dvchost": "xxx",
      "attack": "HTTP Parser Attack",
      "c6a3Label": "destination_address",
      "dstip": "x.x.x.x",
      "deviceCustomDate1Label": "policy_apply_date",
      "event": {
        "desc": "HTTP protocol compliance failed"
      },
      "policy": {
        "name": "/xxx"
      },
      "app": "HTTPS",
      "cs5Label": "x_forwarded_for_header_value",
      "c6a4Label": "ip_address_intelligence",
      "deviceCustomDate1": "Apr 04 2024 23:35:10",
      "externalId": "xxx",
      "cn3": "0",
      "url": "/url",
      "violation": {
        "rating": "3"
      },
      "srcport": "xxx",
      "http": {
        "method": "GET",
        "class": {
          "name": "/xxx"
        },
        "version": "HTTP/1.1",
        "status": "200"
      },
      "c6a1Label": "device_address"
    },
    "rule": {
      "firedtimes": 43,
      "mail": false,
      "level": 2,
      "description": "F5 BigIP ASM: Violation detected level 3",
      "groups": [
        "f5-bigip-cef"
      ],
      "id": "xxx"
    },
    "full_log": "Apr 15 09:08:56 xxx ASM:CEF:0|F5|ASM|16.1.2|Body in GET or HEAD requests|HTTP protocol compliance failed|5|dvchost=xxx dvc=x.x.x.x cs1=/xxx_api cs1Label=policy_name cs2=/xxx_api cs2Label=http_class_name deviceCustomDate1=Apr 04 2024 23:35:10 deviceCustomDate1Label=policy_apply_date externalId=xxx act=alerted cn1=200 cn1Label=response_code src=x.x.x.x spt=2095 dst=x.x.x.x dpt=443 requestMethod=GET app=HTTPS cs5=x.x.x.x cs5Label=x_forwarded_for_header_value rt=Apr 15 2024 09:08:56 deviceExternalId=0 cs4=HTTP Parser Attack cs4Label=attack_type cs6=XX cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4= c6a4Label=ip_address_intelligence msg=N/A suid=9c052f35dd16e6ea suser=N/A cn2=3 cn2Label=violation_rating cn3=0 cn3Label=device_id microservice=N/A request=/url cs3Label=full_request cs3=GET /url HTTP/1.1\\r\\nuser-agent: Dart/3.2 \\r\\naccept-encoding: gzip\\r\\ncontent-type: application/json\\r\\nX-Forwarded-For: x.x.x.x\\r\\nX-Custom-XFF: x.x.x.x\\r\\n\\r\\n\r",
    "id": "xxx",
    "timestamp": "2024-04-15T07:08:58.370+0000",
    "predecoder": {
      "hostname": "xxx",
      "program_name": "ASM",
      "timestamp": "Apr 15 09:08:56"
    },
    "manager": {
      "name": "xxx"
    },
    "decoder": {
      "name": "f5-bigip-cef"
    },
    "input": {
      "type": "log"
    },
    "@timestamp": "2024-04-15T07:08:58.370Z",
    "location": "x.x.x.x",
    "GeoLocation": {
      "city_name": "xx",
      "country_name": "XX",
      "region_name": "xxx",
      "location": {
        "lon": 31.2852,
        "lat": 30.0778
      }
    }
  },
  "fields": {
    "@timestamp": [
      "2024-04-15T07:08:58.370Z"
    ],
    "timestamp": [
      "2024-04-15T07:08:58.370Z"
    ]
  },
  "highlight": {
    "decoder.name": [
      "@opensearch-dashboards-highlighted-field@f5-bigip-cef@/opensearch-dashboards-highlighted-field@"
    ],
    "location": [
      "@opensearch-dashboar...@x.x.x.x@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    x
  ]
}

Javier Bejar

Apr 22, 2024, 9:53:45 AM
to Wazuh | Mailing List
Hi Yossif,

Sorry for the late response. I tested the full_log and the rule matching is 65296; none of your alerts are catching the event, so the frequency rule won't be triggered.

Here is the output:
Apr 15 09:08:56 xxx ASM:CEF:0|F5|ASM|16.1.2|Body in GET or HEAD requests|HTTP protocol compliance failed|5|dvchost=xxx dvc=x.x.x.x cs1=/xxx_api cs1Label=policy_name cs2=/xxx_api cs2Label=http_class_name deviceCustomDate1=Apr 04 2024 23:35:10 deviceCustomDate1Label=policy_apply_date externalId=xxx act=alerted cn1=200 cn1Label=response_code src=x.x.x.x spt=2095 dst=x.x.x.x dpt=443 requestMethod=GET app=HTTPS cs5=x.x.x.x cs5Label=x_forwarded_for_header_value rt=Apr 15 2024 09:08:56 deviceExternalId=0 cs4=HTTP Parser Attack cs4Label=attack_type cs6=XX cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4= c6a4Label=ip_address_intelligence msg=N/A suid=9c052f35dd16e6ea suser=N/A cn2=3 cn2Label=violation_rating cn3=0 cn3Label=device_id microservice=N/A request=/url cs3Label=full_request cs3=GET /url HTTP/1.1\r\nuser-agent: Dart/3.2 \r\naccept-encoding: gzip\r\ncontent-type: application/json\r\nX-Forwarded-For: x.x.x.x\r\nX-Custom-XFF: x.x.x.x\r\n\r\n

**Phase 1: Completed pre-decoding.
        full event: 'Apr 15 09:08:56 xxx ASM:CEF:0|F5|ASM|16.1.2|Body in GET or HEAD requests|HTTP protocol compliance failed|5|dvchost=xxx dvc=x.x.x.x cs1=/xxx_api cs1Label=policy_name cs2=/xxx_api cs2Label=http_class_name deviceCustomDate1=Apr 04 2024 23:35:10 deviceCustomDate1Label=policy_apply_date externalId=xxx act=alerted cn1=200 cn1Label=response_code src=x.x.x.x spt=2095 dst=x.x.x.x dpt=443 requestMethod=GET app=HTTPS cs5=x.x.x.x cs5Label=x_forwarded_for_header_value rt=Apr 15 2024 09:08:56 deviceExternalId=0 cs4=HTTP Parser Attack cs4Label=attack_type cs6=XX cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4= c6a4Label=ip_address_intelligence msg=N/A suid=9c052f35dd16e6ea suser=N/A cn2=3 cn2Label=violation_rating cn3=0 cn3Label=device_id microservice=N/A request=/url cs3Label=full_request cs3=GET /url HTTP/1.1\r\nuser-agent: Dart/3.2 \r\naccept-encoding: gzip\r\ncontent-type: application/json\r\nX-Forwarded-For: x.x.x.x\r\nX-Custom-XFF: x.x.x.x\r\n\r\n'
        timestamp: 'Apr 15 09:08:56'
        hostname: 'xxx'
        program_name: 'ASM'

**Phase 2: Completed decoding.
        name: 'f5-bigip-cef'
        act: 'alerted'
        app: 'HTTPS'
        c6a1Label: 'device_address'
        c6a2Label: 'source_address'
        c6a3Label: 'destination_address'
        c6a4Label: 'ip_address_intelligence'
        cn1: '200'
        cn1Label: 'response_code'
        cn2: '3'
        cn2Label: 'violation_rating'
        cn3: '0'
        cn3Label: 'device_id'
        cs1: '/xxx_api'
        cs1Label: 'policy_name'
        cs2: '/xxx_api'
        cs2Label: 'http_class_name'
        cs3: 'GET /url HTTP/1.1\r\nuser-agent: Dart/3.2 \r\naccept-encoding: gzip\r\ncontent-type: application/json\r\nX-Forwarded-For: x.x.x.x\r\nX-Custom-XFF: x.x.x.x\r\n\r\n'
        cs3Label: 'full_request'
        cs4: 'HTTP Parser Attack'
        cs4Label: 'attack_type'
        cs5: 'x.x.x.x'
        cs5Label: 'x_forwarded_for_header_value'
        cs6: 'XX'
        cs6Label: 'geo_location'
        deviceCustomDate1: 'Apr 04 2024 23:35:10'
        deviceCustomDate1Label: 'policy_apply_date'
        deviceExternalId: '0'
        dstip: 'x.x.x.x'
        dstport: '443'
        dstuser: 'N/A'
        dvchost: 'xxx'
        externalId: 'xxx'
        message: 'Body in GET or HEAD requests|HTTP protocol compliance failed|5|dvchost=xxx dvc=x.x.x.x cs1=/xxx_api cs1Label=policy_name cs2=/xxx_api cs2Label=http_class_name deviceCustomDate1=Apr 04 2024 23:35:10 deviceCustomDate1Label=policy_apply_date externalId=xxx act=alerted cn1=200 cn1Label=response_code src=x.x.x.x spt=2095 dst=x.x.x.x dpt=443 requestMethod=GET app=HTTPS cs5=x.x.x.x cs5Label=x_forwarded_for_header_value rt=Apr 15 2024 09:08:56 deviceExternalId=0 cs4=HTTP Parser Attack cs4Label=attack_type cs6=XX cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4= c6a4Label=ip_address_intelligence msg=N/A suid=9c052f35dd16e6ea suser=N/A cn2=3 cn2Label=violation_rating cn3=0 cn3Label=device_id microservice=N/A request=/url cs3Label=full_request cs3=GET /url HTTP/1.1\r\nuser-agent: Dart/3.2 \r\naccept-encoding: gzip\r\ncontent-type: application/json\r\nX-Forwarded-For: x.x.x.x\r\nX-Custom-XFF: x.x.x.x\r\n\r\n'
        microservice: 'N/A'
        msg: 'N/A'
        request: '/url'
        requestMethod: 'GET'
        rt: 'Apr 15 2024 09:08:56'
        srcip: 'x.x.x.x'
        srcport: '2095'
        suid: '9c052f35dd16e6ea'

**Phase 3: Completed filtering (rules).
        id: '65296'
        level: '12'
        description: 'F5 BigIP ASM: Violation detected, attack_type is HTTP Parser Attack'
        groups: '['f5-bigip']'
        firedtimes: '8'
        mail: 'True'
**Alert to be generated.

Notice the group is f5-bigip; if you want, you can give your custom rules the same group.

Let me know if this solves your problem. Remember you can test the events using the /var/ossec/bin/wazuh-logtest tool without the hassle of restarting the server. You can pass the full_log field of the decoded event, removing the JSON escaping symbols, to test the events.

Regards, Javier.