Hi all I have a Virtual Server with an Application Security and DoS Profile applied to it. The DoS profile just contains Proactive Bot Defense, Always On. Other features of DoS profile are off. I can see it working when turned on, by cURL'ing the site and seeing the JS response. However these events aren't showing up in any logs, is that expected? It would be nice to be able to see blocked/denied requests to the site to ensure i haven't broken journeys for our customers. Any help would be much appreciated

PowerShellDon, On the Virtual Server do you have a Log Profile assigned to it, if not try with log all requests? I believe it is a requirement to capture these logs. Rgds N

A second, related question... can i customise the response somehow? Rather than just 'Please enable JavaScript to view the page content'

PBD logs are not yet available. It will be implemented in v13.0.

You need to assign a Logging Profile to the virtual server, and make sure you have enabled DoS Logging. Then you should see activity in Event Logs: DoS: Application Events

I am using v13.0 is there a folder in WINSCP i can find to the botdefense logs to download

ASM - Proactive Bot Defense - No Logs?

32 Replies

jba3126

Cirrus

Jun 21, 2018

I have the following iRule that at least the browser detection is working; however I'm uncertain as to how to test the tcp_rst action.

when BOTDEFENSE_ACTION {
    if { [BOTDEFENSE::action] eq "browser_challenge" || [BOTDEFENSE::action] eq "tcp_rst" }  {
        set log "BOTDEFENSE:"
        set hsl [HSL::open -proto TCP -pool /Common/HSL-Syslog]
        append log " source [IP::remote_addr]"
        append log " vs [virtual]"
        append log " host [HTTP::host]"
        append log " uri [HTTP::uri]"
        append log " cs_possible [BOTDEFENSE::cs_possible]"
        append log " cs_allowed [BOTDEFENSE::cs_allowed]"
        append log " cs_attribute(device_id) [BOTDEFENSE::cs_attribute device_id]"
        append log " cookie_status [BOTDEFENSE::cookie_status]"
        append log " cookie_age [BOTDEFENSE::cookie_age]"
        append log " device_id [BOTDEFENSE::device_id]"
        append log " captcha_status [BOTDEFENSE::captcha_status]"
        append log " captcha_age [BOTDEFENSE::captcha_age]"
        append log " default action [BOTDEFENSE::action]"
        append log " reason \"[BOTDEFENSE::reason]\""
     Remove comment on line below if you want to see bot defense logs in /var/log/ltm
        log local0. $log
       HSL::send $hsl $log
       }
     }

/jeff

Dan_Pacheco
Cirrus
Apr 14, 2018
Still running v12.1.2, can you confirm, that you are actually getting PBD logs natively in v13 without an irule? Does it actually work now or is it still a work in progress?

TAC informed me it is not yet available v13, but this thread says different who is right?
- jba3126
  Cirrus
  Jun 21, 2018
  Okay, so at first I was not seeing any events being logged. The reason was the script I was using was triggering the browser_challenge action and it was never making it past that part. When I changed the BOTDEFENSE::action to broswer_challenge I saw the events in the LTM log. I have a few more questions. First is tcp_rst the most optimal action to log against. The second is, instead of writing to LTM, is there a way to log to ASM. The last question would be is there a way to stack the BOTDEFENSE::action response? Say tcp_rst and browser_challenge? Thank you again for the responses and guidance. You have provided more than I've been able to accomplish on my own and I'm grateful.
  
  BOTDEFENSE::action Returns the action to be taken by Bot Defense: how the received HTTP request is handled. The returned value is one of the following strings:
  
  undetermined - the action has not yet been determined; this should only be returned upon an error
  allow - the HTTP request is allowed to go up the chain
  browser_challenge - a browser challenge (HTML + JavaScript) is to be responded to the client
  captcha_challenge - a CAPTCHA challenge is to be responded to the client
  redirect_challenge - a redirection challenge (307 redirect) is to be responded to the client
  tcp_rst - the TCP connection is to be closed using TCP RST
  redirect_to_referring_domain - a 307 redirect response is to be sent to the client, redirecting it to the referring domain
  internal_bigip_response - a response is to be sent to the client, without forwarding the HTTP request up the chain; the response is an internal part of the Bot Defense mechanism
  redirect_with_cookie - a 307 redirect response is to be sent to the client, and this response is an internal port of the Bot Defense mechanism
  custom_response - a custom response is to be sent to the client
  custom_redirect - a custom redirect response is to be sent to the client
  
  /jeff
- Dan_Pacheco
  Cirrus
  Jun 19, 2018
  Hi Jeff, The first part is not required. You can start it off with when BOTDEFENSE_ACTION {
- jba3126
  Cirrus
  Jun 19, 2018
  Dan, Thank you again for the response. I've applied this iRule to our Dev environment for testing and will share results. Last question :) Is the first part required where you capture the HTTP Request required for the BotDefense logging to work? They appear separate functions. Again thank you so much for taking the time to respond!
  
  /jeff
Dan_Pacheco_163
Cirrus
Apr 14, 2018
Still running v12.1.2, can you confirm, that you are actually getting PBD logs natively in v13 without an irule? Does it actually work now or is it still a work in progress?

TAC informed me it is not yet available v13, but this thread says different who is right?
- jba3126
  Cirrus
  Jun 21, 2018
  Okay, so at first I was not seeing any events being logged. The reason was the script I was using was triggering the browser_challenge action and it was never making it past that part. When I changed the BOTDEFENSE::action to broswer_challenge I saw the events in the LTM log. I have a few more questions. First is tcp_rst the most optimal action to log against. The second is, instead of writing to LTM, is there a way to log to ASM. The last question would be is there a way to stack the BOTDEFENSE::action response? Say tcp_rst and browser_challenge? Thank you again for the responses and guidance. You have provided more than I've been able to accomplish on my own and I'm grateful.
  
  BOTDEFENSE::action Returns the action to be taken by Bot Defense: how the received HTTP request is handled. The returned value is one of the following strings:
  
  undetermined - the action has not yet been determined; this should only be returned upon an error
  allow - the HTTP request is allowed to go up the chain
  browser_challenge - a browser challenge (HTML + JavaScript) is to be responded to the client
  captcha_challenge - a CAPTCHA challenge is to be responded to the client
  redirect_challenge - a redirection challenge (307 redirect) is to be responded to the client
  tcp_rst - the TCP connection is to be closed using TCP RST
  redirect_to_referring_domain - a 307 redirect response is to be sent to the client, redirecting it to the referring domain
  internal_bigip_response - a response is to be sent to the client, without forwarding the HTTP request up the chain; the response is an internal part of the Bot Defense mechanism
  redirect_with_cookie - a 307 redirect response is to be sent to the client, and this response is an internal port of the Bot Defense mechanism
  custom_response - a custom response is to be sent to the client
  custom_redirect - a custom redirect response is to be sent to the client
  
  /jeff
- Dan_Pacheco_163
  Cirrus
  Jun 19, 2018
  Hi Jeff, The first part is not required. You can start it off with when BOTDEFENSE_ACTION {
- jba3126
  Cirrus
  Jun 19, 2018
  Dan, Thank you again for the response. I've applied this iRule to our Dev environment for testing and will share results. Last question :) Is the first part required where you capture the HTTP Request required for the BotDefense logging to work? They appear separate functions. Again thank you so much for taking the time to respond!
  
  /jeff
Erik_Novak
Employee
Apr 26, 2017
You need to assign a Logging Profile to the virtual server, and make sure you have enabled DoS Logging. Then you should see activity in Event Logs: DoS: Application Events
Matt_Dierick
Employee
Jan 24, 2017
PBD logs are not yet available. It will be implemented in v13.0.
PowerShellDon_1
Nimbostratus
Jan 28, 2016
A second, related question... can i customise the response somehow? Rather than just 'Please enable JavaScript to view the page content'
- Brandon_12607
  Nimbostratus
  Jul 07, 2017
  I am using v13.0 is there a folder in WINSCP i can find to the botdefense logs to download
nathe
Cirrocumulus
Jan 28, 2016
PowerShellDon,

On the Virtual Server do you have a Log Profile assigned to it, if not try with log all requests? I believe it is a requirement to capture these logs.

Rgds

N

Forum Discussion

ASM - Proactive Bot Defense - No Logs?

32 Replies

Recent Discussions

Viprion files on blades.

redirect not working

active/active Support Declarative Onboarding

Reliable resources for identifying IP addresses

minimum tmos software version for connect CIS (openshift)

Related Content

Proactive Bot Defense Using BIG-IP ASM

AppSec Made Easy: Proactive Bot Defense

Bot Management Strategy - Defense against malicious bots with F5 Distributed Cloud Bot Defense

Bot Defense for Mobile Apps in XC WAAP Part 1: The Bot Defense Mobile SDK

Proactive Bot Defense Bypass by Bot Signature