Forum Discussion

Akshay_SK's avatar
Akshay_SK
Icon for Nimbostratus rankNimbostratus
Jan 27, 2020
Solved

Sending HSL data in json format.

Just wanted to know if data can be sent via HSL in json format as below : HSL::send $hsl "{ "Attacker_IP":$remoteip, "Destination_IP":[IP::local_addr], "User-Agent":$useragent, "ISP":$isp, "Coun...
BIG-IP
hsl
iRules
security
  • Dario_Garrido's avatar
    Dario_Garrido
    Jan 29, 2020

    One example of how to configure this.

    1.- Configure iRule.

    when SERVER_CONNECTED {
    catch {
        set hsl [HSL::open -publisher /Common/HSL_PUB]
    }
    set timestamp  [clock clicks -milliseconds]
    set cs_client_ip [clientside {IP::remote_addr}]
    set cs_client_port [clientside {TCP::remote_port}]
    set cs_server_ip [clientside {IP::local_addr}]
    set cs_server_port [clientside {TCP::local_port}]
    set ss_client_ip [serverside {IP::local_addr}]
    set ss_client_port [serverside {TCP::local_port}]    
    set ss_server_ip [serverside {IP::remote_addr}]
    set ss_server_port [serverside {TCP::remote_port}]
 
    catch {
        HSL::send $hsl "{\"version\":\"1.1\",\"level\":\"6\",\"_stream_filter\":\"test\",\"_TIMESTAMP\":\"[clock clicks -milliseconds]\",\"_CLIENT\":\"[clientside {IP::remote_addr}]:[clientside {TCP::remote_port}]\",\"_VIP\":\"[clientside {IP::local_addr}]:[clientside {TCP::local_port}]\",\"_SNAT\":\"[serverside {IP::local_addr}]:[serverside {TCP::local_port}] \",\"_SERVER\":\"[serverside {IP::remote_addr}]:[serverside {TCP::remote_port}]\"}"
    }
}

    2.- Configure HSL_PUB

    sys log-config destination remote-high-speed-log HSL_SRV {
    pool-name P-WEB1_80
    protocol udp
}
sys log-config publisher HSL_PUB {
    destinations {
        HSL_SRV { }
    }
}

    3.- Apply iRule to the VS and generate traffic.

    ---

    After capturing traffic output, that's the result.

    13:13:09.553783 00:50:56:8f:8f:ec > 00:50:56:8f:ae:99, ethertype 802.1Q (0x8100), length 260: vlan 4094, p 0, ethertype IPv4, 10.130.40.41.47233 > 172.16.100.1.80: UDP, length 207 out slot1/tmm1 lis=
E....?@.....
.()..d....P..C.{"version":"1.1","level":"6","_stream_filter":"test","_TIMESTAMP":"1580299989553","_CLIENT":"10.130.41.41:54197","_VIP":"10.130.41.50:80","_SNAT":"10.130.40.41:54197 ","_SERVER":"172.16.100.2:80"}.......

    Let me know if this helps.

    KR,

    Dario.

Dario_Garrido's avatar
Dario_Garrido
Icon for MVP rankMVP
Jan 27, 2020

Hello Akshay

Sure, you can. Let try something like this:

HSL::send $hsl "{\"TIMESTAMP\":\"[clock clicks -milliseconds]\",\"CLIENT\":\"$client_ip\", ... }"

KR,

Dario.

  • Akshay_SK's avatar
    Akshay_SK
    Icon for Nimbostratus rankNimbostratus
    Jan 29, 2020

    The first option doesn't seem to be working.

    • Dario_Garrido's avatar
      Dario_Garrido
      Icon for MVP rankMVP
      Jan 29, 2020

      One example of how to configure this.

      1.- Configure iRule.

      when SERVER_CONNECTED {
    catch {
        set hsl [HSL::open -publisher /Common/HSL_PUB]
    }
    set timestamp  [clock clicks -milliseconds]
    set cs_client_ip [clientside {IP::remote_addr}]
    set cs_client_port [clientside {TCP::remote_port}]
    set cs_server_ip [clientside {IP::local_addr}]
    set cs_server_port [clientside {TCP::local_port}]
    set ss_client_ip [serverside {IP::local_addr}]
    set ss_client_port [serverside {TCP::local_port}]    
    set ss_server_ip [serverside {IP::remote_addr}]
    set ss_server_port [serverside {TCP::remote_port}]
 
    catch {
        HSL::send $hsl "{\"version\":\"1.1\",\"level\":\"6\",\"_stream_filter\":\"test\",\"_TIMESTAMP\":\"[clock clicks -milliseconds]\",\"_CLIENT\":\"[clientside {IP::remote_addr}]:[clientside {TCP::remote_port}]\",\"_VIP\":\"[clientside {IP::local_addr}]:[clientside {TCP::local_port}]\",\"_SNAT\":\"[serverside {IP::local_addr}]:[serverside {TCP::local_port}] \",\"_SERVER\":\"[serverside {IP::remote_addr}]:[serverside {TCP::remote_port}]\"}"
    }
}

      2.- Configure HSL_PUB

      sys log-config destination remote-high-speed-log HSL_SRV {
    pool-name P-WEB1_80
    protocol udp
}
sys log-config publisher HSL_PUB {
    destinations {
        HSL_SRV { }
    }
}

      3.- Apply iRule to the VS and generate traffic.

      ---

      After capturing traffic output, that's the result.

      13:13:09.553783 00:50:56:8f:8f:ec > 00:50:56:8f:ae:99, ethertype 802.1Q (0x8100), length 260: vlan 4094, p 0, ethertype IPv4, 10.130.40.41.47233 > 172.16.100.1.80: UDP, length 207 out slot1/tmm1 lis=
E....?@.....
.()..d....P..C.{"version":"1.1","level":"6","_stream_filter":"test","_TIMESTAMP":"1580299989553","_CLIENT":"10.130.41.41:54197","_VIP":"10.130.41.50:80","_SNAT":"10.130.40.41:54197 ","_SERVER":"172.16.100.2:80"}.......

      Let me know if this helps.

      KR,

      Dario.

  • Akshay_SK's avatar
    Akshay_SK
    Icon for Nimbostratus rankNimbostratus
    Feb 17, 2020

    This worked for me. Thanks Dario!

    • Dario_Garrido's avatar
      Dario_Garrido
      Icon for MVP rankMVP
      Feb 17, 2020

      Glad to hear this.

       

      Please, don't forget to mark the answer as "the best".

       

      KR,

      Dario.