Forum Discussion

Abdessamad_851
Nov 12, 2018

ASM L7DOS snmp traps

Dear,

Do you know of any known issue about l7ddos snmp traps? For some reason they are not sent at all.

The log entry in /var/log/dosl7/dosl7d.log is indeed present, but no snmp trap is sent.

I checked the definition in the alertd config files and it looks like it is looking for a specific log entry in order to send the trap:

alert.conf

alert BIGIP_TS_TS_DOS_ATTACK_DETECTED_ERR {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.91";
}

bigip_ts_error_maps.h

3 LOG_ERR       01310046 BIGIP_TS_TS_DOS_ATTACK_DETECTED_ERR "[SECEV] DoS attack: %s. HTTP classifier: %s, Operation mode: %s"

But the problem is that when testing an l7ddos, no log entry can be found in /var/log/asm; there are only logs in /var/log/dosl7/dosl7d.log.

And it looks like alertd does not process the latter file (K14397).

My client is running version 11.5.4

Thanks in advance for your assistance.

Abdessamad
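As an added illustration of the alertd matching the post describes (this is my own example, not alertd's code or anything from F5), the script below parses the two fragments quoted above, turns the error-map format string into a pattern, and fires the trap OID only for a syslog line carrying that exact message. The sample log lines are constructed; the ASM one assumes the usual "message id:level: text" layout, and the dosl7d one stands in for a line that never reaches syslog at all.

```python
import re

# Constructed copies of the two fragments quoted in the post.
ALERT_CONF = '''
alert BIGIP_TS_TS_DOS_ATTACK_DETECTED_ERR {
        snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.91";
}
'''
ERROR_MAPS = '''
3 LOG_ERR       01310046 BIGIP_TS_TS_DOS_ATTACK_DETECTED_ERR "[SECEV] DoS attack: %s. HTTP classifier: %s, Operation mode: %s"
'''

# Constructed sample lines (assumed formats, not captured from a device).
SAMPLE_ASM_LINE = ("Nov 12 10:00:01 bigip1 notice asm[1234]: 01310046:3: [SECEV] DoS attack: "
                   "Latency increased. HTTP classifier: /Common/vs_web, Operation mode: Blocking")
SAMPLE_DOSL7D_LINE = "2018-11-12 10:00:01 dosl7d: attack detected on /Common/vs_web (latency)"

def parse_alert_conf(text):
    """Map alert name -> trap OID from alert.conf-style blocks."""
    pat = re.compile(r'alert\s+(\w+)\s*\{[^}]*?snmptrap\s+OID="([\d.]+)"', re.S)
    return {name: oid for name, oid in pat.findall(text)}

def parse_error_maps(text):
    """Map alert name -> (message id, compiled regex) from error-map lines."""
    result = {}
    line_pat = re.compile(r'^\s*\d+\s+LOG_\w+\s+([0-9a-fA-F]+)\s+(\w+)\s+"(.*)"\s*$')
    for line in text.splitlines():
        m = line_pat.match(line)
        if not m:
            continue
        msg_id, name, fmt = m.groups()
        # printf format -> regex: literals are escaped, each %s becomes a capture group
        regex = ''.join('(.+?)' if p == '%s' else re.escape(p)
                        for p in re.split(r'(%s)', fmt))
        result[name] = (msg_id, re.compile(regex + r'$'))
    return result

def traps_for_log_line(line, alerts, maps):
    """Return [(alert name, OID, captured fields)] for one syslog line."""
    hits = []
    for name, (msg_id, rx) in maps.items():
        if name not in alerts:
            continue  # message known, but no snmptrap action configured for it
        m = rx.search(line)
        if m:
            hits.append((name, alerts[name], m.groups()))
    return hits

if __name__ == "__main__":
    alerts, maps = parse_alert_conf(ALERT_CONF), parse_error_maps(ERROR_MAPS)
    print(traps_for_log_line(SAMPLE_ASM_LINE, alerts, maps))     # one trap
    print(traps_for_log_line(SAMPLE_DOSL7D_LINE, alerts, maps))  # []
```

The dosl7d-style line produces nothing even if it were fed in, which is the practical point: only the exact [SECEV] message arriving through syslog can trigger OID .1.3.6.1.4.1.3375.2.4.0.91.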

2 Replies

  • Small update as we got some feedback from F5 support:


    "Since messages generated by the dosl7d process are not processed by the alertd SNMP process there is no possible workaround, this functionality needs to be hard coded. Currently the only option to be notified of a DOS attack is by an external logging device."


    "SNMP traps rely on the syslog facility; however, the dosl7d daemon writes directly to its log file rather than using syslog facilities, which means that the messages it issues do not pass through the syslog pipe that is the source for almost everything in the syslog-ng configuration. As a result, the alertd daemon can't see the dosl7d messages either and therefore is unable to act on them and trigger SNMP traps.


    Our solution article below about custom scripts based on a syslog message also makes reference to this: https://


    Messages generated by the dosl7d process in BIG-IP ASM 11.3.0 and later are not processed by the alertd SNMP process. Layer 7 (L7) denial of service (DoS) messages, therefore, cannot be used for triggering commands or custom scripts.


    A Request For Enhancement (ID486827) was raised to make it possible to configure a syslog destination for dosl7 messages (which should also help resolve the issue with trap messages). This functionality is expected to become available in future public releases only. Product Development does not yet have any definite details for these releases."