Forum Discussion

Mike_Maher
Feb 05, 2013

ASM DoS Protection

I have started working with the DoS protection within the ASM Anomaly Detection; right now I have it set to Transparent mode to test the TPS limitation we have set on a few different applications. The protection in and of itself seems pretty straightforward. I am using TPS based upon IP and URL, and I do not have integrity checking turned on at this point.

I am, however, running into a few oddities that don't make sense to me.

1. I am seeing a lot of entries in reporting that show up with no IP or URL, only the following note in the entry:

Note: The system detected a short-lived attack from an IP address or against a URL, which ceased before the system was able to report the specific IP address or URL which triggered the attack.

This does not make sense to me, as I would expect that, since this protection is based upon the IP or URL, recording it should be a primary function of the protection. Also, in some cases I am seeing the start and end times be close to a full minute or more apart, so again there is no reason the system should not have had time to pull this information in.

Does anyone have any experience with this and know if there is anything I can do to make sure it shows me the address?

2. I am porting my logs to a syslog server and a SIEM device, and all of the DoS events are showing up as Emergency in both the syslog server and the SIEM logs. I cannot seem to find anywhere to adjust this so that the events are not Emergency.

I have a case open with support on both of these but thought I would see if anyone around here has any thoughts.

Mike
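
A quick check that helps with the second point: syslog severity is carried in the PRI prefix of each line (PRI = facility * 8 + severity, and Emergency is severity 0), so decoding the PRI on the raw lines tells you whether the BIG-IP is actually emitting severity 0 or whether the SIEM is labelling it that way. The script below is an added example written for this thread; it is not F5 code, it does not reproduce BIG-IP's real message format, and the sample lines, hostnames and message text are constructed. It assumes the device forwards standard `<PRI>`-prefixed syslog.

```python
"""Decode and re-tag the syslog PRI field of forwarded log lines.

Added example for this thread: not F5 code, and the sample lines below are
constructed (hypothetical hostname, timestamps and message text), not real
BIG-IP ASM output.
"""
import re

# Severity codes 0-7 (RFC 3164 / RFC 5424); list index == numeric value.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Facility codes 0-23; 13-15 are "log audit", "log alert", "clock daemon",
# and local0..local7 occupy 16-23.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
] + ["local%d" % i for i in range(8)]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(pri):
    """Split a PRI value into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)


def encode_pri(facility, severity):
    """Inverse of decode_pri."""
    return facility * 8 + severity


def parse_syslog_line(line):
    """Return facility/severity names and the message body of a '<PRI>...' line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no PRI prefix: %r" % line)
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {
        "pri": pri,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "message": line[m.end():],
    }


def rewrite_severity(line, new_severity):
    """Re-emit the line with the same facility but a different severity.

    This is the transformation a relay (rsyslog, syslog-ng) can apply when the
    sender cannot be reconfigured; the facility is kept so SIEM routing keyed
    on it is not disturbed.
    """
    parsed = parse_syslog_line(line)
    facility = FACILITIES.index(parsed["facility"])
    severity = SEVERITIES.index(new_severity)
    return "<%d>%s" % (encode_pri(facility, severity), parsed["message"])


def severity_histogram(lines):
    """Count lines per severity name: shows what the sender really emits."""
    counts = {}
    for line in lines:
        sev = parse_syslog_line(line)["severity"]
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample lines (hypothetical format and text, not BIG-IP output).
# local0.emerg = 16*8+0 = 128, local0.err = 131, local0.info = 134.
SAMPLE_LINES = [
    "<128>Feb  5 10:15:01 bigip1 ASM: DoS attack detected (example text)",
    "<128>Feb  5 10:15:33 bigip1 ASM: DoS attack ended (example text)",
    "<131>Feb  5 10:16:02 bigip1 ASM: policy violation (example text)",
    "<134>Feb  5 10:16:05 bigip1 ASM: informational event (example text)",
]

if __name__ == "__main__":
    print(severity_histogram(SAMPLE_LINES))
    for line in SAMPLE_LINES:
        if parse_syslog_line(line)["severity"] == "emerg":
            print(rewrite_severity(line, "warning"))
```

Run it against a capture of the real forwarded lines (a tcpdump of UDP/514 or the raw file the syslog server writes) rather than the constructed samples: if the PRI on the wire already decodes to severity 0, the device is setting Emergency and a relay-side rewrite like `rewrite_severity` is the workaround until the source can be changed; if the wire PRI is something else, the Emergency label is being applied by the SIEM's own mapping.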

3 Replies

  • One last thing: does anyone know if there is a way to get more information out of these events? For example, for an IP-based detection can I see which URLs are being hit, and for a URL-based detection I would like to see which IP addresses are hitting it.