F5Networks / f5-cloud-iapps

iApps specific to BIG-IPs in cloud environments

Documentation: Azure OMS examples #3

Closed chen23 closed 6 years ago

chen23 commented 6 years ago

Having some rudimentary examples of searches in OMS would be helpful.

AFM:

Type=F5CustomLog_CL device_product_s="Advanced Firewall Module"|select time_s,source_ip_s,dest_ip_s,action_s

CSV output

"time_s","source_ip_s","dest_ip_s","action_s"
"Tue, 02 Jan 2018 22:22:52 GMT","xxx.xxx.xxx.xxx","192.168.4.7","Accept"
"Tue, 02 Jan 2018 22:20:09 GMT","xxx.xxx.xxx.xxx","192.168.4.7","Accept"
"Tue, 02 Jan 2018 22:20:09 GMT","xxx.xxx.xxx.xxx","192.168.4.7","Accept"
"Tue, 02 Jan 2018 22:20:09 GMT","xxx.xxx.xxx.xxx","192.168.4.7","Accept"

ASM:

Type=F5CustomLog_CL logSource_s=ASM|select ip_client_s,date_time_s,method_s,uri_s,violation_rating_s,violations_s,request_s,request_status_s

CSV output

"ip_client_s","date_time_s","method_s","uri_s","violation_rating_s","violations_s","request_s","request_status_s"
"xxx.xxx.xxx.xxx","2018-01-02 22:22:51","GET","/headers/","4","HTTP protocol compliance failed","GET /headers/ HTTP/1.1
host: cat /etc/passwd
User-Agent: curl/7.47.0
Accept: */*

","blocked"
"xxx.xxx.xxx.xxx","2018-01-02 22:20:10","HEAD","/headers/","0",,"HEAD /headers/ HTTP/1.1
Host: yyy.yyy.yyy.yyy:8443
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Accept: */*
Referer: https://yyy.yyy.yyy.yyy:8443/headers/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: TS0116e72d=013c0491b843f2e13a48e2003dda63a046c38878c180e24eaa0fc197baae71dbf5e0a0f49f3190caa10b2044e53df2cf4eb0dc202b

","passed"
"xxx.xxx.xxx.xxx","2018-01-02 22:20:10","GET","/favicon.ico","0",,"GET /favicon.ico HTTP/1.1
Host: yyy.yyy.yyy.yyy:8443
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: https://yyy.yyy.yyy.yyy:8443/headers/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: TS0116e72d=013c0491b843f2e13a48e2003dda63a046c38878c180e24eaa0fc197baae71dbf5e0a0f49f3190caa10b2044e53df2cf4eb0dc202b

","passed"
"xxx.xxx.xxx.xxx","2018-01-02 22:20:09","GET","/css/bootstrap.min.css","0",,"GET /css/bootstrap.min.css HTTP/1.1
Host: yyy.yyy.yyy.yyy:8443
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Accept: text/css,*/*;q=0.1
Referer: https://yyy.yyy.yyy.yyy:8443/headers/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: TS0116e72d=013c0491b843f2e13a48e2003dda63a046c38878c180e24eaa0fc197baae71dbf5e0a0f49f3190caa10b2044e53df2cf4eb0dc202b

","passed"
"xxx.xxx.xxx.xxx","2018-01-02 22:20:09","GET","/css/f5demo.css","0",,"GET /css/f5demo.css HTTP/1.1
Host: yyy.yyy.yyy.yyy:8443
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Accept: text/css,*/*;q=0.1
Referer: https://yyy.yyy.yyy.yyy:8443/headers/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: TS0116e72d=013c0491b843f2e13a48e2003dda63a046c38878c180e24eaa0fc197baae71dbf5e0a0f49f3190caa10b2044e53df2cf4eb0dc202b

","passed"
"xxx.xxx.xxx.xxx","2018-01-02 22:20:09","GET","/css/f5footer.scss","0",,"GET /css/f5footer.scss HTTP/1.1
Host: yyy.yyy.yyy.yyy:8443
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Accept: text/css,*/*;q=0.1
Referer: https://yyy.yyy.yyy.yyy:8443/headers/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: TS0116e72d=013c0491b843f2e13a48e2003dda63a046c38878c180e24eaa0fc197baae71dbf5e0a0f49f3190caa10b2044e53df2cf4eb0dc202b

","passed"
"xxx.xxx.xxx.xxx","2018-01-02 22:20:09","GET","/css/f5header.scss","0",,"GET /css/f5header.scss HTTP/1.1
Host: yyy.yyy.yyy.yyy:8443
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Accept: text/css,*/*;q=0.1
Referer: https://yyy.yyy.yyy.yyy:8443/headers/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: TS0116e72d=013c0491b843f2e13a48e2003dda63a046c38878c180e24eaa0fc197baae71dbf5e0a0f49f3190caa10b2044e53df2cf4eb0dc202b

","passed"
"xxx.xxx.xxx.xxx","2018-01-02 22:20:09","GET","/headers/","0",,"GET /headers/ HTTP/1.1
Host: yyy.yyy.yyy.yyy:8443
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://yyy.yyy.yyy.yyy:8443/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

","passed"
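The ASM export above is awkward to grep because the request_s field holds the raw HTTP request and spans several lines. The following is an added example, not code from the f5-cloud-iapps project: it parses a constructed CSV in the same shape with Python's csv module, then summarizes statuses and pulls out the records an analyst would review (the sample addresses, the header lookup and the rating threshold are assumptions).

```python
import csv
import io
from collections import Counter

# Constructed sample shaped like the OMS CSV export of the ASM query
# (Type=F5CustomLog_CL logSource_s=ASM | select ...). Addresses are
# documentation ranges, not real hosts; request_s spans multiple lines.
SAMPLE_CSV = '''"ip_client_s","date_time_s","method_s","uri_s","violation_rating_s","violations_s","request_s","request_status_s"
"198.51.100.10","2018-01-02 22:22:51","GET","/headers/","4","HTTP protocol compliance failed","GET /headers/ HTTP/1.1
host: example
User-Agent: curl/7.47.0
Accept: */*

","blocked"
"198.51.100.11","2018-01-02 22:20:10","HEAD","/headers/","0",,"HEAD /headers/ HTTP/1.1
Host: 203.0.113.5:8443
Connection: keep-alive

","passed"
"198.51.100.10","2018-01-02 22:20:09","GET","/css/f5demo.css","0",,"GET /css/f5demo.css HTTP/1.1
Host: 203.0.113.5:8443

","passed"
'''


def parse_asm_export(text):
    """Parse the export; csv.DictReader reassembles quoted multi-line fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        # Ratings arrive as strings; an empty violations_s means no violation.
        row["violation_rating"] = int(row["violation_rating_s"] or 0)
        row["request_lines"] = [l for l in row["request_s"].splitlines() if l]
    return rows


def header(row, name):
    """Case-insensitive lookup of a request header (e.g. the 'host:' seen above)."""
    prefix = name.lower() + ":"
    for line in row["request_lines"][1:]:
        if line.lower().startswith(prefix):
            return line.split(":", 1)[1].strip()
    return None


def summarize(rows, min_rating=3):
    """Count statuses, count blocks per client, and list records to review:
    anything blocked, or passed with violation_rating >= min_rating (assumed)."""
    status = Counter(r["request_status_s"] for r in rows)
    blocked = Counter(r["ip_client_s"] for r in rows if r["request_status_s"] == "blocked")
    review = [r for r in rows
              if r["request_status_s"] == "blocked" or r["violation_rating"] >= min_rating]
    return {"status": dict(status), "blocked_by_client": dict(blocked), "review": review}
```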
jsevedge commented 6 years ago

@chen23 Agreed, I already have this on my list of things to get documented and/or tackle as this becomes a more mature solution. Thanks for the feedback.

jsevedge commented 6 years ago

Some base examples have been added to the just-released version v1.3.0. As of now no additional examples are planned.