How to create an Access Log that lists the IP address of sites being accessed.


Article ID: 168356

Products

ProxySG Software - SGOS

Issue/Introduction

This article assumes that another device has identified the ProxySG appliance as the source of an attack on a website. Further, the device gives the IP address of the destination, not the hostname. 
If the ProxySG appliance is using its IP address when accessing the Internet (that is, the Reflect Client IP option is not being used), the simplest way to identify the source IP address of an attack is to add the destination IP address to a copy of the main Access Log.  The modified Access Log will contain both the destination address being attacked and the client IP address that originated the requests to the destination. 
A copy of the main Access Log is being used so that Reporter can be run on the original main Access Log.  Reporter is sensitive to the format of the main Access Log being processed.  Adding the destination IP address to the format of the main Access Log (bcreportermain_v1) could cause Reporter to fail.

Cause

When the ProxySG appliance is using its address as the source IP address for accessing the Internet, an outside device has no way to identify the true source address when an attack on a website occurs. Modifying a copy of the main Access Log by adding the destination IP address will allow the log to identify both the true source and destination of all requests. The default format of the main Access Log contains the hostname of the destination, not the IP address.

Resolution

The steps to define the new Access Log follow:

Step 1: Define an Access Log format that contains the variables:
  s-supplier-name - Name of the site being accessed
  s-supplier-ip - IP address of the site being accessed
  1. Go to Configuration > Access Logging > Formats.
  2. Click New.
  3. Create a format called Attack_format.
  4. Click Apply.
  5. Click Edit/view.
  6. Change the format to the following string:
     date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-bluecoat-application-name x-bluecoat-application-operation s-supplier-name s-supplier-ip
  7. Click Apply.

Step 2: Create a log that has Attack_format as its format.
  1. Go to Configuration > Access Logging > Logs.
  2. Click New, and add a name such as attack_alog.
  3. In the pull-down, choose the format you created previously (Attack_format).
  4. Click Apply.

Step 3: Create policy that will write to the new log, attack_alog.
  1. In the VPM, create a new Web Access Layer.
  2. Add a rule with Source = any, Destination = any, Service = any, Time = any, Action > Modify access log.
  3. Choose Enable logging to attack_alog.
  4. Install the policy.

Step 4: Configure the upload client of the new log to be the FTP client.

Using the log attack_alog, you will be able to identify the source of an attack on a website.
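Once attack_alog has been uploaded, the remaining work is to search it for the destination IP the external device reported and read off the c-ip values on the matching lines. The script below does that for a log written in the Attack_format layout defined above. It is an added example, not code from this article or from the ProxySG product; the log lines it parses are constructed samples in that layout (29 space-separated fields, double-quoted values kept whole, "#" directive lines skipped), and the IP addresses and hostnames in them are made up.

```python
"""Correlate a reported destination IP with the internal clients that requested it,
using access-log lines in the Attack_format layout from the article.
Added example; SAMPLE_LOG is constructed, not real ProxySG output."""
from collections import Counter, defaultdict

# Field order exactly as in the Attack_format string (29 fields, last is s-supplier-ip).
ATTACK_FORMAT_FIELDS = (
    "date time time-taken c-ip cs-username cs-auth-group x-exception-id "
    "sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method "
    "rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query "
    "cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id "
    "x-bluecoat-application-name x-bluecoat-application-operation "
    "s-supplier-name s-supplier-ip"
).split()


def tokenize(line):
    """Split one log line on spaces, keeping double-quoted values
    (User-Agent, categories, ...) as single tokens; '""' yields an empty token."""
    tokens, buf, quoted, pending = [], [], False, False
    for ch in line.rstrip("\n"):
        if ch == '"':
            quoted = not quoted
            pending = True
        elif ch == " " and not quoted:
            if pending:
                tokens.append("".join(buf))
                buf, pending = [], False
        else:
            buf.append(ch)
            pending = True
    if pending:
        tokens.append("".join(buf))
    return tokens


def parse_attack_log(lines):
    """Yield one dict per request line. A '#Fields:' directive, if present,
    overrides the default field order; other '#' directives are skipped."""
    fields = ATTACK_FORMAT_FIELDS
    for line in lines:
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        tokens = tokenize(line)
        if len(tokens) != len(fields):
            continue  # truncated or foreign-format line: do not guess a field mapping
        yield dict(zip(fields, tokens))


def clients_for_destination(lines, dest_ip):
    """Return ({client_ip: request_count}, {client_ip: [supplier hostnames]}) for
    every client whose requests the proxy forwarded to dest_ip (s-supplier-ip)."""
    counts = Counter()
    hosts = defaultdict(set)
    for rec in parse_attack_log(lines):
        if rec.get("s-supplier-ip") == dest_ip:
            counts[rec["c-ip"]] += 1
            hosts[rec["c-ip"]].add(rec["s-supplier-name"])
    return dict(counts), {ip: sorted(h) for ip, h in hosts.items()}


# Constructed sample in Attack_format: two clients reach 203.0.113.7, one of them
# also reaches an unrelated address. Hostnames and addresses are placeholders.
SAMPLE_LOG = """\
#Software: SGOS (constructed sample, not a real capture)
#Fields: date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-bluecoat-application-name x-bluecoat-application-operation s-supplier-name s-supplier-ip
2024-05-01 10:15:02 120 10.1.2.55 - - - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS GET text/html http www.example.com 80 / - - "Mozilla/5.0 (Windows NT 10.0)" 192.0.2.10 1240 512 - "none" "none" www.example.com 203.0.113.7
2024-05-01 10:15:03 95 10.1.2.55 - - - OBSERVED "Technology/Internet" - 404 TCP_NC_MISS GET text/html http www.example.com 80 /admin - - "Mozilla/5.0 (Windows NT 10.0)" 192.0.2.10 310 498 - "none" "none" www.example.com 203.0.113.7
2024-05-01 10:15:04 88 10.1.2.99 - - - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS POST text/html http example.com 80 /login.php - php "curl/8.0" 192.0.2.10 650 1024 - "none" "none" example.com 203.0.113.7
2024-05-01 10:15:05 40 10.1.2.55 - - - OBSERVED "Search Engines" - 200 TCP_HIT GET text/html http www.other.example 80 / - - "Mozilla/5.0 (Windows NT 10.0)" 192.0.2.10 2048 400 - "none" "none" www.other.example 198.51.100.20
"""

if __name__ == "__main__":
    counts, hosts = clients_for_destination(SAMPLE_LOG.splitlines(), "203.0.113.7")
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} request(s) to {', '.join(hosts[ip])}")
```

Matching on s-supplier-ip rather than cs-host is the point of the added field: the external device reported an address, and several hostnames (or none, for a raw-IP request) can resolve to it. Lines whose field count does not match the header are skipped rather than mapped by guesswork, so a log that was truncated mid-upload cannot misattribute a request to the wrong client.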