Akamai WAF
David Edelman
dedelman at iname.com
Sun Oct 21 10:33:48 EDT 2018
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ah, the joys of Akamai WAF and True-Client-IP (instead of X-Forwarded-For)
Since this is a request header, it is going to be in the source user data and it will be encrypted for all https traffic between the Akamai edge and what Akamai calls the origin (your web server.) For http traffic, it will be available and you might want to try a simple experiment to verify its presence.
Change the ratop to plain ra and verify that you can see the request header. Make sure to change the duser:2048 to suser:2048 so that you are seeing the right buffer contents. It sometimes is easier to read if you add -M printer=hex to the command line argument string.
If you see the request header, I anticipate that you will for the http traffic, you can move to ratop (drop the -M printer=hex) and while it is running hit the ‘:’ to get the command line. I believe that if you type ‘s’ you will see the list of fields being displayed and the width arguments if any. You can edit these values and hit enter to enable the change. I’m not sure that the field widths are always transferred to ratop from the command line and I can’t test that where I am.
- --Dave
Dave Edelman
From: Argus-info <argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu> On Behalf Of Monah Baki
Sent: Thursday, October 18, 2018 9:09 AM
To: Eric Kinzie <eric at qosient.com>
Cc: Argus <argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] Akamai WAF
Hi Eric,
I bumped the ARGUS_CAPTURE_DATA_LEN value to 2048, so running ratop -S localhost:561 -s trans stime saddr:40 sport sco daddr dport dco suser duser:2048, I can't see the rest of the duser column, gets chopped off, probably displays 50 characters only (small monitor). Is there a way to overcome this?
Thanks
Monah
On Thu, Oct 18, 2018 at 8:47 AM Eric Kinzie <eric at qosient.com <mailto:eric at qosient.com> > wrote:
On October 17, 2018 12:47:43 PM EDT, Monah Baki <monahbaki at gmail.com <mailto:monahbaki at gmail.com> > wrote:
>Hi all,
>
>We are using akamai WAF services to protect our webserver. Currently
>running the latest argus/client on the webserver. When running ratop,
>the
>SrcAddr shows only the akamai IP
>(a23-212-3-119.deploy.static.akamaitechn*)
>hitting our webserver.
>Akamai confirmed True-Client-IP is enabled and we should be able to see
>the
>real IP in the request header. Can I get this info when using ratop?
>
>
>Trans StartTime SrcAddr
>Sport
>sCo DstAddr Dport dCo srcUdata
> dstUdata
> 14 12:42:39.209029 a23-212-3-119.deploy.static.akamaitechn*.49057
> US www.ntis.gov.https <http://www.ntis.gov.https> ZZ
>s[50]=............s~V-...Tl....x..`...<.#.4^.+..a ..+...
>d[50]=....Y...U..[.f...=...|.I....:.t..?..:Yc...& O.-G].
> 2 12:45:50.752456 a23-212-53-84.deploy.static.akamaitechn*.61219
> US www.ntis.gov.https <http://www.ntis.gov.https> ZZ
>s[50]=...........g.....E{.K.:S.4..4.e.F_..^.A."Rx o#Rr&3
>d[50]=....Q...M..[.g>.....*..... ....G.as.V..y..d o#Rr&3
>
>
>Thanks
>Monah
Since this value is in the http headers and, in this case, https is used you will not be able to see the address in the Argus user buffers. For non-encrypted http, set the ARGUS_CAPTURE_DATA_LEN to something large enough to get all of the http headers and then the duser column in ratop should show what you want.
-----BEGIN PGP SIGNATURE-----
iF0EARECAB0WIQQP+UHquEepll566aqXCCyZOY1FIQUCW8yOQgAKCRCXCCyZOY1F
IfgdAJ9kn76NjN9FMc8PsYulqX7s3Z5pFQCffeFLqP2zaRxGzCaortLyHrq5CDY=
=WPxX
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20181021/5d317e1c/attachment.html>
More information about the argus
mailing list