IBM Support

QRadar: Large number of 'Potential DoS Attack via Web Server Response Time' events seen in Log Activity from Anomaly Detection Engine Log Source

Troubleshooting


Problem

A large number of 'Potential DoS Attack via Web Server Response Time' events can be seen in Log Activity QRadar SIEM.

Cause

These events are generated by the Anomaly Detection Engine (ADE) Log Source. The events can be seen even when the Anomaly Detection Engine (ADE) Log Source has been disabled in the QRadar Console UI.

Diagnosing The Problem

To find out which Global Views have a data_type of SENTRY, run the following command:
psql -U qradar -c "select * from global_views where data_type='SENTRY' and deleted='f';"
 id | data_type | record_id | deleted | xml_data
----+-----------+-----------+---------+----------
  6 | SENTRY    |         2 | f       | <?xml version="1.0" encoding="UTF-8"?><com.q1labs.cve.sentry.VolumeAnomalySentry id="2" name="Potential DoS Attack via Web Server Response Time_Sentry" owner="user.name" counterTTL="21600000" severity="8" credibility="7" relevance="8" qid="6" category="11003" silenceThreshold="-Infinity" lastModificationTime="1643294400343" bigWin="21600" smallWin="1800" delta="0.4"><serializer class="com.q1labs.core.types.event.NormalizedEventProperties$DestinationIP"></serializer></com.q1labs.cve.sentry.VolumeAnomalySentry>
  8 | SENTRY    |         4 | f       | <?xml version="1.0" encoding="UTF-8"?><com.q1labs.cve.sentry.VolumeAnomalySentry id="4" name="Potential DoS Attack via Web Server Response Time_Sentry" owner="admin" counterTTL="21600000" severity="5" credibility="5" relevance="5" qid="4" category="11003" silenceThreshold="-Infinity" lastModificationTime="1645043039416" bigWin="21600" smallWin="1800" delta="0.4"><serializer class="com.q1labs.core.types.event.NormalizedEventProperties$DestinationIP"></serializer></com.q1labs.cve.sentry.VolumeAnomalySentry>
(2 rows)

Resolving The Problem

To resolve the issue, the Global Views that are returned from the previous command need to be marked as deleted in the database.
  1. To mark the Global Views as deleted, run the following commands (the id values 6 and 8 are the ones returned by the previous query; use the ids from your own output):
    psql -U qradar -c "update global_views set deleted='t' where id=6;"
    psql -U qradar -c "update global_views set deleted='t' where id=8;"
  2. For the changes to take effect, the tomcat and hostcontext services must be restarted in the following order:
    systemctl stop tomcat
    systemctl stop hostcontext

    systemctl start hostcontext
    systemctl start tomcat
Result: When the 'SENTRY' Global Views are set to deleted and the tomcat and hostcontext services have been restarted, the Anomaly Detection Engine (ADE) Log Source stops sending the 'Potential DoS Attack via Web Server Response Time' events.
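As an added example (not part of the IBM document), the following POSIX shell script automates the diagnosis and resolution steps above: it lists the ids of the active SENTRY Global Views, marks each one deleted, and restarts the services in the documented order. The helper function names and the --run flag are assumptions; the psql and systemctl commands are the ones the document gives, and the script only validates ids so that unexpected psql output cannot alter the update statement.

```shell
#!/bin/sh
# Added example, not IBM's own tooling. Run as root on the QRadar Console with
# "--run"; without it the helpers are defined but nothing touches the database.

# Query that lists the ids of SENTRY Global Views not yet marked deleted.
sentry_ids_query() {
    printf '%s' "select id from global_views where data_type='SENTRY' and deleted='f';"
}

# Update statement for one Global View id. Only a whole number is accepted,
# so a stray footer line or malformed value cannot change the SQL.
sentry_update_sql() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s' "update global_views set deleted='t' where id=$1;"
}

# Turn "psql -At" output (one id per line) into a space separated id list,
# silently dropping anything that is not a whole number.
parse_id_lines() {
    ids=""
    while IFS= read -r line || [ -n "$line" ]; do
        if sentry_update_sql "$line" >/dev/null 2>&1; then
            ids="${ids:+$ids }$line"
        fi
    done
    printf '%s' "$ids"
}

# Full procedure from the document: mark the views deleted, then restart
# tomcat and hostcontext in the documented order.
mark_sentry_views_deleted() {
    ids=$(psql -U qradar -At -c "$(sentry_ids_query)" | parse_id_lines)
    if [ -z "$ids" ]; then
        echo "no active SENTRY Global Views found"
        return 0
    fi
    for id in $ids; do
        psql -U qradar -c "$(sentry_update_sql "$id")"
    done
    systemctl stop tomcat
    systemctl stop hostcontext
    systemctl start hostcontext
    systemctl start tomcat
}

if [ "${1:-}" = "--run" ]; then
    mark_sentry_views_deleted
fi
```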


Document Information

Modified date:
15 May 2024

UID

ibm17151106