Troubleshooting
Problem
A large number of 'Potential DoS Attack via Web Server Response Time' events can be seen in the Log Activity tab of QRadar SIEM.
Cause
These events are generated by the Anomaly Detection Engine (ADE) Log Source. The events can be seen even when the Anomaly Detection Engine (ADE) Log Source has been disabled in the QRadar Console UI.
Diagnosing The Problem
To find out which Global Views have a data_type of SENTRY, run the following command.
psql -U qradar -c "select * from global_views where data_type='SENTRY' and deleted='f';"
id | data_type | record_id | deleted | xml_data
----+-----------+-----------+---------+----------
6 | SENTRY | 2 | f | <?xml version="1.0" encoding="UTF-8"?><com.q1labs.cve.sentry.VolumeAnomalySentry id="2" name="Potential DoS Attack via Web Server Response Time_Sentry" owner="user.name" counterTTL="21600000" severity="8" credibility="7" relevance="8" qid="6" category="11003" silenceThreshold="-Infinity" lastModificationTime="1643294400343" bigWin="21600" smallWin="1800" delta="0.4"><serializer class="com.q1labs.core.types.event.NormalizedEventProperties$DestinationIP"></serializer></com.q1labs.cve.sentry.VolumeAnomalySentry>
8 | SENTRY | 4 | f | <?xml version="1.0" encoding="UTF-8"?><com.q1labs.cve.sentry.VolumeAnomalySentry id="4" name="Potential DoS Attack via Web Server Response Time_Sentry" owner="admin" counterTTL="21600000" severity="5" credibility="5" relevance="5" qid="4" category="11003" silenceThreshold="-Infinity" lastModificationTime="1645043039416" bigWin="21600" smallWin="1800" delta="0.4"><serializer class="com.q1labs.core.types.event.NormalizedEventProperties$DestinationIP"></serializer></com.q1labs.cve.sentry.VolumeAnomalySentry>
(2 rows)
Resolving The Problem
To resolve the issue, the Global Views returned by the previous command must be marked as deleted in the database.
- To mark the Global Views as deleted, run the following commands (one per id returned by the query):
psql -U qradar -c "update global_views set deleted='t' where id=6;"
psql -U qradar -c "update global_views set deleted='t' where id=8;"
- For the changes to take effect, the tomcat and hostcontext services must be restarted in the following order:
systemctl stop tomcat
systemctl stop hostcontext
systemctl start hostcontext
systemctl start tomcat
Result: When the 'SENTRY' Global Views are set to deleted and the tomcat and hostcontext services have been restarted, the Anomaly Detection Engine (ADE) Log Source stops sending the 'Potential DoS Attack via Web Server Response Time' events.
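The diagnosis and resolution above hand-type one UPDATE per returned id, which is easy to get wrong when more than two SENTRY rows come back. The following script is an added example and is not part of the IBM technote or QRadar itself: it parses the output of the same SELECT (run with psql's real -A and -t switches, so rows come back unaligned and without headers) and generates the UPDATE statements for every non-deleted SENTRY row, so they can be reviewed before being applied. The embedded rows are a constructed sample that mirrors the two rows shown on the page with the XML abbreviated; the column list in the live query and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not IBM's code: derive the cleanup statements from the query
# output instead of typing each id by hand. Assumes psql is on the PATH and is
# run on the QRadar Console as the qradar database user, as on the page.

# Constructed sample of what the page's SELECT returns in psql's unaligned,
# tuples-only form (-A -t); the xml_data column is abbreviated. In real use the
# rows come from live_rows below.
SAMPLE_ROWS='6|SENTRY|2|f|<?xml version="1.0" encoding="UTF-8"?><com.q1labs.cve.sentry.VolumeAnomalySentry id="2" name="Potential DoS Attack via Web Server Response Time_Sentry" owner="user.name"></com.q1labs.cve.sentry.VolumeAnomalySentry>
8|SENTRY|4|f|<?xml version="1.0" encoding="UTF-8"?><com.q1labs.cve.sentry.VolumeAnomalySentry id="4" name="Potential DoS Attack via Web Server Response Time_Sentry" owner="admin"></com.q1labs.cve.sentry.VolumeAnomalySentry>'

# Fetch the live rows: the page's query with an explicit column order and
# unaligned, header-free output so the result can be parsed reliably.
live_rows() {
  psql -U qradar -A -t -c "select id,data_type,record_id,deleted,xml_data from global_views where data_type='SENTRY' and deleted='f';"
}

# Print the id of every row whose data_type is SENTRY and that is not yet
# marked deleted. Rows of any other type or already deleted are skipped, so
# the generated statements only ever touch the views the page describes.
sentry_ids() {
  printf '%s\n' "$1" | awk -F'|' '$2 == "SENTRY" && $4 == "f" { print $1 }'
}

# Print one UPDATE per id, marking that Global View deleted (same statement
# as the page, with the id filled in from the query output).
build_updates() {
  for id in $(sentry_ids "$1"); do
    printf "update global_views set deleted='t' where id=%s;\n" "$id"
  done
}

# Nothing is changed unless the generated statements are piped into psql, and
# the services still have to be restarted afterwards in the page's order
# (stop tomcat, stop hostcontext, start hostcontext, start tomcat).
# Usage on the Console:
#   rows=$(live_rows); build_updates "$rows"      # review the statements
#   build_updates "$rows" | psql -U qradar        # apply them
```

Keeping the review step separate from the apply step matters here because the rows are deleted by flag, not removed: a wrong id would silently hide a different Global View until someone noticed it was missing.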
Document Location
Worldwide
Document Information
Modified date:
15 May 2024
UID
ibm17151106