Forum Discussion

Marc_LeBeau
Oct 22, 2015

ASM - violation_details - Any documentation?

I'm looking for documentation on the violation_details XML output for 11.x. I'm trying to understand more about the individual messages. Below is an example. This is for signature 200007002, which I can see in the details, and the signature name is Directory Traversal attempt "/..%255c". When I check the ASM GUI I do see this string captured, and the violation details in the ASM GUI call it out highlighted all friendly-like. The violation details in the syslog give no indication of this. Because the logs are truncated in the GUI and the actual syslog, the user request portion does not have the attack either.

So some documentation would be helpful since each violation has a different core set of information. Violation_details is also listed in the manual as containing the full information, so it is confusing as to why the GUI would show the attack clear as day when selecting violation details, but the syslog instead contains values that look more like cookies; and no, it was not a session cookie or any parameter with a name matching the one below that was hit.

Thoughts? :D

 

42VIOL_ATTACK_SIGNATURErequest2000070026c2VsZWN0ZWRQcm92aWRlck5hbWU9MTEyMiZzZWxlY3RlZERhdGVSYW5nZT0yeWVhcnMmc3RhcnREYXRlPS8uLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiU=618

  • Looks like something truncated my log here too! I've replaced all forward slashes which end a tag with ~ and then I've replaced all open & close script tags with ( ), so we'll see if this works...

    (?xml version='1.0' encoding='UTF-8'?)(BAD_MSG)(request-violations)(violation)(viol_index)42(~viol_index)(viol_name)VIOL_ATTACK_SIGNATURE(~viol_name)(context)request(~context)(sig_data)(sig_id)200007002(~sig_id)(blocking_mask)6(~blocking_mask)(kw_data)(buffer)c2VsZWN0ZWRQcm92aWRlck5hbWU9MTEyMiZzZWxlY3RlZERhdGVSYW5nZT0yeWVhcnMmc3RhcnREYXRlPS8uLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiU=(~buffer)(offset)61(~offset)(length)8(~length)(~kw_data)(~sig_data)(~violation)(~request-violations)(~BAD_MSG)

  • The output in the buffer tag is base64 encoded....

    selectedProviderName=1122&selectedDateRange=2years&startDate=/..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%

    Here are some docs you may find useful with respect to remote logging:

    https://support.f5.com/kb/en-us/solutions/public/9000/400/sol9435.html

    https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-11-3-0/10.html
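Added example (not from the thread or from F5): a small Python parser for the violation_details XML posted above, with the (~tag) substitutions undone. It base64-decodes the kw_data buffer and uses offset/length to pull out the bytes the signature actually matched, and it pads base64 whose trailing '=' characters were lost to syslog truncation. It assumes offset is a 0-based byte offset into the decoded buffer; on this sample that yields exactly the signature keyword "/..%255c".

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the violation_details posted above with the (~tag)
# substitutions undone so it is well-formed XML again.
VIOLATION_DETAILS = (
    "<?xml version='1.0' encoding='UTF-8'?>"
    "<BAD_MSG><request-violations><violation>"
    "<viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name>"
    "<context>request</context><sig_data><sig_id>200007002</sig_id>"
    "<blocking_mask>6</blocking_mask><kw_data><buffer>"
    "c2VsZWN0ZWRQcm92aWRlck5hbWU9MTEyMiZzZWxlY3RlZERhdGVSYW5nZT0yeWVhcnMmc3RhcnREYXRlPS8u"
    "LiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiU="
    "</buffer><offset>61</offset><length>8</length></kw_data>"
    "</sig_data></violation></request-violations></BAD_MSG>"
)


def decode_buffer(b64: str) -> bytes:
    """Decode a kw_data <buffer>, tolerating padding lost to syslog truncation."""
    s = "".join(b64.split())          # some remote loggers wrap long lines
    if len(s) % 4 == 1:               # a lone trailing sextet cannot form a byte
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_violation_details(xml_text: str) -> list:
    """One dict per <violation>: metadata, the decoded buffer, and the bytes
    the signature keyword matched. Assumption: offset is a 0-based byte
    offset into the decoded buffer (holds for the sample above)."""
    records = []
    for viol in ET.fromstring(xml_text).iter("violation"):
        rec = {
            "index": viol.findtext("viol_index"),
            "name": viol.findtext("viol_name"),
            "context": viol.findtext("context"),
            "sig_id": viol.findtext("sig_data/sig_id"),
            "blocking_mask": viol.findtext("sig_data/blocking_mask"),
            "buffer": None,
            "matched": None,
        }
        kw = viol.find("sig_data/kw_data")
        if kw is not None and kw.findtext("buffer"):
            raw = decode_buffer(kw.findtext("buffer"))
            off, ln = int(kw.findtext("offset", "0")), int(kw.findtext("length", "0"))
            rec["buffer"] = raw.decode("utf-8", "replace")
            rec["matched"] = raw[off:off + ln].decode("utf-8", "replace")
        records.append(rec)
    return records
```

Running parse_violation_details(VIOLATION_DETAILS) reports the matched keyword as "/..%255c", which is the string the GUI highlights and the syslog line never shows in clear.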

     

  • Marc_LeBeau
    holy heck Batman you are freaking awesome! B64 makes sense too cuz it looked like somethin similar but it just wasn't clickin for me. You're a Rockstar Tim!
  • Alex_104543
    That really helped :) I was sieving through some raw logs & couldn't quite figure out the encoded violation details at first.