ASM - violation_details - Any documentation?
I'm looking for documentation on the violation_details XML output for 11.x. I'm trying to understand more about the individual messages. Below is an example. This is for signature 200007002, which I can see in the details, and the signature name is Directory Traversal attempt "/..%255c". When I check the ASM GUI I do see this string captured, and the violation details in the ASM GUI call it out highlighted all friendly-like. The violation details in the syslog give no indication of this. Because the logs are truncated in the GUI and the actual syslog, the user request portion does not have the attack either.
So some documentation would be helpful, since each violation has a different core set of information. Violation_details is also listed in the manual as containing the full information, so it is confusing why the GUI would show the attack clear as day when selecting violation details, but the syslog instead contains values that look more like cookies (and no, it was not a session cookie or any parameter with a name matching below that was hit).
Thoughts? :D
<?xml version='1.0' encoding='UTF-8'?>
<BAD_MSG>
  <request-violations>
    <violation>
      <viol_index>42</viol_index>
      <viol_name>VIOL_ATTACK_SIGNATURE</viol_name>
      <context>request</context>
      <sig_data>
        <sig_id>200007002</sig_id>
        <blocking_mask>6</blocking_mask>
        <kw_data>
          <buffer>c2VsZWN0ZWRQcm92aWRlck5hbWU9MTEyMiZzZWxlY3RlZERhdGVSYW5nZT0yeWVhcnMmc3RhcnREYXRlPS8uLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiU=</buffer>
          <offset>61</offset>
          <length>8</length>
        </kw_data>
      </sig_data>
    </violation>
  </request-violations>
</BAD_MSG>
- Marc_LeBeau (Nimbostratus)
Looks like something truncated my log here too! I've replaced all forward slashes which end a tag with ~ and then I've replaced all open & close script tags with ( ), so we'll see if this works... (?xml version='1.0' encoding='UTF-8'?)(BAD_MSG)(request-violations)(violation)(viol_index)42(~viol_index)(viol_name)VIOL_ATTACK_SIGNATURE(~viol_name)(context)request(~context)(sig_data)(sig_id)200007002(~sig_id)(blocking_mask)6(~blocking_mask)(kw_data)(buffer)c2VsZWN0ZWRQcm92aWRlck5hbWU9MTEyMiZzZWxlY3RlZERhdGVSYW5nZT0yeWVhcnMmc3RhcnREYXRlPS8uLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiU=(~buffer)(offset)61(~offset)(length)8(~length)(~kw_data)(~sig_data)(~violation)(~request-violations)(~BAD_MSG)
- Tim_K_92675 (Cirrostratus)
The output in the buffer tag is base64-encoded:
selectedProviderName=1122&selectedDateRange=2years&startDate=/..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%
Here are some docs you may find useful with respect to remote logging:
https://support.f5.com/kb/en-us/solutions/public/9000/400/sol9435.html
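To make Tim's decoding repeatable, here is an added example (not from this thread and not F5 code) that parses the violation_details posted above, base64-decodes the buffer element and uses offset/length to pull out the exact bytes the signature matched. The XML is reconstructed from Marc's post with the tag delimiters restored; treating offset and length as byte positions within the decoded buffer is an assumption, but it lines up with this sample (offset 61, length 8 lands precisely on the signature's "/..%255c" string).

```python
import base64
import xml.etree.ElementTree as ET

# Sample violation_details, constructed from the post above with the tag
# delimiters restored (the forum had mangled them). Tag names are ASM's own;
# the decoding logic below is an added example, not F5 code.
VIOLATION_DETAILS = (
    "<?xml version='1.0' encoding='UTF-8'?>"
    "<BAD_MSG><request-violations><violation>"
    "<viol_index>42</viol_index>"
    "<viol_name>VIOL_ATTACK_SIGNATURE</viol_name>"
    "<context>request</context>"
    "<sig_data><sig_id>200007002</sig_id><blocking_mask>6</blocking_mask>"
    "<kw_data><buffer>"
    "c2VsZWN0ZWRQcm92aWRlck5hbWU9MTEyMiZzZWxlY3RlZERhdGVSYW5nZT0yeWVhcnMm"
    "c3RhcnREYXRlPS8uLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMu"
    "LiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiU="
    "</buffer><offset>61</offset><length>8</length></kw_data>"
    "</sig_data></violation></request-violations></BAD_MSG>"
)


def decode_signature_hits(xml_text):
    """Return one dict per VIOL_ATTACK_SIGNATURE entry: signature id, decoded
    <buffer>, and the slice <offset>/<length> point at. Assumption (borne out
    by the sample): offset/length index the decoded bytes, not the base64."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    hits = []
    for viol in root.iter("violation"):
        if viol.findtext("viol_name") != "VIOL_ATTACK_SIGNATURE":
            continue
        for sig in viol.iter("sig_data"):
            kw = sig.find("kw_data")
            if kw is None:
                continue
            # b64decode discards the line wrapping a remote logger may add.
            raw = base64.b64decode(kw.findtext("buffer", ""))
            start = int(kw.findtext("offset", "0"))
            end = start + int(kw.findtext("length", "0"))
            hits.append({
                "sig_id": sig.findtext("sig_id"),
                "buffer": raw.decode("utf-8", "replace"),
                "matched": raw[start:end].decode("utf-8", "replace"),
            })
    return hits


if __name__ == "__main__":
    for hit in decode_signature_hits(VIOLATION_DETAILS):
        print(hit["sig_id"], "matched", repr(hit["matched"]), "in", hit["buffer"])
```

The decoded buffer is the query string Tim posted, and the matched slice is the keyword the signature fired on, which is what the GUI highlights and the raw syslog line never shows in the clear.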
- Marc_LeBeau (Nimbostratus)
Holy heck, Batman, you are freaking awesome! B64 makes sense too cuz it looked like something similar but it just wasn't clicking for me. You're a rockstar, Tim!
- Alex_104543 (Cirrus)
That really helped :) I was sifting through some raw logs & couldn't quite figure out the encoded violation details at first.