Forum Discussion
Attack type in ASM::violation_data always blank
Howdy.
With an iRule logging ASM events over HSL, we use ASM::violation_data on 10.2.4. The 5th field, attack type, is apparently ALWAYS blank.
If I just do a log local0. [ASM::violation_data] and spoof a directory traversal I can see...
Mar 5 10:58:57 local/tmm1 info tmm1[4923]: Rule hsl_logging_irule : VIOLATION_ATTACK_SIGNATURE_DETECTED 4316674533163547263 str_apache_class Informational 10.123.45.6 {} blocked
Any clues??
Thanks
Chris
2 Replies
- nathe
Cirrocumulus
Chris,
According to the wiki ASM::violation, that's not quite how this command works. It has multiple delimited fields. Hopefully the wiki will give you a steer on capturing the violation type.
Hope this helps,
N
- Chris_Phillips
Nimbostratus
I'm just dumping it out to prove a point; I'm comfortable using the data list in a more formal way. I just need to know why it's always empty and if this can be addressed, as I would, in line with the wiki, expect a raft of useful description tags to be in that field, but clearly it's empty.