Forum Discussion

Preet_pk
Aug 31, 2021

Investigation/identification of WAF Parameter violations from archived F5 ASM security logs

Hi,

In our environment, F5 ASM logs older than 2 hrs are getting cleared out. Some ASM support-ID event logs are also not getting saved/captured locally.

Kindly let me know how to figure out the parameter name, value & metacharacter from the archive log below.

<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>3f2e5cb5c65bb-c003000000000000</block><alarm>403f2e5cb5c65bb-c003000000000000</alarm><learn>403f0e5cb5c65bb-c000000000000000</learn><staging>0-0</staging></violation_masks><request-violations><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>URL</enforcement_level><name>c2V0dGluZ3NQYW5lbDpvZmZpY2VTdHJlZXQ=</name><value>TFREIChFTk9DKSBMTEM=</value></parameter_data><staging>0</staging><language_type>4</language_type><metachar_index>40</metachar_index><metachar_index>41</metachar_index></violation></request-violations></BAD_MSG>

  • settingsPanel:officeStreet=LTD (ENOC) LLC

    The metacharacters causing the violation are the brackets ( and ) - ASCII codes 40 & 41
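
The decoding done by hand in the reply above can be scripted. This is an added example, not part of the original thread or of F5's tooling: it base64-decodes the `name` and `value` fields and reads each `metachar_index` as an ASCII code, as the reply states. The function name and output keys are assumptions; the sample is the `request-violations` part of the record posted above.

```python
import base64
import xml.etree.ElementTree as ET

# request-violations part of the archived record posted above
# (violation_masks left out; they are not needed for decoding).
SAMPLE = (
    b"<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations>"
    b"<violation><viol_index>24</viol_index>"
    b"<viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name>"
    b"<parameter_data><value_error/><enforcement_level>URL</enforcement_level>"
    b"<name>c2V0dGluZ3NQYW5lbDpvZmZpY2VTdHJlZXQ=</name>"
    b"<value>TFREIChFTk9DKSBMTEM=</value></parameter_data>"
    b"<staging>0</staging><language_type>4</language_type>"
    b"<metachar_index>40</metachar_index><metachar_index>41</metachar_index>"
    b"</violation></request-violations></BAD_MSG>"
)

def _b64(text):
    """Decode a base64 field; undecodable bytes stay visible as U+FFFD."""
    if not text:
        return ""
    return base64.b64decode(text).decode("utf-8", errors="replace")

def decode_violations(xml_bytes):
    """Return one dict per <violation> that carries <parameter_data>."""
    # The decoded fields are attacker-supplied request data: treat them as
    # untrusted text when printing or forwarding to other tools.
    root = ET.fromstring(xml_bytes)
    results = []
    for viol in root.iter("violation"):
        pdata = viol.find("parameter_data")
        if pdata is None:
            continue
        value = _b64(pdata.findtext("value"))
        codes = [int(m.text) for m in viol.findall("metachar_index")]
        results.append({
            "violation": viol.findtext("viol_name"),
            "level": pdata.findtext("enforcement_level"),
            "name": _b64(pdata.findtext("name")),
            "value": value,
            "metachars": [chr(c) for c in codes],
            # Offsets of the flagged characters inside the decoded value.
            "offsets": [i for i, ch in enumerate(value) if ord(ch) in codes],
        })
    return results

if __name__ == "__main__":
    for row in decode_violations(SAMPLE):
        print(row)
```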