Forum Discussion

Preet_pk's avatar
Preet_pk
Icon for Cirrus rankCirrus
Aug 31, 2021

Investigation/identification of WAF Parameter violations from archived F5 ASM security logs

Hi,

 

In our environment, F ASM logs older than 2hrs are getting cleared out. Some ASM support-ID event logs are also not getting saved/captured locally.

 

Kindly let me know how to figure out parameter name, value & metacharacter from below archive logs.

 

 

<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>3f2e5cb5c65bb-c003000000000000</block><alarm>403f2e5cb5c65bb-c003000000000000</alarm><learn>403f0e5cb5c65bb-c000000000000000</learn><staging>0-0</staging></violation_masks><request-violations><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>URL</enforcement_level><name>c2V0dGluZ3NQYW5lbDpvZmZpY2VTdHJlZXQ=</name><value>TFREIChFTk9DKSBMTEM=</value></parameter_data><staging>0</staging><language_type>4</language_type><metachar_index>40</metachar_index><metachar_index>41</metachar_index></violation></request-violations></BAD_MSG>

  • for time being you can enable the Guranteed logging in the logging profile to log all illegal request, but caution is, it will fill the DISK very fast if you have huge request logs.

    other way like the way the BIGIQ and DCD logging.

  • Thanks for the response.

     

    But is there any option to figure out parameter name, value & metacharacter from above archived logs.

  • Hi Preet.pkm

     

    Using Guarantee Logging will not help. When you store the logs locally, the logging utility may compete for system resources (this might be the case when you are under attack). Guarantee Logging setting ensures that the system logs the requests in this situation but may result in a performance reduction in high-volume traffic applications. However Guarantee Logging will not extend the time logs are stored locally.

     

    Second, I would recommend enable remote logging. With two hours of local logs, you will not go anyway for.

    Local logging is for analyzing what is going on right now. For forensics I recommend remote logging.

    Analyzing archived logs will not make you happy on the long run.

     

    KR

    Daniel