Forum Discussion

Preet_pk
Aug 22, 2021

Investigation/identification of WAF violations from archived F5 ASM security logs

Hi,

 

In our infrastructure, F5 ASM application events are available only for 2 hrs; logs older than 2 hrs are purged. Please let me know how to identify/investigate violations (e.g. an invalid metacharacter) from archived F5 ASM logs.

 

For example, how do I identify from the logs below which parameter's metacharacter is getting blocked?

 

<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>7300e85b1979c8-4003000000000000</block><alarm>7702e85b1979c8-4003000000000000</alarm><learn>7300e85b1979c8-4000000000000000</learn><staging>0-0</staging></violation_masks><request-violations><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>URL</enforcement_level><name>TE9BRF9QT1JU</name><value>QkVORUZJQ0lBUlknUyBXQVJFSE9VU0UgSU4gVUFFIEFORC9PUiBLVVdBSVQ=</value></parameter_data><staging>0</staging><language_type>4</language_type><metachar_index>39</metachar_index></violation><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>URL</enforcement_level><name>REVTVF9QT1JU</name><value>QVBQTElDQU5UJ1MgV0FSRUhPVVNFIElOIEFCVSBESEFCSQ==</value></parameter_data><staging>0</staging><language_type>4</language_type><metachar_index>39</metachar_index></violation></request-violations></BAD_MSG>

  • Hi Preet,

     

    I think I figured it out.

    <metachar_index>39</metachar_index>

    DECIMAL: 39

    BINARY: 0010 0111

    According to RFC 20 this should be an ' (apostrophe).

     

    Can you confirm?

     

    KR

    Daniel

     

  • Hi,

     

    Please let me know how you figured it out, can you help me with the steps to figure out the same.

    • I tried to find some way that the 39 made sense. I found K6998 and I exported one of my Security Policies to XML. There you will find something like:

            <metachar character="0x22">disallow</metachar>
            <metachar character="0x23">allow</metachar>
            <metachar character="0x24">allow</metachar>
            <metachar character="0x25">disallow</metachar>
            <metachar character="0x26">allow</metachar>
            <metachar character="0x27">allow</metachar>

      At position 39 you will find 0x27. Now I knew the HEX and DEC representation of the character.

      With this information I found the binary value and I could reverse it from the table in the RFC.

      I tried a couple of other values to verify that my assumption is correct.

  • Thanks for the above details. I also just want to know how to figure out the values below.

     

    <enforcement_level>URL</enforcement_level><name>REVTVF9QT1JU</name><value>QVBQTElDQU5UJ1MgV0FSRUhPVVNFIElOIEFCVSBESEFCSQ==</value>
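The two open questions in this thread (what `metachar_index` means, and what the `name`/`value` strings are) can both be answered with a few lines of code. The script below is an added example, not part of the original thread and not F5's own tooling. It parses the `BAD_MSG` XML posted above (copied verbatim from the post), decodes `name` and `value`, which ASM emits base64-encoded in this log format, and maps `metachar_index` to its character exactly as Daniel did (decimal byte value 39 is 0x27, the apostrophe). It then cross-checks that the reported metacharacter really occurs in the decoded value, so a mismatch would point at a mis-read index rather than a real hit. Function and variable names (`parse_bad_msg`, `decode_field`, `metachar_from_index`) are this example's own.

```python
import base64
import xml.etree.ElementTree as ET

# The BAD_MSG XML from the original post, copied verbatim (not constructed).
BAD_MSG = (
    "<?xml version='1.0' encoding='UTF-8'?><BAD_MSG>"
    "<violation_masks><block>7300e85b1979c8-4003000000000000</block>"
    "<alarm>7702e85b1979c8-4003000000000000</alarm>"
    "<learn>7300e85b1979c8-4000000000000000</learn><staging>0-0</staging></violation_masks>"
    "<request-violations>"
    "<violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name>"
    "<parameter_data><value_error/><enforcement_level>URL</enforcement_level>"
    "<name>TE9BRF9QT1JU</name>"
    "<value>QkVORUZJQ0lBUlknUyBXQVJFSE9VU0UgSU4gVUFFIEFORC9PUiBLVVdBSVQ=</value>"
    "</parameter_data><staging>0</staging><language_type>4</language_type>"
    "<metachar_index>39</metachar_index></violation>"
    "<violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name>"
    "<parameter_data><value_error/><enforcement_level>URL</enforcement_level>"
    "<name>REVTVF9QT1JU</name>"
    "<value>QVBQTElDQU5UJ1MgV0FSRUhPVVNFIElOIEFCVSBESEFCSQ==</value>"
    "</parameter_data><staging>0</staging><language_type>4</language_type>"
    "<metachar_index>39</metachar_index></violation>"
    "</request-violations></BAD_MSG>"
)


def decode_field(b64_text):
    """Decode a base64-encoded ASM parameter name or value.

    validate=True rejects anything that is not clean base64 instead of silently
    dropping characters; undecodable bytes are kept visible rather than replaced.
    """
    raw = base64.b64decode(b64_text, validate=True)
    return raw.decode("utf-8", errors="backslashreplace")


def metachar_from_index(index):
    """ASM reports the offending metacharacter as its decimal byte value.

    39 -> 0x27 -> "'" (matches the <metachar character="0x27"> entry in a policy export).
    """
    if not 0 <= index <= 255:
        raise ValueError(f"metachar_index out of byte range: {index}")
    return chr(index)


def parse_bad_msg(xml_text):
    """Return one dict per <violation> with the decoded, human-readable fields."""
    # Pass bytes so the XML declaration's encoding is honoured by the parser.
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "BAD_MSG":
        raise ValueError(f"expected <BAD_MSG>, got <{root.tag}>")

    findings = []
    for viol in root.iterfind("./request-violations/violation"):
        entry = {
            "viol_index": int(viol.findtext("viol_index")),
            "viol_name": viol.findtext("viol_name"),
        }
        pdata = viol.find("parameter_data")
        if pdata is not None:
            entry["enforcement_level"] = pdata.findtext("enforcement_level")
            # Decoded name/value are attacker-controlled request data: treat as untrusted.
            entry["name"] = decode_field(pdata.findtext("name", ""))
            entry["value"] = decode_field(pdata.findtext("value", ""))
        mc = viol.findtext("metachar_index")
        if mc is not None:
            ch = metachar_from_index(int(mc))
            entry["metachar"] = ch
            entry["metachar_hex"] = f"0x{int(mc):02x}"
            # Sanity check: the blocked character should be present in the decoded value.
            entry["metachar_in_value"] = ch in entry.get("value", "")
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in parse_bad_msg(BAD_MSG):
        print(f"{f['viol_name']} on {f['enforcement_level']} parameter {f['name']!r}: "
              f"metachar {f['metachar']!r} ({f['metachar_hex']}) "
              f"{'found' if f['metachar_in_value'] else 'NOT found'} in value {f['value']!r}")
```

For the posted message this yields parameters `LOAD_PORT` and `DEST_PORT`, both with values containing an apostrophe, which is consistent with `metachar_index` 39. Because ASM base64-encodes `name` and `value`, the XML wrapper itself cannot be broken by request content, but the decoded strings are still raw attacker input and should be escaped before being rendered anywhere; for bulk processing of archived logs from an untrusted source, parsing with `defusedxml` instead of the stock `xml.etree` is the safer choice.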