Forum Discussion

Preet_pk's avatar
Preet_pk
Icon for Cirrus rankCirrus
Aug 22, 2021

Investigation/identification of WAF violations from archived F5 ASM security logs

Hi,   In our infrastructure, F5 ASM application events are available only for 2 hrs, logs which are older that 2 hrs is getting purged out. Please let me know how to identify/investigate violati...
application delivery
ASM Advanced WAF
Preet_pk's avatar
Preet_pk
Icon for Cirrus rankCirrus

Hi,

 

Please let me know how you figured it out, can you help me with the steps to figure out the same.

Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP
Aug 22, 2021

I tried to find some way that the 39 made sense. I found K6998 and I exported one of my Security Polices to XML. There you will find something like:

      <metachar character="0x22">disallow</metachar>
      <metachar character="0x23">allow</metachar>
      <metachar character="0x24">allow</metachar>
      <metachar character="0x25">disallow</metachar>
      <metachar character="0x26">allow</metachar>
      <metachar character="0x27">allow</metachar>

On position 39 you will find 0x27. Now I knew the HEX and DEC representation of the character.

With this information I found the binary value and I could reverse it from the table in the RFC.

I tried a couple of other values to verify that my assumption is correct.