For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Preet_pk's avatar
Preet_pk
Icon for Cirrus rankCirrus
Aug 22, 2021

Investigation/identification of WAF violations from archived F5 ASM security logs

Hi,   In our infrastructure, F5 ASM application events are available only for 2 hrs, logs which are older that 2 hrs is getting purged out. Please let me know how to identify/investigate violati...
application delivery
ASM Advanced WAF
Preet_pk's avatar
Preet_pk
Icon for Cirrus rankCirrus
Aug 22, 2021

Hi,

 

Please let me know how you figured it out, can you help me with the steps to figure out the same.

Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP
Aug 22, 2021

I tried to find some way that the 39 made sense. I found K6998 and I exported one of my Security Polices to XML. There you will find something like:

      <metachar character="0x22">disallow</metachar>
      <metachar character="0x23">allow</metachar>
      <metachar character="0x24">allow</metachar>
      <metachar character="0x25">disallow</metachar>
      <metachar character="0x26">allow</metachar>
      <metachar character="0x27">allow</metachar>

On position 39 you will find 0x27. Now I knew the HEX and DEC representation of the character.

With this information I found the binary value and I could reverse it from the table in the RFC.

I tried a couple of other values to verify that my assumption is correct.