Forum Discussion
Violation report has been truncated
Hello,
I have the problem that within a request many violations have been triggered, but I cannot see all of the violations concerned. The violations which I can see are already learned. Instead of some additional violations which are currently in enforcement mode, I see the message "Not all violation details were logged for this request due to the large number of violation details".
If I try to google the problem, I find only some entries telling me that I should change the "long_request_buffer_size". This variable has also been changed to the maximum of 30MB. Another entry forwards me to the following page "https://support.f5.com/kb/en-us/solutions/public/12000/000/sol12044.html"; unfortunately it does not help me.
How can I analyze which violation triggered the block!?
Regards seilemor
2 Replies
- Hannes_Rapp
Nimbostratus
Hello,
In the case of this request, it appears you have all the information you will need. The block was initiated because the HTTP status for the HTTP response from the backend server is 409. That is not permitted according to your policy settings, and ultimately that's the cause of the user request getting blocked.
If you click on Violations -> "Illegal HTTP status in response", you will probably see a "view details..." link to click on? If it is there, click on it, as it will present you the exact request and violation details. Try the same for your other violations - if the link is not there, you're out of luck.
To prevent the same from happening again in the future, I recommend tweaking your logging solution so that only one production violation (non-staging entity) will be logged per single request. There are admins out there that will disagree, but I personally do not care for all the violation details of a request that violated several rules. The ASM action will be the same as in the case of a single violation, and that's why the details of a single violation will suffice, unless you really want to apply a different action in case of multiple violations.
- seilemor_131269
Altostratus
Hey,
Can you explain to me how I can reconfigure my logging settings!?
If I click the violation "Illegal HTTP status in response" within the report, I only receive a little window in which I see that the response code 409 has triggered the violation. I've added the response code to the allowed response codes and have advised the user that he should recheck the page.