Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Investigation/identification of WAF Parameter violations from archived F5 ASM security logs

Preet_pk
Altostratus
Altostratus

‎31-Aug-2021 04:27

Hi,

 

In our environment, F ASM logs older than 2hrs are getting cleared out. Some ASM support-ID event logs are also not getting saved/captured locally.

 

Kindly let me know how to figure out parameter name, value & metacharacter from below archive logs.

 

 

<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>3f2e5cb5c65bb-c003000000000000</block><alarm>403f2e5cb5c65bb-c003000000000000</alarm><learn>403f0e5cb5c65bb-c000000000000000</learn><staging>0-0</staging></violation_masks><request-violations><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>URL</enforcement_level><name>c2V0dGluZ3NQYW5lbDpvZmZpY2VTdHJlZXQ=</name><value>TFREIChFTk9DKSBMTEM=</value></parameter_data><staging>0</staging><language_type>4</language_type><metachar_index>40</metachar_index><metachar_index>41</metachar_index></violation></request-violations></BAD_MSG>

Labels:
0 Kudos
3 REPLIES 3

ragunath154
Cirrostratus
Cirrostratus

‎31-Aug-2021 06:24

for time being you can enable the Guranteed logging in the logging profile to log all illegal request, but caution is, it will fill the DISK very fast if you have huge request logs.

other way like the way the BIGIQ and DCD logging.

0 Kudos

Preet_pk
Altostratus
Altostratus

‎31-Aug-2021 23:19

Thanks for the response.

 

But is there any option to figure out parameter name, value & metacharacter from above archived logs.

0 Kudos

Daniel_Wolf
MVP
MVP

‎01-Sep-2021 02:33

Hi Preet.pkm

 

Using Guarantee Logging will not help. When you store the logs locally, the logging utility may compete for system resources (this might be the case when you are under attack). Guarantee Logging setting ensures that the system logs the requests in this situation but may result in a performance reduction in high-volume traffic applications. However Guarantee Logging will not extend the time logs are stored locally.

 

Second, I would recommend enable remote logging. With two hours of local logs, you will not go anyway for.

Local logging is for analyzing what is going on right now. For forensics I recommend remote logging.

Analyzing archived logs will not make you happy on the long run.

 

KR

Daniel

0 Kudos
Copyright © 2023 Khoros, LLC