Forum Discussion

Preet_pk's avatar
Preet_pk
Icon for Cirrus rankCirrus
Aug 31, 2021

Investigation/identification of WAF Parameter violations from archived F5 ASM security logs

Hi,

 

In our environment, F ASM logs older than 2hrs are getting cleared out. Some ASM support-ID event logs are also not getting saved/captured locally.

 

Kindly let me know how to figure out parameter name, value & metacharacter from below archive logs.

 

 

<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>3f2e5cb5c65bb-c003000000000000</block><alarm>403f2e5cb5c65bb-c003000000000000</alarm><learn>403f0e5cb5c65bb-c000000000000000</learn><staging>0-0</staging></violation_masks><request-violations><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>URL</enforcement_level><name>c2V0dGluZ3NQYW5lbDpvZmZpY2VTdHJlZXQ=</name><value>TFREIChFTk9DKSBMTEM=</value></parameter_data><staging>0</staging><language_type>4</language_type><metachar_index>40</metachar_index><metachar_index>41</metachar_index></violation></request-violations></BAD_MSG>

application delivery
ASM Advanced WAF

3 Replies

Sort By
  • ragunath154's avatar
    ragunath154
    Icon for Cirrostratus rankCirrostratus
    Aug 31, 2021

    for time being you can enable the Guranteed logging in the logging profile to log all illegal request, but caution is, it will fill the DISK very fast if you have huge request logs.

    other way like the way the BIGIQ and DCD logging.

  • Preet_pk's avatar
    Preet_pk
    Icon for Cirrus rankCirrus
    Sep 01, 2021

    Thanks for the response.

     

    But is there any option to figure out parameter name, value & metacharacter from above archived logs.

  • Daniel_Wolf's avatar
    Daniel_Wolf
    Icon for MVP rankMVP
    Sep 01, 2021

    Hi Preet.pkm

     

    Using Guarantee Logging will not help. When you store the logs locally, the logging utility may compete for system resources (this might be the case when you are under attack). Guarantee Logging setting ensures that the system logs the requests in this situation but may result in a performance reduction in high-volume traffic applications. However Guarantee Logging will not extend the time logs are stored locally.

     

    Second, I would recommend enable remote logging. With two hours of local logs, you will not go anyway for.

    Local logging is for analyzing what is going on right now. For forensics I recommend remote logging.

    Analyzing archived logs will not make you happy on the long run.

     

    KR

    Daniel