
Investigation/identification of WAF Parameter violations from archived F5 ASM security logs

Preet_pk
Nimbostratus

Hi,

 

In our environment, F5 ASM logs older than 2 hrs are getting cleared out. Some ASM support-ID event logs are also not getting saved/captured locally.

 

Kindly let me know how to figure out the parameter name, value & metacharacter from the archive logs below.

 

 

<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>3f2e5cb5c65bb-c003000000000000</block><alarm>403f2e5cb5c65bb-c003000000000000</alarm><learn>403f0e5cb5c65bb-c000000000000000</learn><staging>0-0</staging></violation_masks><request-violations><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>URL</enforcement_level><name>c2V0dGluZ3NQYW5lbDpvZmZpY2VTdHJlZXQ=</name><value>TFREIChFTk9DKSBMTEM=</value></parameter_data><staging>0</staging><language_type>4</language_type><metachar_index>40</metachar_index><metachar_index>41</metachar_index></violation></request-violations></BAD_MSG>

1 REPLY 1

samstep
MVP

settingsPanel:officeStreet=LTD (ENOC) LLC

 

The metacharacters causing the violation are the brackets ( and ) - ASCII code 40 & 41
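
The decoding done by hand in the reply above, as an added Python example that is not part of the original thread. It assumes, as the posted sample shows, that `<name>` and `<value>` are base64-encoded and that each `<metachar_index>` is a character code; the function names are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

# Violation XML copied from the post above (violation_masks omitted for brevity).
SAMPLE = (
    "<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations><violation>"
    "<viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name>"
    "<parameter_data><value_error/><enforcement_level>URL</enforcement_level>"
    "<name>c2V0dGluZ3NQYW5lbDpvZmZpY2VTdHJlZXQ=</name>"
    "<value>TFREIChFTk9DKSBMTEM=</value></parameter_data>"
    "<staging>0</staging><language_type>4</language_type>"
    "<metachar_index>40</metachar_index><metachar_index>41</metachar_index>"
    "</violation></request-violations></BAD_MSG>"
)


def _b64_text(parent, tag):
    """Return the base64-decoded text of parent/tag, or None if absent or empty."""
    node = parent.find(tag) if parent is not None else None
    if node is None or not (node.text or "").strip():
        return None
    raw = base64.b64decode(node.text.strip())
    # Decoded bytes are attacker-controlled request data; never assume valid UTF-8.
    return raw.decode("utf-8", errors="replace")


def decode_violations(xml_text):
    """Decode parameter name, value and metacharacters for each <violation>."""
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    out = []
    for viol in root.iter("violation"):
        pdata = viol.find("parameter_data")
        out.append({
            "violation": viol.findtext("viol_name"),
            "name": _b64_text(pdata, "name"),
            "value": _b64_text(pdata, "value"),
            # Per the reply above, metachar_index holds the character code.
            "metachars": [chr(int(m.text)) for m in viol.findall("metachar_index")],
        })
    return out


if __name__ == "__main__":
    for v in decode_violations(SAMPLE):
        # repr() keeps control characters in hostile values from reaching the terminal.
        print(v["violation"], repr(v["name"]), repr(v["value"]), v["metachars"])
```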