
Investigation/identification of WAF Parameter violations from archived F5 ASM security logs

Preet_pk
Nimbostratus

Hi,

 

In our environment, F5 ASM logs older than 2 hrs are getting cleared out. Some ASM support-ID event logs are also not getting saved/captured locally.

 

Kindly let me know how to figure out the parameter name, value & metacharacter from the archived logs below.

 

 

<?xml version='1.0' encoding='UTF-8'?>
<BAD_MSG>
  <violation_masks>
    <block>3f2e5cb5c65bb-c003000000000000</block>
    <alarm>403f2e5cb5c65bb-c003000000000000</alarm>
    <learn>403f0e5cb5c65bb-c000000000000000</learn>
    <staging>0-0</staging>
  </violation_masks>
  <request-violations>
    <violation>
      <viol_index>24</viol_index>
      <viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name>
      <parameter_data>
        <value_error/>
        <enforcement_level>URL</enforcement_level>
        <name>c2V0dGluZ3NQYW5lbDpvZmZpY2VTdHJlZXQ=</name>
        <value>TFREIChFTk9DKSBMTEM=</value>
      </parameter_data>
      <staging>0</staging>
      <language_type>4</language_type>
      <metachar_index>40</metachar_index>
      <metachar_index>41</metachar_index>
    </violation>
  </request-violations>
</BAD_MSG>
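The record above can be decoded offline without any extra logging. The following is an added example (not from this thread or from F5): it parses a BAD_MSG record, base64-decodes the parameter name and value, and maps each metachar_index to a character. Two assumptions, both inferred from the sample rather than taken from F5 documentation: the <name> and <value> fields are base64, and metachar_index is the decimal ASCII code of the flagged character (40 and 41 are '(' and ')', which do occur in the decoded value).

```python
# Added example (not from the thread): decode parameter name/value and the
# flagged metacharacters from an archived F5 ASM BAD_MSG record.
# Assumptions (inferred from the posted sample, not from F5 documentation):
#   - <name> and <value> under <parameter_data> are base64-encoded
#   - <metachar_index> is the decimal ASCII code of the flagged character
import base64
import xml.etree.ElementTree as ET

# Constructed copy of the posted record, reduced to the relevant part.
SAMPLE_BAD_MSG = (
    "<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><request-violations>"
    "<violation><viol_index>24</viol_index>"
    "<viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name>"
    "<parameter_data><value_error/><enforcement_level>URL</enforcement_level>"
    "<name>c2V0dGluZ3NQYW5lbDpvZmZpY2VTdHJlZXQ=</name>"
    "<value>TFREIChFTk9DKSBMTEM=</value></parameter_data>"
    "<staging>0</staging><language_type>4</language_type>"
    "<metachar_index>40</metachar_index><metachar_index>41</metachar_index>"
    "</violation></request-violations></BAD_MSG>")

def _b64(text):
    """Decode a base64 field; fall back to the raw text if it is not valid base64."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except (ValueError, TypeError):
        return text

def decode_violations(bad_msg_xml):
    """Return one dict per <violation> with decoded parameter data and metachars."""
    root = ET.fromstring(bad_msg_xml.encode("utf-8"))
    results = []
    for viol in root.iter("violation"):
        pdata = viol.find("parameter_data")
        name = _b64(pdata.findtext("name", "")) if pdata is not None else ""
        value = _b64(pdata.findtext("value", "")) if pdata is not None else ""
        # Map each index to a character and check that it really occurs in the value,
        # so a wrong assumption about the index meaning shows up as in_value=False.
        metachars = []
        for idx in viol.findall("metachar_index"):
            code = int(idx.text)
            ch = chr(code)
            metachars.append({"code": code, "char": ch, "in_value": ch in value})
        results.append({"violation": viol.findtext("viol_name"),
                        "enforcement_level": pdata.findtext("enforcement_level")
                        if pdata is not None else None,
                        "name": name, "value": value, "metachars": metachars})
    return results

if __name__ == "__main__":
    for v in decode_violations(SAMPLE_BAD_MSG):
        print(v["violation"], v["name"], repr(v["value"]),
              [(m["code"], m["char"], m["in_value"]) for m in v["metachars"]])
```

Run it against the full archived record (violation_masks and all) and it reports settingsPanel:officeStreet, the value LTD (ENOC) LLC, and the parentheses as the flagged metacharacters.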

3 REPLIES

ragunath154
Cirrus

For the time being you can enable Guaranteed Logging in the logging profile to log all illegal requests, but be cautious: it will fill the disk very fast if you have a huge volume of request logs.

Another way is BIG-IQ and DCD logging.

Preet_pk
Nimbostratus

Thanks for the response.

 

But is there any option to figure out the parameter name, value & metacharacter from the above archived logs?

Hi Preet.pkm

 

Using Guarantee Logging will not help. When you store the logs locally, the logging utility may compete for system resources (this might be the case when you are under attack). The Guarantee Logging setting ensures that the system logs the requests in this situation, but it may result in a performance reduction in high-volume traffic applications. However, Guarantee Logging will not extend the time logs are stored locally.

 

Second, I would recommend enabling remote logging. With two hours of local logs, you will not get anywhere.

Local logging is for analyzing what is going on right now. For forensics I recommend remote logging.

Analyzing archived logs will not make you happy in the long run.

 

KR

Daniel