Investigation/identification of WAF violations from archived F5 ASM security logs

Preet_pk
Altostratus

Hi,


In our infrastructure, F5 ASM application events are available only for 2 hrs; logs older than 2 hrs are purged. Please let me know how to identify/investigate violations (e.g. invalid metacharacter) from archived F5 ASM logs.


For example, how do I identify from the logs below which parameter's metacharacter is getting blocked?


<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>7300e85b1979c8-4003000000000000</block><alarm>7702e85b1979c8-4003000000000000</alarm><learn>7300e85b1979c8-4000000000000000</learn><staging>0-0</staging></violation_masks><request-violations><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>URL</enforcement_level><name>TE9BRF9QT1JU</name><value>QkVORUZJQ0lBUlknUyBXQVJFSE9VU0UgSU4gVUFFIEFORC9PUiBLVVdBSVQ=</value></parameter_data><staging>0</staging><language_type>4</language_type><metachar_index>39</metachar_index></violation><violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name><parameter_data><value_error/><enforcement_level>URL</enforcement_level><name>REVTVF9QT1JU</name><value>QVBQTElDQU5UJ1MgV0FSRUhPVVNFIElOIEFCVSBESEFCSQ==</value></parameter_data><staging>0</staging><language_type>4</language_type><metachar_index>39</metachar_index></violation></request-violations></BAD_MSG>


Hi Preet,


I think I figured it out.

<metachar_index>39</metachar_index>

DECIMAL: 39

BINARY: 0010 0111

According to RFC 20 this should be an ' (apostrophe).


Can you confirm?


KR

Daniel


Preet_pk
Altostratus

Hi,


Please let me know how you figured it out; can you help me with the steps to do the same?

I tried to find some way that the 39 made sense. I found K6998 and I exported one of my Security Policies to XML. There you will find something like:

      <metachar character="0x22">disallow</metachar>
      <metachar character="0x23">allow</metachar>
      <metachar character="0x24">allow</metachar>
      <metachar character="0x25">disallow</metachar>
      <metachar character="0x26">allow</metachar>
      <metachar character="0x27">allow</metachar>

On position 39 you will find 0x27. Now I knew the HEX and DEC representation of the character.

With this information I found the binary value and I could reverse it from the table in the RFC.

I tried a couple of other values to verify that my assumption is correct.

Preet_pk
Altostratus

Thanks for the above details. I also just want to know how to figure out the values below.


<enforcement_level>URL</enforcement_level><name>REVTVF9QT1JU</name><value>QVBQTElDQU5UJ1MgV0FSRUhPVVNFIElOIEFCVSBESEFCSQ==</value>
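Added example (not F5's code and not from any of the posts in this thread): a small Python script that parses the BAD_MSG record quoted in the question and answers both open points at once, so the same check can be run over archived log lines without the ASM GUI. It applies Daniel's reading of metachar_index as the decimal character code (39 = 0x27 = apostrophe) and assumes that the name and value elements are base64 encoded, which the sample bears out (they decode to readable parameter names and text). The policy-export fragment is the one Daniel quoted, wrapped in a root element so it parses on its own; 0x27 is "allow" there because that export comes from his policy, not from the policy that logged the block.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the <BAD_MSG> record quoted in the question, unchanged.
SAMPLE_BAD_MSG = (
    "<?xml version='1.0' encoding='UTF-8'?><BAD_MSG>"
    "<violation_masks><block>7300e85b1979c8-4003000000000000</block>"
    "<alarm>7702e85b1979c8-4003000000000000</alarm>"
    "<learn>7300e85b1979c8-4000000000000000</learn><staging>0-0</staging></violation_masks>"
    "<request-violations>"
    "<violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name>"
    "<parameter_data><value_error/><enforcement_level>URL</enforcement_level>"
    "<name>TE9BRF9QT1JU</name>"
    "<value>QkVORUZJQ0lBUlknUyBXQVJFSE9VU0UgSU4gVUFFIEFORC9PUiBLVVdBSVQ=</value></parameter_data>"
    "<staging>0</staging><language_type>4</language_type><metachar_index>39</metachar_index></violation>"
    "<violation><viol_index>24</viol_index><viol_name>VIOL_PARAMETER_VALUE_METACHAR</viol_name>"
    "<parameter_data><value_error/><enforcement_level>URL</enforcement_level>"
    "<name>REVTVF9QT1JU</name>"
    "<value>QVBQTElDQU5UJ1MgV0FSRUhPVVNFIElOIEFCVSBESEFCSQ==</value></parameter_data>"
    "<staging>0</staging><language_type>4</language_type><metachar_index>39</metachar_index></violation>"
    "</request-violations></BAD_MSG>"
)

# Constructed sample: the <metachar> lines Daniel quoted from his own policy export,
# wrapped in a root element. 0x27 is "allow" here because this is a different policy
# from the one that produced the blocked request above.
POLICY_EXPORT = """<metachars>
  <metachar character="0x22">disallow</metachar>
  <metachar character="0x23">allow</metachar>
  <metachar character="0x24">allow</metachar>
  <metachar character="0x25">disallow</metachar>
  <metachar character="0x26">allow</metachar>
  <metachar character="0x27">allow</metachar>
</metachars>"""


def b64_text(elem):
    """Decode a base64-encoded log field to text (empty string if the element is absent)."""
    if elem is None or not elem.text:
        return ""
    return base64.b64decode(elem.text).decode("utf-8", errors="replace")


def metachar_from_index(index):
    """Read metachar_index as a decimal character code: 39 -> 0x27 -> apostrophe."""
    code = int(index)
    return code, "0x%02x" % code, chr(code)


def policy_metachar_settings(policy_xml):
    """Map character code -> 'allow'/'disallow' from a policy export's <metachar> elements."""
    root = ET.fromstring(policy_xml)
    return {int(m.get("character"), 16): (m.text or "").strip() for m in root.iter("metachar")}


def explain_metachar_violations(bad_msg_xml, policy_xml=None):
    """Return one finding per VIOL_PARAMETER_VALUE_METACHAR violation in a BAD_MSG record."""
    settings = policy_metachar_settings(policy_xml) if policy_xml else {}
    # Feed bytes so the encoding attribute in the XML declaration is honoured.
    root = ET.fromstring(bad_msg_xml.encode("utf-8"))
    findings = []
    for viol in root.iter("violation"):
        if viol.findtext("viol_name") != "VIOL_PARAMETER_VALUE_METACHAR":
            continue
        pdata = viol.find("parameter_data")
        name = b64_text(pdata.find("name"))
        value = b64_text(pdata.find("value"))
        code, hexcode, char = metachar_from_index(viol.findtext("metachar_index"))
        findings.append({
            "parameter": name,
            "enforcement_level": pdata.findtext("enforcement_level"),
            "value": value,
            "metachar_index": code,
            "metachar_hex": hexcode,
            "metachar": char,
            # Offsets in the decoded value at which the flagged character occurs.
            "positions": [i for i, c in enumerate(value) if c == char],
            "policy_setting": settings.get(code, "not in export"),
        })
    return findings


if __name__ == "__main__":
    for f in explain_metachar_violations(SAMPLE_BAD_MSG, POLICY_EXPORT):
        print("parameter %(parameter)s (%(enforcement_level)s level): metachar_index "
              "%(metachar_index)d = %(metachar_hex)s %(metachar)r at offsets %(positions)s; "
              "policy export says: %(policy_setting)s" % f)
        print("  decoded value: %(value)r" % f)
```

Run against the record from the question, the script reports that both violations concern the apostrophe (0x27) in the values of the parameters LOAD_PORT and DEST_PORT, and prints the offset of that character in each decoded value, which is exactly what you need to decide whether to allow the character for that parameter or fix the client. Feeding the policy export is optional; when you do, the last column shows the setting in that export, which is how to cross-check a finding against the policy that actually enforced it.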