Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Logging and identify the violations from staged signatures

sk_330490
Nimbostratus
Nimbostratus

‎29-Aug-2018 18:34

I am trying to fix a signature update issue for ASM v12.1.0 here. Signatures are not updated from some time. I wanted to do this in a phase manner now.

 

1) Enabling signature staging for the policy, enable signature staging for updated/new signatures 2) Run a manual update 3) Get through the Enforcement Readiness period of 7 days 4) Check for any violations for staged signatures and enforce the new/updated signatures respectively.

 

Regx point 4, will need some guidance on checking for any violation for staged signatures. We are sending logs to splunk and how do i identify from the log data, if the alert was on a staged signature. Pasting some log snippets below.

 

30/08/2018 11:07:54.000 Aug 30 11:07:54 xxxx.net.au ASM: f5_asm=Splunk-F5-ASM,attack_type="",date_time="2018-08-30 11:07:54",dest_ip=x.x.x.x,dest_port=xxxx,geo_info="US",http_class="/Common/VS_Test",ip_addr_intelli="N/A",ip_client=x.x.x.x,ip_route_domain="x.x.x.x%0",is_trunct=truncated,manage_ip_addr=x.x.x.x,method="POST",policy_apply_date="2018-05-31 10:08:09",policy_name="/Common/VS_Test",protocol="HTTP",query_str="",req_status="passed",resp_code="200",route_domain="0",session_id="4353fdsad4dd",severity="Informational",sig_ids="",sig_names="",src_port="27603",sub_violates="",support_id="17873574374868071705",unit_host="xxxxxxxxxxxxxxxx",uri="/abc/xyz",username="N/A",violate_details="44f3d1e143060702-000000000000000044f3d1e143060702-000000000000000044f3d1e143262702-0000000000000000000040c100240000-0000000000000000

 

Labels:
0 Kudos
2 REPLIES 2

amolari
Cirrus
Cirrus

‎30-Aug-2018 03:15 - last edited on ‎05-Jun-2023 21:57 by Fog

Can't remember if it applies to 12.1.x too, but on 13.1.1 one can

  • set the logging profile to log 
    Illegal requests, and requests that include staged attack signatures
  • in the Event log Requests, you can change the filter to
    • Basic panel/ Requests Status => unselect "Illegal"
    • IP/Username/URL panel/ Violation => select "Staged Violation"
0 Kudos

amolari
Cirrus
Cirrus

‎30-Aug-2018 23:40 - last edited on ‎05-Jun-2023 21:56 by Fog

With remote logging, you can also configure requests type of 

Illegal requests, and requests that include staged attack signatures
.

In the available item lists, you'll see

  • staged_sig_ids
  • staged_sig_names
  • staged_sig_set_names
0 Kudos
Copyright © 2023 Khoros, LLC