Forum Discussion

sk_330490's avatar
sk_330490
Icon for Nimbostratus rankNimbostratus
Aug 30, 2018

Logging and identify the violations from staged signatures

I am trying to fix a signature update issue for ASM v12.1.0 here. Signatures are not updated from some time. I wanted to do this in a phase manner now.

 

1) Enabling signature staging for the policy, enable signature staging for updated/new signatures 2) Run a manual update 3) Get through the Enforcement Readiness period of 7 days 4) Check for any violations for staged signatures and enforce the new/updated signatures respectively.

 

Regx point 4, will need some guidance on checking for any violation for staged signatures. We are sending logs to splunk and how do i identify from the log data, if the alert was on a staged signature. Pasting some log snippets below.

 

30/08/2018 11:07:54.000 Aug 30 11:07:54 xxxx.net.au ASM: f5_asm=Splunk-F5-ASM,attack_type="",date_time="2018-08-30 11:07:54",dest_ip=x.x.x.x,dest_port=xxxx,geo_info="US",http_class="/Common/VS_Test",ip_addr_intelli="N/A",ip_client=x.x.x.x,ip_route_domain="x.x.x.x%0",is_trunct=truncated,manage_ip_addr=x.x.x.x,method="POST",policy_apply_date="2018-05-31 10:08:09",policy_name="/Common/VS_Test",protocol="HTTP",query_str="",req_status="passed",resp_code="200",route_domain="0",session_id="4353fdsad4dd",severity="Informational",sig_ids="",sig_names="",src_port="27603",sub_violates="",support_id="17873574374868071705",unit_host="xxxxxxxxxxxxxxxx",uri="/abc/xyz",username="N/A",violate_details="44f3d1e143060702-000000000000000044f3d1e143060702-000000000000000044f3d1e143262702-0000000000000000000040c100240000-0000000000000000

 

2 Replies

  • Can't remember if it applies to 12.1.x too, but on 13.1.1 one can

    • set the logging profile to log
      Illegal requests, and requests that include staged attack signatures
    • in the Event log Requests, you can change the filter to
      • Basic panel/ Requests Status => unselect "Illegal"
      • IP/Username/URL panel/ Violation => select "Staged Violation"
  • With remote logging, you can also configure requests type of

    Illegal requests, and requests that include staged attack signatures
    .

    In the available item lists, you'll see

    • staged_sig_ids
    • staged_sig_names
    • staged_sig_set_names