event logs
3 Topics

Understanding Warnings In Log File
Hello, I am seeing these two warnings:

Tue Nov 6 10:57:46 EST 2018 warning xxxxF5-1 tmm1[12459] 01260009 Connection error: hud_ssl_handler:1230: codec alert (20)
Tue Nov 6 11:09:16 EST 2018 warning xxxxF5-1 tmm2[12459] 01260009 Connection error: ssl_passthru:4021: not SSL (40)

I am not sure how/where to start looking to see if this is an issue that I need to address and, if so, how. Could someone point me in the right direction? Thanks! Eric

232 Views, 0 likes, 2 Comments

Is it possible to set multiple IPs in the Source IP Address of the advanced ASM Event log search?
Hi, I want to exclude a couple IPs from the event logs I am looking at. I can set the drop down to 'is not' for the Source IP field and enter one IP address, removing this one IP from the event logs I am searching. Is there an operator or something similar that I can use to separate multiple IPs to remove more than one IP from the event logs? Thank You. Kind Regards Chris

1K Views, 0 likes, 2 Comments

No Event logs for particular policy
Hi, We are facing a strange issue where, for one particular ASM policy, we are not getting any Event logs and there are no alerts in Manual traffic learning. However, all the logs from ASM are pushed to Arcsight. We have a dedicated Arcsight team, who are raising alerts saying that from "x.x.x.x" source IP we are seeing SQLi, path traversal, XSS attacks and so on. When we navigate to event logs to filter the illegal requests from "x.x.x.x", we are not seeing any events / alerts. We checked the manual traffic learning as well; nothing is populated there either. Could someone kindly give any pointers on how to solve this issue? Let us know if anything else is needed.

PS: The ASM policy is currently in Transparent mode and the response code for the above-mentioned attacks is 404.

Best, Raghav

196 Views, 0 likes, 1 Comment