security

ASM bd daemon crash while processing request body (SIGSEGV) – anyone seen similar behavior?
Hello folks, I am currently investigating a recurring ASM bd daemon crash (SIGSEGV) on a BIG-IP system and would like to ask if anyone has seen something similar. It looks like the crash occurs during dynamic parameter inspection or metacharacter validation in request body parameters.

Environment:
• BIG-IP version: started on 16.1.6.1; I tried updating to 17.1.3 -> now 17.1.3.1 b.006
• Traffic type: mobile application API traffic
• Requests contain JSON payloads in the POST body
• Content-Type: application/json
• Some requests are also gzip encoded

Symptoms: The bd process crashes intermittently under normal production traffic. After the crash, the system generates a core dump for bd. From initial analysis of the core file we can see that the crash happens while ASM is processing request parameters inside the request body.

Relevant strings found in the core dump include:
handle_dynamic_param_name_checks
VIOL_PARAMETER_VALUE_METACHAR
check_user_input_value
ALPHA_NUMERIC checks len

We also see that ASM is constructing a request logging record at the moment of the crash (the internal #S... formatted record used by ASM logging). Example snippet from memory:
#Sprotocol=HTTP
#Sresponse=Only illegal requests are logged
#Sroute_domain=0
#Ssession_id=...
#SHeaders=POST ...

This suggests the crash occurs while ASM is processing a request and preparing a security event/log record.

How to add Syslog headers to Bot Defense logs over HSL? (Missing formatting options)
Hi DevCentral Community, I am running into an issue with logging Bot Defense events to our SIEM (AIsaac) and could use some advice on best practices. We have a logging profile configured to send both Application Security (ASM) and Bot Defense logs to a Remote Publisher. The Publisher is currently tied to a Remote HSL (High-Speed Logging) destination.

The Problem: For standard ASM WAF logs, we can easily format the log string directly in the GUI under the Application Security logging tab. However, under the Bot Defense logging tab, there is no option to customize the log format. Because it is sending directly to a raw HSL destination, the Bot Defense logs are arriving at our SIEM completely stripped of standard Syslog headers. Without these headers, the SIEM cannot parse the logs correctly.

My Questions:
1. Is inserting a Syslog-formatted destination before the HSL destination the official way to inject standard headers into Bot Defense logs?
2. Is there any hidden tmsh command or iRule method to actually customize the Bot Defense log payload format, or is the payload structure strictly fixed by the system?

Base64 decoding issue (JSON request)
Hello everyone, I'm facing an issue with Base64 decoding on F5 ASM. The request body looks like this:

Original message before encoding:
{
  "data": {
    "name": "khaled",
    "Age": "30",
    "Car": "BMW",
    "Conutry": "Egypt",
    "City": "Cairo"
  }
}

The developer encoded only the value part of the key:
{"data":"IHsKICAgICAgICAibmFtZSI6ICJraGFsZWQiLAogICAgICAgICJBZ2UiOiAiMzAiLAogICAgICAgICJDYXIiOiAiQk1XIiwKICAgICAgICAiQ29udXRyeSI6ICJFZ3lwdCIsCiAgICAgICAgIkNpdHkiOiAiQ2Fpcm8iCiAgICB9"}

I created a JSON profile with base64 decoding required. When F5 ASM decodes the request body, the value part is decoded correctly but "data" becomes garbage, because ASM doesn't know that only part of the request is encoded rather than the whole request body. How can I fix this behavior?

After decoding:
uZ {
  "name": "khaled",
  "Age": "30",
  "Car": "BMW",
  "Conutry": "Egypt",
  "City": "Cairo"
}

I searched for a fix for this issue and found this: Securing Base64-Encoded Parameters. I added the "data" parameter, then: For the Parameter Value Type setting, select User-input value. On the Data Type tab, for the Data Type setting, select either Alpha-Numeric or File Upload. Select the Base64 Decoding check box if you want the system to apply base64 decoding to values for this parameter.

When I changed the profile to disable decoding on the request body, a lot of violations were triggered (meta chars { } " :) on:
{"data":"IHsKICAgICAgICAibmFtZSI6ICJraGFsZWQiLAogICAgICAgICJBZ2UiOiAiMzAiLAogICAgICAgICJDYXIiOiAiQk1XIiwKICAgICAgICAiQ29udXRyeSI6ICJFZ3lwdCIsCiAgICAgICAgIkNpdHkiOiAiQ2Fpcm8iCiAgICB9"}

AWS F5_OWASP Managed Rule Blocking requests
AWS F5 OWASP managed rules are blocking requests all of a sudden (23-01-2025). We want to understand if any update was made, and also see the changelog for this update and which rules were updated. Where do I find this information? AWS does not support these rules since they are managed by F5. Do we have a way to reach the vendor?

Add all rule labels to events in F5 Rules for AWS WAF - Web exploits OWASP Rules
Hi all, we're subscribed to the "F5 Rules for AWS WAF - Web exploits OWASP Rules" rules for AWS WAF via Marketplace, and we're looking at the labels that are added to events passing through the WAF. Currently we see only a single label added to all the events, regardless of which rule triggered a match. The label is:

"labels": [
  {
    "name": "awswaf:managed:f5:web-exploits-owasp-rules:OWASP4"
  }
],

Is there any way to also see the specific rule that triggered, for example the `ruleId`, which we can see in the logs is `rule_Union_Based_AllQueryArguments_Body`?

"terminatingRule": {
  "ruleId": "rule_Union_Based_AllQueryArguments_Body",
  "action": "BLOCK",
  "ruleMatchDetails": null
},

This would allow us to better handle false positives for specific rules, without disabling the entire thing. Does anyone have any ideas? Thanks

Use F5 APM as Forward Proxy
Hello all, I have one BIG-IP with an APM license and I want to use it as a forward proxy. I have used this iApp https://devcentral.f5.com/codeshare/apm-explicit-proxy and now I have:
• DNS Resolver
• Tunnel for traffic
• HTTP profile
• Virtual Server (Proxy) listening on 8080

Although this is configured, when I point my browser at this proxy it doesn't seem to work. I suppose that now I have to create two more separate virtual servers listening on ports 80 and 443 for handling HTTP and HTTPS traffic. Am I right?

The question is, once I have configured these two virtual servers, how can I forward traffic to the Internet? If the VS hasn't got pool members, does it check the routing table? Or do I have to create an iRule with something like this:

when HTTP_REQUEST {
    Forward
}
when HTTP_RESPONSE {
    Forward
}

Also, I don't want to inspect SSL traffic. I would like to use the proxy as a passthrough but only allow certain HTTPS sites. Do I need to inspect SSL traffic to filter by URLs?

Thanks in advance