violations
2 Topics

ASM::violation full description of all keys
Hello,

The article on https://devcentral.f5.com/wiki/iRules.ASM__violation.ashx describes how to get the list of found violations from the ASM::violation definition, which in turn could be used in an iRule. However, there are only two examples given for the keys to evaluate violations from attack signatures and length on parameters. The keys do apparently also differ between the type of violation.

As ASM knows a bit more than those two violations, the question is where to find a definition of all keys for all violation types? I did get creative with Google searches and grepping around the BigIP shell, but so far no success.

Hope anyone of you can help.

Regards
Andreas

430 Views, 0 likes, 3 Comments

F5 ASM/AWAF – violations logged but no learning suggestions generated
Hey everyone, running into a strange behavior with F5 ASM and hoping someone has seen this before.

Setup:
- Explicit/closed parameter list (only allowed parameters defined, everything else triggers a violation)
- "Illegal Parameter" violation has Learn + Alarm + Block all enabled
- Parameter learning mode is set to Always
- Violations are appearing correctly in the event logs
- no blocked IP addresses exceptions

The Problem:
Despite all of the above, no learning suggestions are being generated for the illegal parameter violations except one on the Traffic Learning page.

What I noticed:
After digging through the logs, I found a pattern:
- the one request that triggered only the illegal parameter violation (with a valid URL) → learning suggestion WAS generated
- Requests that triggered illegal parameter + illegal URL or illegal file type simultaneously → no learning suggestion generated

The vast majority of my traffic falls into the second category, which is why the suggestions page looks empty.

My question:
Is there any documented behavior in ASM/AWAF where requests triggering multiple severe violations (illegal URL + illegal file type + illegal parameter together) are suppressed from generating learning suggestions? Or is something else going on here? Has anyone run into this and found a workaround other than manually adding parameters from the event log?

Thanks in advance.

96 Views, 0 likes, 3 Comments