
ASM - violation_details - Any documentation?

I'm looking for documentation on the violation_details XML output for 11.x. I'm trying to understand more about the individual messages. Below is an example. This is for signature 200007002 which I can see in the details, and the signature name is Directory Traversal attempt ""/..%255c. When I check the ASM GUI I do see this string captured and the violation details in the ASM GUI call it out highlighted all friendly-like. The violation details in the syslog give no indication of this. Because the logs are truncated in the GUI and the actual syslog, the user request portion does not have the attack either.

So some documentation would be helpful, since each violation has a different core set of information. violation_details is also listed in the manual as containing the full information, so it is confusing as to why the GUI would show the attack clear as day when selecting violation details, but the syslog instead contains values that look more like cookies; and no, it was not a session cookie or any parameter with a name matching the one below that was hit.

Thoughts? :D

<?xml version='1.0' encoding='UTF-8'?>
<BAD_MSG>
  <request-violations>
    <violation>
      <viol_index>42</viol_index>
      <viol_name>VIOL_ATTACK_SIGNATURE</viol_name>
      <context>request</context>
      <sig_data>
        <sig_id>200007002</sig_id>
        <blocking_mask>6</blocking_mask>
        <kw_data>
          <buffer>c2VsZWN0ZWRQcm92aWRlck5hbWU9MTEyMiZzZWxlY3RlZERhdGVSYW5nZT0yeWVhcnMmc3RhcnREYXRlPS8uLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiU=</buffer>
          <offset>61</offset>
          <length>8</length>
        </kw_data>
      </sig_data>
    </violation>
  </request-violations>
</BAD_MSG>

Comments on this Question
Comment made 22-Oct-2015 by Marc LeBeau 129
Looks like something truncated my log here too! I've replaced all forward slashes which end a tag with ~ and then I've replaced all open & close script tags with ( ) so we'll see if this works...

(?xml version='1.0' encoding='UTF-8'?)(BAD_MSG)(request-violations)(violation)(viol_index)42(~viol_index)(viol_name)VIOL_ATTACK_SIGNATURE(~viol_name)(context)request(~context)(sig_data)(sig_id)200007002(~sig_id)(blocking_mask)6(~blocking_mask)(kw_data)(buffer)c2VsZWN0ZWRQcm92aWRlck5hbWU9MTEyMiZzZWxlY3RlZERhdGVSYW5nZT0yeWVhcnMmc3RhcnREYXRlPS8uLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiU=(~buffer)(offset)61(~offset)(length)8(~length)(~kw_data)(~sig_data)(~violation)(~request-violations)(~BAD_MSG)

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The output in the buffer tag is base64 encoded....

selectedProviderName=1122&selectedDateRange=2years&startDate=/..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%

Here are some docs you may find useful with respect to remote logging:

https://support.f5.com/kb/en-us/solutions/public/9000/400/sol9435.html

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-11-3-0/10.html

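To turn the raw syslog field into what the GUI shows, here is an added Python example; it is not code from the thread or from F5. It parses the violation_details XML as posted in the question (tags restored), base64-decodes the <buffer> element, and treats <offset> and <length> as a zero-based byte range into the decoded data to pull out the keyword that matched signature 200007002. Reading offset/length as a byte range into the decoded buffer is an assumption, but the posted values bear it out: offset 61 with length 8 lands exactly on /..%255c, the string the GUI highlights. The sample XML is reconstructed from the question; the function names are my own.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the violation_details payload from the question with
# its tags restored (the values are the ones the question shows).
SAMPLE_VIOLATION_DETAILS = """<?xml version='1.0' encoding='UTF-8'?>
<BAD_MSG>
  <request-violations>
    <violation>
      <viol_index>42</viol_index>
      <viol_name>VIOL_ATTACK_SIGNATURE</viol_name>
      <context>request</context>
      <sig_data>
        <sig_id>200007002</sig_id>
        <blocking_mask>6</blocking_mask>
        <kw_data>
          <buffer>c2VsZWN0ZWRQcm92aWRlck5hbWU9MTEyMiZzZWxlY3RlZERhdGVSYW5nZT0yeWVhcnMmc3RhcnREYXRlPS8uLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiUyNTVjLi4lMjU1Yy4uJTI1NWMuLiU=</buffer>
          <offset>61</offset>
          <length>8</length>
        </kw_data>
      </sig_data>
    </violation>
  </request-violations>
</BAD_MSG>
"""


def decode_kw_data(kw):
    """Decode one <kw_data> element: the base64 buffer plus the byte range
    (offset, length) that the signature keyword matched.

    Assumption: offset/length index the *decoded* bytes, zero-based."""
    raw = base64.b64decode(kw.findtext("buffer", default="").strip())
    offset = int(kw.findtext("offset", default="0"))
    length = int(kw.findtext("length", default="0"))
    # Request data is not guaranteed to be valid UTF-8; a stray byte must
    # not abort log processing, so decode leniently.
    return {
        "raw": raw,
        "buffer": raw.decode("utf-8", errors="replace"),
        "offset": offset,
        "length": length,
        "matched": raw[offset:offset + length].decode("utf-8", errors="replace"),
    }


def parse_violation_details(xml_text):
    """Return one dict per <violation> with the signature id, blocking mask
    and the decoded keyword data (if the violation carries any)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    violations = []
    for viol in root.iter("violation"):
        entry = {
            "index": viol.findtext("viol_index"),
            "name": viol.findtext("viol_name"),
            "context": viol.findtext("context"),
            "sig_id": None,
            "blocking_mask": None,
            "keywords": [],
        }
        sig = viol.find("sig_data")
        if sig is not None:
            entry["sig_id"] = sig.findtext("sig_id")
            entry["blocking_mask"] = sig.findtext("blocking_mask")
            entry["keywords"] = [decode_kw_data(kw) for kw in sig.iter("kw_data")]
        violations.append(entry)
    return violations


def highlight(kw):
    """Reproduce the GUI's highlighting in plain text by bracketing the
    matched byte range inside the decoded buffer."""
    raw, start = kw["raw"], kw["offset"]
    end = start + kw["length"]
    marked = raw[:start] + b"[[" + raw[start:end] + b"]]" + raw[end:]
    return marked.decode("utf-8", errors="replace")


if __name__ == "__main__":
    for v in parse_violation_details(SAMPLE_VIOLATION_DETAILS):
        print(f"{v['name']} sig_id={v['sig_id']} blocking_mask={v['blocking_mask']}")
        for kw in v["keywords"]:
            print("  matched keyword:", kw["matched"])
            print("  request data  :", highlight(kw))
```

Run it against a violation_details string lifted from a remote-logging line and it prints the decoded query string with the matched keyword bracketed, which is the same information the GUI's highlighted view presents. The slicing is done on bytes rather than on the decoded text so that multi-byte characters earlier in the buffer do not shift the highlight.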
Comments on this Answer
Comment made 23-Oct-2015 by Marc LeBeau 129
holy heck Batman you are freaking awesome! B64 makes sense too cuz it looked like somethin similar but it just wasn't clickin for me. You're a Rockstar Tim!
Comment made 15-Aug-2016 by Alex 146

That really helped :) I was sieving through some raw logs & couldn't quite figure out the encoded violation details at first.
