ASM violate_details construction explained

Question

We send the ASM log to a 3rd party SIEM.  I could not find a document explaining the detail of the XML variable "violate_details".
The parameter name &amp; value are Base64 encoded.
Does anyone has any clue ?
e.g.:

0
what does 0 means here
or
048600240b20048a-c002000000000000
0000000000200000-0000000000000000
What do these values represent
or
600000063
What is this sig_id ?  Attack Signature does not exist

e.g.:

`048600240b20048a-c0020000000000001c86f2ffebbf6fea-c1120000000000000000000000200000-00000000000000000000000000000000-000000000000000042VIOL_ATTACK_SIGNATURErequest2000000747cjogNDVlYTIwN2Q3YTJiNjhjNDk1ODJkMmQyMmFkZjk1M2FhZHN8YTozOntzOjM6Im51bSI7czoyMDc6IiovIHNlbGVjdCAxLDB4MjcyMDc1NmU2OTZmNmUyZjJhLDMsNCw1LDYsNyw4LDB4N2IyNDdiMjQ0ODdhNmM2YzYxNjc=60102000023137IjtzOjIwNzoiKi8gc2VsZWN0IDEsMHgyNzIwNzU2ZTY5NmY2ZTJmMmEsMyw0LDUsNiw3LDgsMHg3YjI0N2IyNDQ4N2E2YzZjNjE2NzYxMjc1ZDNiNjU3NjYxNmMyZjJhMmEyZjI4NjI2MTczNjUzNjM0NWY2NDY1NjM2ZjY0NjU=11272000023117ZWEyMDdkN2EyYjY4YzQ5NTgyZDJkMjJhZGY5NTNhYWRzfGE6Mzp7czozOiJudW0iO3M6MjA3OiIqLyBzZWxlY3QgMSwweDI3MjA3NTZlNjk2ZjZlMmYyYSwzLDQsNSw2LDcsOCwweDdiMjQ3YjI0NDg3YTZjNmM2MTY3NjEyNzU=59112000025517MzYyNDc0NjZlNTk1NjMwNzA0Zjc3M2QzZDI3MjkyOTNiMmYyZjdkN2QsMC0tIjtzOjI6ImlkIjtzOjk6IicgdW5pb24vKiI7czo0OiJuYW1lIjtzOjM6ImFkcyI7fTQ1ZWEyMDdkN2EyYjY4YzQ5NTgyZDJkMjJhZGY5NTNhDQo=61742VIOL_ATTACK_SIGNATUREparameterglobalaHpsbGFnYQ==ZXZhbC8qKi8oYmFzZTY0X2RlY29kZSgkX1BPU1RbZF0pKTtlY2hvIEh6bGxhZ2FSQ0VUZXN0T0s7ZXhpdDs=006000000637aHpsbGFnYT1ldmFsKGJhc2U2NF9kZWNvZGUoJF9QT1NUW2RdKSk7ZWNobyBIemxsYWdhUkNFVGVzdE9LO2V4aXQ7852000013247aHpsbGFnYT1ldmFsKGJhc2U2NF9kZWNvZGUoJF9QT1NUW2RdKSk7ZWNobyBIemxsYWdhUkNFVGVzdE9LO2V4aXQ78542VIOL_ATTACK_SIGNATUREparameterglobalaHpsbGFnYQ==ZXZhbC8qKi8oYmFzZTY0X2RlY29kZSgkX1BPU1RbZF0pKTtlY2hvIEh6bGxhZ2FSQ0VUZXN0T0s7ZXhpdDs=006000000637aHpsbGFnYT1ldmFsLyoqLyhiYXNlNjRfZGVjb2RlKCRfUE9TVFtkXSkpO2VjaG8gSHpsbGFnYVJDRVRlc3RPSztleGl0Ow==892000013247aHpsbGFnYT1ldmFsLyoqLyhiYXNlNjRfZGVjb2RlKCRfUE9TVFtkXSkpO2VjaG8gSHpsbGFnYVJDRVRlc3RPSztleGl0Ow==8939VIOL_FILETYPEcGhw90169

samstep · Answer

The problem seem to be in the SIEM and its format. To assist the investigation it is best to use SupportID to search for the request which triggered the violation in F5 ASM WEB GUI and compare with the one logged by SIEM

Forum Discussion

ASM violate_details construction explained

1 Reply

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

DevCentral Community Ranking Explained

HTTP Explicit Proxy Explained in Plain English

TLS Caching Explained on BIG-IP

TCP Internals: 3-way Handshake and Sequence Numbers Explained

Lightboard Lessons: Explaining TLS 1.3