Attack type in ASM::violation_data always blank

Question

Howdy. 
With an iRule logging ASM events over HSL, we use ASM::violation_data on 10.2.4. the 5th field, attack type, is apparently ALWAYS blank. 
If I just do a log local0. [ASM::violation_data] and spoof a directory traversal I can see...
Mar  5 10:58:57 local/tmm1 info tmm1[4923]: Rule hsl_logging_irule : VIOLATION_ATTACK_SIGNATURE_DETECTED 4316674533163547263 str_apache_class Informational 10.123.45.6 {} blocked

Any clues??
Thanks
Chris

nathe · Answer

Chris,&nbsp;
According to the wiki ASM::violation that's not quite how this command works. It has multiple, delimited, fields. Hopefully the wiki will give you a steer on capturing the violation type.&nbsp;
Hope this helps,&nbsp;
N&nbsp;

chris_phillips · Answer

I'm just dumping it out to prove a point, I'm comfortable using the data list in a more formal way, I just need to know why it's always empty and if this can be addressed as I would, in line with the wiki expect a raft of useful description tags to be in that field, but clearly it's empty.

Forum Discussion

Attack type in ASM::violation_data always blank

2 Replies

Recent Discussions

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Related Content

The HTTP/2 CONTINUATION frame attack

ESRP Strategies: DNS Water Torture Attack

Vpn Always connected mode

Security First, Performance Always: How F5 Drives Citrix VDI Excellence in Application Delivery

Juice jacking attack and State-funded attacks - April 15th - 21st - This Week in Security