ASM::violation_data
Description
This command exposes the fields below using a multiple buffers instance, i.e. a list in which each field occupies a fixed position (see the examples, which read the fields with lindex).
Note: Starting with version 11.5.0 this command is replaced by the commands ASM::violation, ASM::support_id, ASM::severity and ASM::client_ip, which have more convenient syntax and enhanced options. It is kept for backward compatibility.
Position | Field | Description |
--- | --- | --- |
0 | Violation | String containing a comma-separated list of violations; see the request-side and response-side violation tables below for the possible values |
1 | support_id | Unique ID given to the transaction |
2 | web_application | ASM web application name |
3 | Severity | The most critical severity among all of the transaction's violations; possible values: Emergency, Alert, Critical, Error, Warning, Notice and Informational |
4 | source_ip | Client IP (if the trust XFF option is enabled on the policy, this is the XFF IP) |
5 | attack_type | String containing a comma-separated list of attack types; see the attack-type table below for the possible values |
6 | request_status | Can be “blocked” or “alarmed” |
Request Side Violations Table
Violation Name | Description |
--- | --- |
VIOLATION_EVASION_DETECTED | Evasion technique detected |
VIOLATION_REQUEST_TOO_LONG | Request length exceeds defined buffer size |
VIOLATION_ILLEGAL_INGRESS_OBJECT | Login URL bypassed |
VIOLATION_ILLEGAL_GEOLOCATION | Access from disallowed Geolocation |
VIOLATION_PARSER_EXPIRED_INGRESS_OBJECT | Login URL expired |
VIOLATION_RESPONSE_SCRUBBING | Response scrubbing |
VIOLATION_ILLEGAL_SOAP_ATTACHMENT | Illegal attachment in SOAP message |
VIOLATION_MISSING_MANDATORY_HEADER | Mandatory HTTP header is missing |
VIOLATION_HTTP_SANITY_CHECK_FAILED | HTTP protocol compliance failed |
VIOLATION_CHAR_CONV | Failed to convert character |
VIOLATION_MALFORMED_XML | Malformed XML data |
VIOLATION_XML_WSDL | XML data does not comply with schema or WSDL document |
VIOLATION_XML_FORMAT_SETTING | XML data does not comply with format settings |
VIOLATION_PARSER_FAILED_SOAP_SECURITY | SOAP security parser failed |
VIOLATION_SOAP_METHOD_NOT_ALLOWED | SOAP method not allowed |
VIOLATION_BRUTE_FORCE_ATTACK_DETECTED | Maximum login attempts are exceeded |
VIOLATION_WEB_SCRAPING_DETECTED | Web scraping detection |
VIOLATION_OBJ_LEN | Illegal URL length |
VIOLATION_COOKIE_LEN | Illegal cookie length |
VIOLATION_REQ_LEN | Illegal request length |
VIOLATION_QS_LEN | Illegal query string length |
VIOLATION_POST_DATA_LEN | Illegal POST data length |
VIOLATION_MULTI_PART_PARAM_VAL | Null in multi-part parameter value |
VIOLATION_HEADER_LEN | Illegal header length |
VIOLATION_METACHAR_IN_OBJ | Illegal meta character in URL |
VIOLATION_METACHAR_IN_PARAM_NAME | Illegal meta character in parameter name |
VIOLATION_METACHAR_IN_DEF_PARAM | Illegal meta character in parameter value |
VIOLATION_OBJ_TYPE | Illegal file type |
VIOLATION_OBJ_DOESNT_EXIST | Non-existent URL |
VIOLATION_FLOW_TO_OBJ | Illegal flow to URL |
VIOLATION_ILLEGAL_METHOD | Illegal method |
VIOLATION_SESSSION_ID_IN_URL | Illegal session ID in URL |
VIOLATION_QS_OR_POST_DATA | Illegal query string or POST data |
VIOLATION_PARAM | Illegal parameter |
VIOLATION_EMPTY_PARAM_VALUE | Illegal empty parameter value |
VIOLATION_STATIC_PARAM_VALUE | Illegal static parameter value |
VIOLATION_DYN_PARAM_VALUE | Illegal dynamic parameter value |
VIOLATION_PARAM_VALUE_LEN | Illegal parameter value length |
VIOLATION_PARAM_DATA_TYPE | Illegal parameter data type |
VIOLATION_PARAM_NUMERIC_VALUE | Illegal parameter numeric value |
VIOLATION_ATTACK_SIGNATURE_DETECTED | Attack signature detected |
VIOLATION_NUM_OF_MANDATORY_PARAMS | Illegal number of mandatory parameters |
VIOLATION_PARAM_VALUE_NOT_MATCHING_REGEX | Parameter value does not comply with regular expression |
VIOLATION_MOD_ASM_COOKIE | Modified ASM cookie |
VIOLATION_MOD_DOMAIN_COOKIE | Modified domain cookie(s) |
VIOLATION_NOT_RFC_COOKIE | Cookie not RFC-compliant |
VIOLATION_ENTRY_POINT | Illegal entry point |
VIOLATION_MSG_KEY | ASM cookie hijacking |
VIOLATION_EXPIRED_TIMESTAMP | Expired timestamp |
VIOLATION_METACHAR_IN_HEADER | Illegal meta character in header |
VIOLATION_HTTP_STATUS_IN_RESPONSE | Illegal HTTP status code in response |
VIOLATION_DOS_ATTACK_STARTED | DoS attack detected |
Response Side Violations Table
Violation Name | Description |
--- | --- |
VIOLATION_RESPONSE_SCRUBBING | Information leakage detected |
VIOLATION_HTTP_STATUS_IN_RESPONSE | Illegal HTTP status in response |
VIOLATION_ATTACK_SIGNATURE_DETECTED | Attack signature detected |
VIOLATION_DOS_ATTACK_STARTED | DoS attack detected |
Attack-Type Table
The attack_type field can contain the following values:
Attack-Type Name | Description |
--- | --- |
ATTACK_TYPE_REMOTE_FILE_INCLUDE | Remote File Include |
ATTACK_TYPE_NON_BROWSER_CLIENT | Non-browser client |
ATTACK_TYPE_OTHER_APPLICATION_ATTACKS | Other Application Attacks |
ATTACK_TYPE_TROJAN_BACKDOOR_SPYWARE | Trojan/Backdoor/Spyware |
ATTACK_TYPE_DETECTION_EVASION | Detection Evasion |
ATTACK_TYPE_VULNERABILITY_SCAN | Vulnerability Scan |
ATTACK_TYPE_ABUSE_OF_FUNCTIONALITY | Abuse of Functionality |
ATTACK_TYPE_AUTHENTICATION_AUTHORIZATION_ATTACKS | Authentication/Authorization Attacks |
ATTACK_TYPE_BUFFER_OVERFLOW | Buffer Overflow |
ATTACK_TYPE_PREDICTABLE_RESOURCE_LOCATION | Predictable Resource Location |
ATTACK_TYPE_INFORMATION_LEAKAGE | Information Leakage |
ATTACK_TYPE_DIRECTORY_INDEXING | Directory Indexing |
ATTACK_TYPE_PATH_TRAVERSAL | Path Traversal |
ATTACK_TYPE_XPATH_INJECTION | XPath |
ATTACK_TYPE_LDAP_INJECTION | LDAP Injection |
ATTACK_TYPE_SERVER_SIDE_CODE_INJECTION | Server Side Code Injection |
ATTACK_TYPE_COMMAND_EXECUTION | Command Execution |
ATTACK_TYPE_SQL_INJECTION | SQL-Injection |
ATTACK_TYPE_CROSS_SITE_SCRIPTING | Cross Site Scripting (XSS) |
ATTACK_TYPE_DENIAL_OF_SERVICE | Denial of Service |
ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY | Other Application Activity |
ATTACK_TYPE_HTTP_PARSER_ATTACK | HTTP Parser Attack |
ATTACK_TYPE_HTTP_REQUEST_SMUGGLING_ATTACK | Request smuggling attack |
ATTACK_TYPE_FORCEFUL_BROWSING | Forceful Browsing |
ATTACK_TYPE_BRUTE_FORCE_ATTACK | Brute Force Attack |
ATTACK_TYPE_INJECTION_ATTEMPT | Injection Attempt |
ATTACK_TYPE_PARAMETER_TAMPERING | Parameter Tampering |
ATTACK_TYPE_XML_PARSER_ATTACK | XML Parser Attack |
ATTACK_TYPE_SESSION_HIJACKING | Session Hijacking |
ATTACK_TYPE_HTTP_RESPONSE_SPLITTING_ATTACK | HTTP response splitting attack |
ATTACK_TYPE_WEB_SCRAPING | Web scraping |
ATTACK_TYPE_DOS_ATTACK_STARTED | DoS attack started |
ATTACK_TYPE_MALICIOUS_FILE_UPLOAD | Virus upload |
Examples
Log every field of the violation data, one line per field:

when ASM_REQUEST_VIOLATION {
    set x [ASM::violation_data]
    foreach i $x {
        log local0. "i=$i"
    }
}

Log each field under its name (positions follow the field table above), then act on the violation list. Note that in Tcl the opening brace of an if or when body must sit on the same line as the condition; a brace on the following line is a syntax error:

when ASM_REQUEST_VIOLATION {
    set x [ASM::violation_data]
    # Positions 0-6 map to the fields listed in the table above
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
            0 { log local0. "violation=[lindex $x $i]" }
            1 { log local0. "support_id=[lindex $x $i]" }
            2 { log local0. "web_application=[lindex $x $i]" }
            3 { log local0. "severity=[lindex $x $i]" }
            4 { log local0. "source_ip=[lindex $x $i]" }
            5 { log local0. "attack_type=[lindex $x $i]" }
            6 { log local0. "request_status=[lindex $x $i]" }
        }
    }
    # Field 0 is a comma-separated list, so a substring match is used
    if { [lindex $x 0] contains "VIOLATION_EVASION_DETECTED" } {
        log local0. "VIOLATION_EVASION_DETECTED detected, uri=[HTTP::uri]"
        log local0. "Decided to sanitize headers"
        HTTP::header sanitize
        HTTP::header insert header_1 value_1
        ASM::payload replace 0 0 "1234567890"
    } else {
        log local0. "violation=[lindex $x 0]"
        log local0. "Decided to route it to a different pool"
        HTTP::uri /index.php
        pool phpauction
    }
}
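The examples above log the seven fields as separate lines. The following iRule is an added example, not code from the original page or from F5: it unpacks the fields into named variables in the documented order, splits the comma-separated violation and attack_type lists, and emits one structured key=value log line per violating request so that a log pipeline can parse it without correlating several lines. The event name, field order, severity names and the "blocked"/"alarmed" status values come from this page; the numeric severity ranking, the log line format and the escalation threshold are assumptions made for this example.

```tcl
# Added example (not from the original page): structured logging of
# ASM::violation_data. Field order, severity names and status values are
# taken from the documentation above; the rank mapping, log format and
# escalation rule below are assumptions made for this example.
when ASM_REQUEST_VIOLATION {
    set x [ASM::violation_data]

    # Position-based unpack of the multiple-buffers list (Tcl 8.4 idiom,
    # no lassign): 0 violation, 1 support_id, 2 web_application,
    # 3 severity, 4 source_ip, 5 attack_type, 6 request_status
    foreach {violation support_id web_app severity source_ip attack_type request_status} $x break

    # Both list fields are comma separated; drop surrounding whitespace
    # and empty entries so downstream parsing sees clean tokens
    set violations [list]
    foreach v [split $violation ","] {
        set v [string trim $v]
        if { $v ne "" } { lappend violations $v }
    }
    set attack_types [list]
    foreach a [split $attack_type ","] {
        set a [string trim $a]
        if { $a ne "" } { lappend attack_types $a }
    }

    # Assumed rank for the documented severity names (Emergency=0 ...
    # Informational=6) so a threshold can be compared numerically
    switch -- $severity {
        "Emergency"     { set rank 0 }
        "Alert"         { set rank 1 }
        "Critical"      { set rank 2 }
        "Error"         { set rank 3 }
        "Warning"       { set rank 4 }
        "Notice"        { set rank 5 }
        "Informational" { set rank 6 }
        default         { set rank 7 }
    }

    # One key=value line per request; list fields are joined with ";"
    # because "," already separates the entries inside the raw field
    log local0. "asm_violation support_id=$support_id app=\"$web_app\" severity=$severity status=$request_status client=$source_ip uri=\"[HTTP::uri]\" violations=[join $violations ";"] attack_types=[join $attack_types ";"]"

    # Flag events at Critical or worse that ASM only alarmed on (did not
    # block): these are the transactions a responder is most likely to miss
    if { $rank <= 2 && $request_status eq "alarmed" } {
        log local0. "asm_escalate support_id=$support_id severity=$severity client=$source_ip"
    }
}
```

The support_id in the structured line is the value to search for in the ASM request log when investigating an escalated event. On version 11.5.0 and later the same fields are available through the replacement commands the note at the top of this page lists, and the unpack step becomes unnecessary.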