Last Modified: Nov 07, 2022
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 13.0.0, 12.1.2 HF1
Opened: Dec 04, 2016 Severity: 3-Major
Related Article: K61367823
ArcSight cs4 (attack_type) is reported as "N/A" for a violation whose sub-violation does not have a specific attack_type_code.
When one of these violations occurs, the system does not assign the appropriate attack type to the logged request in the log or in the remote logger. If no other violation was found, the system reports the ArcSight remote logger message as attack_type="N/A".
This occurs when there are HTTP Compliance sub-violations such as "Header name with no header value" that do not correlate to any attack_type. Other attack types are as follows:
-- HTTP Protocol Compliance/ High ASCII characters in headers.
-- HTTP Protocol Compliance/ Host header contains IP address.
-- HTTP Protocol Compliance/ CRLF characters before request start.
-- HTTP Protocol Compliance/ Header without header value.
-- HTTP Protocol Compliance/ Body in GET/HEAD requests.
-- Evasion technique/ directories traversals.
Now, when ArcSight cs4 (attack_type) HTTP Compliance sub-violations do not correlate to any attack_type, the system assigns the parent violation's attack type when reporting the violation.
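
One way to find records affected by this behavior in a collected ArcSight (CEF) feed, so they are not missed by filters keyed on attack type. This is an added example, not part of the original article or any F5 code. The sample records, event class IDs and event names are constructed placeholders; only cs4, its attack_type label and the "N/A" value come from the text above.

```python
import re

# A CEF extension key is a word followed by '=' at the start or after whitespace;
# a literal '=' inside a value is escaped as '\=' and so never matches as a key.
_KEY = re.compile(r"(?:^|\s)(\w+)=")

def parse_cef(line):
    """Return (header_fields, extension_dict) for a CEF record, else None."""
    start = line.find("CEF:")            # skip any syslog prefix
    if start < 0:
        return None
    # Seven pipe-delimited header fields, then the extension (which may contain '|').
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) < 8:
        return None
    ext, fields = parts[7], {}
    keys = list(_KEY.finditer(ext))
    for i, m in enumerate(keys):
        # A value runs up to the next key, so it may contain spaces.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return parts[:7], fields

def unclassified_events(lines):
    """List (event_class_id, name) of records whose attack_type (cs4) is N/A."""
    hits = []
    for line in lines:
        parsed = parse_cef(line)
        if parsed is None:
            continue
        header, ext = parsed
        if ext.get("cs4Label") == "attack_type" and ext.get("cs4") == "N/A":
            hits.append((header[4], header[5]))
    return hits

# Constructed sample records (placeholder IDs and names, not real device output).
SAMPLE = [
    r"Nov  7 10:00:01 waf1 ASM: CEF:0|F5|ASM|12.1.2|SAMPLE_ID_1|HTTP protocol compliance failed|5|dvchost=waf1 cs4=N/A cs4Label=attack_type request=GET /a?x\=1 HTTP/1.1",
    r"Nov  7 10:00:02 waf1 ASM: CEF:0|F5|ASM|12.1.2|SAMPLE_ID_2|Sample violation|5|dvchost=waf1 cs4=Non-browser Client cs4Label=attack_type",
    "Nov  7 10:00:03 waf1 sshd[1]: unrelated non-CEF line",
]

if __name__ == "__main__":
    for event_id, name in unclassified_events(SAMPLE):
        print(f"attack_type=N/A: {event_id} ({name})")
```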