Bug ID 631737: ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations

Last Modified: Oct 01, 2018

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2

Fixed In:
13.0.0, 12.1.2 HF1

Opened: Dec 04, 2016
Severity: 3-Major
Related AskF5 Article:
K61367823

Symptoms

ArcSight cs4 (attack_type) is reported as "N/A" for a violation whose sub-violation does not have a specific attack_type_code.

Impact

When one of these violations occurs, the system does not assign the appropriate attack type to the logged request in the log or in the remote logger. The system reports the ArcSight remote logger message as attack_type="N/A". (If no other violation was found.)

Conditions

This occurs when there are HTTP Compliance sub-violations such as "Header name with no header value" that do not correlate to any attack_type. Other attack types are as follows: -- HTTP Protocol Compliance/ High ASCII characters in headers. -- HTTP Protocol Compliance/ Host header contains IP address. -- HTTP Protocol Compliance/ CRLF characters before request start. -- HTTP Protocol Compliance/ Header without header value. -- HTTP Protocol Compliance/ Body in GET/HEAD requests. -- Evasion technique/ directories traversals.

Workaround

None.

Fix Information

Now, when ArcSight cs4 (attack_type) HTTP Compliance sub-violations do not correlate to any attack_type, the system assigns the parent violation's attack type when reporting the violation.

Behavior Change