Bug ID 631737: ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP ASM(all modules)

Fixed In:
13.0.0, 12.1.2 HF1

Opened: Dec 04, 2016

Severity: 3-Major

Related Article: K61367823


ArcSight cs4 (attack_type) is reported as "N/A" for a violation whose sub-violation does not have a specific attack_type_code.


When one of these violations occurs, the system does not assign the appropriate attack type to the logged request in the log or in the remote logger. The system reports the ArcSight remote logger message as attack_type="N/A". (If no other violation was found.)


This occurs when there are HTTP Compliance sub-violations such as "Header name with no header value" that do not correlate to any attack_type. Other attack types are as follows: -- HTTP Protocol Compliance/ High ASCII characters in headers. -- HTTP Protocol Compliance/ Host header contains IP address. -- HTTP Protocol Compliance/ CRLF characters before request start. -- HTTP Protocol Compliance/ Header without header value. -- HTTP Protocol Compliance/ Body in GET/HEAD requests. -- Evasion technique/ directories traversals.



Fix Information

Now, when ArcSight cs4 (attack_type) HTTP Compliance sub-violations do not correlate to any attack_type, the system assigns the parent violation's attack type when reporting the violation.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips