JSESSIONID
10002lBNXPR_Jbi4oCjxehcclRZ:1dmii9ro4
100034eQfpxxxHlMxC9DQnU3jJh:1dfvt9oj5
......
700 count

Severity = Error or Critical

Below is the sample event:

unit_hostname="GBWDC142AD011NHA.systems.uk.fed"
support_id="5949818439961942897"
vs_name="/f5-tenant-01/DARWIN-GBM-UK-UAT/v-darwin-uat.systems.uk.fed-44"
policy_name="/Common/waf-fed-transparent"
dest_ip="10.146.97.3"
dest_port="443"
violations="HTTP protocol compliance failed"
sub_violations="HTTP protocol compliance failed:Body in GET or HEAD requests"
violation_rating="3"
attack_type="HTTP Parser Attack"
severity="Error"
####### HTTP REQUEST BEGIN #######
"GET /ICMClient/icm/action/actions.json HTTP/1.1
Host: rwin-uat.systems.uk.fed
Connection: keep-alive
sec-ch-ua-platform: ""Windows""
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
sec-ch-ua: ""Microsoft Edge"";v=""131"", ""Chromium"";v=""131"", ""Not_A Brand"";v=""24""
DNT: 1
Content-Type: application/x-www-form-urlencoded
sec-ch-ua-mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://darwin-uat.systems.uk.fed/navigator/?desktop=icmUat&feature=Cases&tos=UKUAT_CMTOS2&solution=DWN
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: adUsername=DNc5oBu9KkG0Z9WbdY0YMA; AMToken=W8s9fXK-BZFJwOfUKvHnc1QOiwE.*AAJTSQACMDIAAlNLABxzTGUweUUvUzRRRjZFdDl3Nk8rTlBxbkM4K2s9AAR0eXBlAANDVFMAAlMxAAIwMQ..*; amlbcookie=01; LtpaToken2=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; JSESSIONID=0000k4OMOHFe-x8tp-F0TmQxoBN:1dmii9ro4; TS01492bb9=0111266d7745aebde115d8e1c57860aa8fb4d2d0645896fc5a6ed9865e53e7eed30bd3d6f3092e028ebe7f89753f63d3e54b8d8646
"
####### HTTP REQUEST END #######
####### HTTP RESPONSE BEGIN #######
"Response logging disabled"
####### HTTP RESPONSE END #######
response_is_truncated=""
ip_client="10.227.31.83"
x_forwarded_for_header_value="N/A"
method="GET"
uri="/ICMClient/icm/action/actions.json"
microservice="N/A"
query_string="N/A"
response_code="200"
sig_cves="N/A"
sig_ids="N/A"
sig_names={N/A}
sig_set_names="N/A"
staged_sig_cves="N/A"
staged_sig_ids="N/A"
staged_sig_names="N/A"
staged_sig_set_names="N/A"
violation_details="<?xml version='1.0' encoding='UTF-8'?> <BAD_MSG> <violation_masks> <block>0-0-0-0</block> <alarm>2400500004500-106200000003e-0-0</alarm> <learn>0-0-0-0</learn> <staging>0-0-0-0</staging> </violation_masks> <request-violations> <violation> <viol_index>14</viol_index> <viol_name>VIOL_HTTP_PROTOCOL</viol_name> <http_sanity_checks_status>64</http_sanity_checks_status> <http_sub_violation_status>64</http_sub_violation_status> <http_sub_violation>Q29udGVudC1UeXBlIGhlYWRlciBpbiBHRVQgcmVxdWVzdA==</http_sub_violation> </violation> </request-violations> </BAD_MSG>"
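
One way to produce the per-session count asked for above, as an added example that is not part of the original post: it keeps events whose severity is Error or Critical, pulls JSESSIONID out of the logged Cookie header, and decodes the base64 http_sub_violation value. The events and session IDs are constructed, and the function names are hypothetical.

```python
import base64
import re
from collections import Counter

SEVERITY_RE = re.compile(r'\bseverity="([^"]*)"')
# Cookie value runs until the next ';', whitespace, or the closing quote.
JSESSIONID_RE = re.compile(r'\bJSESSIONID=([^;\s"]+)')
SUB_VIOLATION_RE = re.compile(
    r"<http_sub_violation>([A-Za-z0-9+/=]+)</http_sub_violation>")

# The http_sub_violation value from the sample event in the post.
B64 = "Q29udGVudC1UeXBlIGhlYWRlciBpbiBHRVQgcmVxdWVzdA=="

def make_event(severity, cookie):
    """Build a constructed event, cut down to the fields used below."""
    return (f'violation_rating="3" severity="{severity}" '
            f'"GET /x HTTP/1.1 Host: h Cookie: {cookie} " '
            f'violation_details="<http_sub_violation>{B64}'
            f'</http_sub_violation>"')

# Constructed sample input; the session IDs are made up.
SAMPLE_EVENTS = [
    make_event("Error", "amlbcookie=01; JSESSIONID=0000aaaa:node1; TS01=ff"),
    make_event("Critical", "JSESSIONID=0000aaaa:node1"),
    make_event("Error", "JSESSIONID=0000bbbb:node2; amlbcookie=01"),
    make_event("Informational", "JSESSIONID=0000aaaa:node1"),  # filtered out
    make_event("Error", "amlbcookie=01"),                      # no session cookie
]

def count_by_session(events, severities=("Error", "Critical")):
    """Count events per JSESSIONID, keeping only the given severities."""
    counts = Counter()
    for event in events:
        sev = SEVERITY_RE.search(event)
        if sev is None or sev.group(1) not in severities:
            continue
        sid = JSESSIONID_RE.search(event)
        # Requests without the cookie are counted separately, not dropped.
        counts[sid.group(1) if sid else "(no JSESSIONID)"] += 1
    return counts

def decode_sub_violations(event):
    """Decode every base64 http_sub_violation element in one event."""
    return [base64.b64decode(v).decode("utf-8", "replace")
            for v in SUB_VIOLATION_RE.findall(event)]

if __name__ == "__main__":
    for session, n in count_by_session(SAMPLE_EVENTS).most_common():
        print(f"{session}\t{n}")
    print(decode_sub_violations(SAMPLE_EVENTS[0]))
```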