4.1.2. Blocked and failed requests

Displays requests for resources for the selected proxy that were blocked by Web Security Manager. HTTP headers, URL, parameters and values (if any) that were blocked in the request are highlighted in red.

Failed requests are also shown in the deny log, which makes it possible to identify broken internal and external links and broken robots that do not abide by the 404 not found message.

The total number of log entries matching the current filter criteria (if specified) is displayed as Query returned #number records. If the total number of records is larger than the Entries per page selection, use the navigation arrows to navigate back and forth through the log records. Details are expandable: click the details icon in the rightmost column to expand.

Checkbox: Mark log entry for adding to the access policy. To allow further requests based on the information in the selected log entry/entries, select them and click on the Add selected to ACL button. If adding is not possible the checkbox is inactive.

Note: parameters that are defined as regexp in web applications and global policy are not automatically updated to allow new values based on the input from the logged requests. In this case, values need to be updated manually.

Time: Date and time the request was logged.

Country: Country the requests originated from.

Host: Hostname from the original request or none if none was present.

Risk: Risk classification of the log entry. Options are:

• Critical • High • Medium • Low • None

Source IP: Source IP the request originated from. Click on IP-address to get whois information.

Class: Attack classification of the log entry. Options are:

• SQL injection • XPath injection • SSI injection • OS commanding • XSS (Cross Site Scripting) • Path traversal • Enumeration • Format string • Buffer overflow • DoS attempt • Worm probe • Access violation • Malformed request • HTML tags • Session invalid • XSRF (Cross Site Request Forgery) • Session expired • Detection evasion • Remote file inclusion • Information leak • Backend error • Broken robot • Broken int. link • Broken ext. link • Other • None • False positive • Friendly

Action: Block action taken on the request. Options are:

• Allow: The request was allowed, either because of the current mode and white list configuration or because the request was allowed according to policy. If the request was allowed by policy, the reason for the request being logged in the deny log is typically that the backend server responded with an error. Expand the request to see details.

• Block: The request was blocked by Web Security Manager.

• Block-IP: The request was blocked by Web Security Manager and the source IP was blacklisted, resulting in further requests from that source being blocked at the network level.

• Strip: The offending part of the request was stripped before allowing the request. Used for instance to remove session cookies for expired sessions.

URL Path: The URL path requested.

Method: Offending method (if any). Detail - click details to view.

Violation: Shows the general violation description as defined by Web Security Manager. See the list of violations below. Detail - click details to view.

Resp. status: If applicable, shows the response status from the backend server, like 404 not found or 200 (OK). Detail - click details to view.

Resp. time: The time from when Web Security Manager received the request and forwarded it to the backend server until the response is sent to the client from Web Security Manager. Detail - click details to view.

Referer: The referring source, internal or external, from which the request originated. Detail - click details to view.

Header: Offending header fields and values (if any). Detail - click details to view.

Query: Offending parameter names and values (if any). Detail - click details to view.

Raw: Shows the original request as sent by the client. To view it, click on the View RAW request button. Detail - click details to view.

To view all entries in the list expanded, click the Report button in the lower button bar.

Note: In order not to lock the management interface by returning huge amounts of data, a maximum of 500 log entries at a time will be displayed in the interactive log interface. Use the XML export function to download larger lists (or the complete log) for offline analysis and archival purposes.

4.1.2.1. Violations

Content violations

Path unknown: No policy rules allow the path segment of the URL, either because it does not match a positive policy rule or because it matches a negative policy rule - a signature.

Path denied: The path is explicitly denied by a URL blocking policy rule.

Query unknown: No positive policy rules match the name of the request parameter.

Query illegal: No policy rules allow the value of the request parameter, either because it does not match a positive policy rule or because it matches a negative policy rule - a signature.

Session validation failed: The request session ID is not valid, either because the session token has been tampered with or hijacked.

Form validation failed: The form submitted cannot be verified as having been issued by the web application in a response to a request from the current user session. This is an indication of a CSRF attack.

Session expired: The request session has exceeded the idle expiration threshold configured in Web Security Manager for the web application.

Malformed XML: Submitted XML request is malformed and hence cannot be parsed and validated.

Multiple or %u encoded request: The request contains elements that are encoded more than twice or it contains elements that are encoded using %u-encoding.

Authorization failed: User is not authorized to access requested resource.

Header unknown: Request header not RFC 2616 compliant.

Header illegal: Header value failed strict validation.

Header validation failed: Header value failed pragmatic validation.

Output illegal: Server response contains illegal string.
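How a check like the "Multiple or %u encoded request" violation can be implemented, as an added example that is not Web Security Manager's own code. It assumes "encoded more than twice" means that more than two percent-decoding passes are needed to reach a stable value; the function names and sample values are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: "encoded more than twice" means more than two percent-decoding
# passes are needed before the value stops changing.
MAX_DECODE_PASSES = 2
PCT_U = re.compile(r"%u[0-9a-f]{4}", re.IGNORECASE)  # non-standard %uXXXX form


def check_encoding(value):
    """Classify one request element (path, parameter name or value)."""
    passes = 0
    current = value
    while True:
        # Look for %u-encoding at every layer, so a %u sequence hidden
        # behind an encoded percent sign (%25u0041) is still caught.
        if PCT_U.search(current):
            return {"violation": True, "reason": "%u-encoding", "passes": passes}
        decoded = unquote(current)
        if decoded == current:  # fixed point: nothing left to decode
            return {"violation": False, "reason": None, "passes": passes}
        current = decoded
        passes += 1
        if passes > MAX_DECODE_PASSES:
            return {"violation": True, "reason": "encoded more than twice",
                    "passes": passes}


def scan_parameters(params):
    """Return the names of parameters whose name or value violates the rule."""
    flagged = []
    for name, value in params.items():
        if check_encoding(name)["violation"] or check_encoding(value)["violation"]:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed sample request parameters (benign values).
    sample = {
        "name": "John%20Smith",   # encoded once
        "ref": "%2541",           # encoded twice: %2541 -> %41 -> A
        "id": "%252541",          # encoded three times
        "q": "%u0041bc",          # %u-encoded "A"
        "lang": "%25u0041",       # %u sequence behind an encoded %
    }
    for key, val in sample.items():
        print(key, check_encoding(val))
    print("flagged:", scan_parameters(sample))
```

Values encoded exactly twice pass this check, matching the "more than twice" wording; a stricter policy would lower MAX_DECODE_PASSES.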

Protocol violations

Generic protocol violation: Protocol violations like missing content length or content type headers for POST requests.

HTTP Protocol version: HTTP protocol version not allowed.

Method illegal: HTTP method not allowed.

Missing hostname: Request does not specify host name.

Invalid hostname: No website proxy is configured for the requested host name.

Request line maximum length: Entire request line (URI?query) exceeds allowed maximum length.

Request path maximum length: Request path exceeds allowed maximum length.

Query string maximum length: Request query exceeds allowed maximum length.

Content type not enabled: Request content type is supported but not enabled.

Header name length: Header name exceeds allowed maximum length.

Header value length: Header value exceeds allowed maximum length.

Maximum number of headers: Header number exceeds allowed maximum.

Upload attempt: Upload attempted but upload not allowed.

Payload length exceeded: POST payload exceeds allowed maximum size.

Maximum number of upload files: Number of files to upload in a request exceeds allowed maximum.

Total upload size: Total size of upload files in request exceeds allowed maximum.

Maximum file size: Size of a single upload file exceeds allowed maximum.

Cookie version not allowed: Request cookie version not allowed.

Maximum number of cookies: Number of cookies in request exceeds allowed maximum.

Cookie name length: Name of a cookie exceeds allowed maximum length.

Value of a cookie exceeds allowed maximum length.

Maximum number of GET parameters: GET parameter number exceeds allowed maximum.

GET parameter name length: GET parameter name exceeds allowed maximum length.

GET parameter value length: GET parameter value exceeds allowed maximum length.

GET parameter combined length: Combined length of GET parameter name and value exceeds allowed maximum length.

Maximum number of POST parameters: POST parameter number exceeds allowed maximum.

POST parameter name length: POST parameter name exceeds allowed maximum length.

POST parameter value length: POST parameter value exceeds allowed maximum length.

POST parameter combined length: Combined length of POST parameter name and value exceeds allowed maximum length.

General request violation: Other generic violations.

4.1.3. Lower button bar

The lower button bar contains the following buttons.

Flush log (button): Use with caution! When clicking this button and accepting the confirm pop-up window, all log data for that proxy will be deleted!

Log report (button): Generate a printable report based on defined filter criteria (if any).

Add selected to ACL (button): Adds selected log records to access policy.