IBM QRadar

Hello,

I have a problem with parsing a payload from a WAF F5.

I have a DLC implemented, my problem is that I send the data to the DLC by TCP protocol, but when I check it at DLC level, with a tcpdump and with wireshark, these are always cut at the same size 2093 bytes.

This doesn't make sense to me because in the Qradar configuration I have a bigger size for TCP connections.

Please someone knows about this or can give me some advice on my case.

Thanks

------------------------------
cristian librero
------------------------------

try

"System Settings" -> "Advanced" ->, increase the "Max TCP Syslog Payload Length" to 32,000 bytes.
default is 4,096, which seems like is truncating your log.




------------------------------
Ditmar Tavares
------------------------------

Original Message:
Sent: Fri January 14, 2022 08:31 AM
From: cristian librero
Subject: Problem in the parse with WAF payloads

Hello,

I have a problem with parsing a payload from a WAF F5.

I have a DLC implemented, my problem is that I send the data to the DLC by TCP protocol, but when I check it at DLC level, with a tcpdump and with wireshark, these are always cut at the same size 2093 bytes.

This doesn't make sense to me because in the Qradar configuration I have a bigger size for TCP connections.

Please someone knows about this or can give me some advice on my case.

Thanks

------------------------------
cristian librero
------------------------------

Thanks. It is very helpful

------------------------------
webaffiliatevn.com
------------------------------

Original Message:
Sent: Fri January 14, 2022 08:53 AM
From: Ditmar Tavares
Subject: Problem in the parse with WAF payloads


try

"System Settings" -> "Advanced" ->, increase the "Max TCP Syslog Payload Length" to 32,000 bytes.
default is 4,096, which seems like is truncating your log.




------------------------------
Ditmar Tavares

Original Message:
Sent: Fri January 14, 2022 08:31 AM
From: cristian librero
Subject: Problem in the parse with WAF payloads

Hello,

I have a problem with parsing a payload from a WAF F5.

I have a DLC implemented, my problem is that I send the data to the DLC by TCP protocol, but when I check it at DLC level, with a tcpdump and with wireshark, these are always cut at the same size 2093 bytes.

This doesn't make sense to me because in the Qradar configuration I have a bigger size for TCP connections.

Please someone knows about this or can give me some advice on my case.

Thanks

------------------------------
cristian librero
------------------------------

Hi community,

The problem was because of the WAF F5, I assigned the maximum data input for the default value and it was too small. The payloads were too large and so were cut off.

Thanks.

------------------------------
cristian librero
------------------------------

Original Message:
Sent: Fri January 14, 2022 08:31 AM
From: cristian librero
Subject: Problem in the parse with WAF payloads

Hello,

I have a problem with parsing a payload from a WAF F5.

I have a DLC implemented, my problem is that I send the data to the DLC by TCP protocol, but when I check it at DLC level, with a tcpdump and with wireshark, these are always cut at the same size 2093 bytes.

This doesn't make sense to me because in the Qradar configuration I have a bigger size for TCP connections.

Please someone knows about this or can give me some advice on my case.

Thanks

------------------------------
cristian librero
------------------------------