QRadar XDR

  • 1.  Problem in the parse with WAF payloads

    Posted 7 days ago
    Hello,

    I have a problem with parsing a payload from an F5 WAF.

    I have a DLC implemented. My problem is that I send the data to the DLC over TCP, but when I check it at the DLC level with tcpdump and Wireshark, the payloads are always cut at the same size, 2093 bytes.

    This doesn't make sense to me because in the QRadar configuration I have a bigger size for TCP connections.

    Does anyone know about this, or can anyone give me some advice on my case?

    Thanks

    ------------------------------
    cristian librero
    ------------------------------


  • 2.  RE: Problem in the parse with WAF payloads

    Posted 7 days ago

    Try this:

    "System Settings" -> "Advanced" -> increase the "Max TCP Syslog Payload Length" to 32,000 bytes.
    The default is 4,096, which seems to be truncating your log.

    ------------------------------
    Ditmar Tavares
    ------------------------------



  • 3.  RE: Problem in the parse with WAF payloads

    Posted 2 days ago
    Hi community,

    The problem was caused by the F5 WAF: I had left the maximum data input at the default value, and it was too small. The payloads were too large and so were cut off.

    Thanks.

    ------------------------------
    cristian librero
    ------------------------------
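The symptom in this thread (every oversized event arriving cut at exactly the same length) is the fingerprint of a size cap somewhere in the path: the sender's maximum message size, the collector's TCP syslog payload limit, or a hop in between. The check below is an added example, not code from the thread's posters or from IBM or F5. It assumes a comma-separated key=value event format and uses constructed sample events; the 2093-byte figure comes from the first post, not from a measurement.

```python
"""Heuristic check for a transport-level size cap on received syslog events."""
from collections import Counter

# Length at which the first post saw every large event cut off.
CAP = 2093

def make_event(n_fields: int) -> str:
    """Build a constructed key=value event (assumed format, not F5's real one)."""
    body = ",".join(f"field{i}=value{i}" for i in range(n_fields))
    return f"ASM:{body},unit_hostname=waf01,policy_name=demo"

# Constructed sample: three complete events and two cut off in flight at CAP.
SAMPLE_EVENTS = [
    make_event(5),
    make_event(8),
    make_event(300)[:CAP],   # truncated: the suffix fields never arrive
    make_event(400)[:CAP],   # truncated at the same length
    make_event(6),
]

def looks_truncated(event: str) -> bool:
    """A complete event ends on a whole key=value pair, so a line whose last
    comma-separated field has no '=' stopped mid-pair and is suspect."""
    last = event.rsplit(",", 1)[-1]
    return "=" not in last

def find_size_cap(events, min_hits: int = 2):
    """Return the byte length shared by at least `min_hits` suspect events,
    or None. Many truncated events of exactly the same length point to a cap
    (sender max message size, collector TCP payload limit, or similar),
    whereas random lengths point to an application-side formatting problem."""
    lengths = Counter(len(e.encode()) for e in events if looks_truncated(e))
    if not lengths:
        return None
    length, hits = lengths.most_common(1)[0]
    return length if hits >= min_hits else None

if __name__ == "__main__":
    cap = find_size_cap(SAMPLE_EVENTS)
    print("suspected size cap:", cap)   # prints 2093 for the sample above
```

Feed it the payloads extracted from a capture at the DLC; if the reported cap matches a configured limit on the sender or collector, that limit is the one to raise.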