IBM QRadar

  • 1.  Problem in the parse with WAF payloads

    Posted Fri January 14, 2022 08:31 AM
    Hello,

    I have a problem with parsing a payload from an F5 WAF.

    I have a DLC implemented. My problem is that I send the data to the DLC over the TCP protocol, but when I check it at the DLC level, with a tcpdump and with Wireshark, the messages are always cut at the same size, 2093 bytes.

    This doesn't make sense to me, because in the QRadar configuration I have a bigger size for TCP connections.

    Does someone know about this, or can someone give me some advice on my case?

    Thanks

    ------------------------------
    cristian librero
    ------------------------------


  • 2.  RE: Problem in the parse with WAF payloads

    Posted Fri January 14, 2022 08:53 AM

    Try this:

    "System Settings" -> "Advanced" -> increase the "Max TCP Syslog Payload Length" to 32,000 bytes.
    The default is 4,096, which seems to be truncating your log.

    ------------------------------
    Ditmar Tavares
    ------------------------------



  • 3.  RE: Problem in the parse with WAF payloads

    Posted Fri January 28, 2022 03:07 PM
    Thanks. It is very helpful.

    ------------------------------
    webaffiliatevn.com
    ------------------------------



  • 4.  RE: Problem in the parse with WAF payloads

    Posted Wed January 19, 2022 01:01 PM
    Hi community,

    The problem was caused by the F5 WAF: I had the maximum data input assigned to the default value, and it was too small. The payloads were too large and so were cut off.

    Thanks.

    ------------------------------
    cristian librero
    ------------------------------
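The symptom in this thread (every oversized message cut at exactly the same byte count, first suspected on the QRadar "Max TCP Syslog Payload Length" setting, then traced to the F5 sender-side limit) is easy to confirm from a capture before touching either configuration. The script below is an added example, not part of this thread or of any IBM or F5 tooling. It splits a raw TCP syslog byte stream (both RFC 6587 framings: octet-counting and newline-terminated), then flags two signatures of a fixed-size cut: several messages sharing the same maximum length, and structured payloads left with unbalanced quotes or braces. The WAF events, the 2093-byte cutoff and the host name `f5waf` are constructed sample data, not real logs.

```python
"""Diagnose fixed-size truncation in a captured TCP syslog stream (added example)."""
import json
import re
from collections import Counter

# QRadar default mentioned in the thread, for reference only (bytes).
MAX_TCP_SYSLOG_PAYLOAD_DEFAULT = 4096


def split_syslog_stream(data: bytes):
    """Split a raw TCP byte stream into syslog messages.

    Handles RFC 6587 octet-counting ("<len> <msg>") and non-transparent
    (newline-terminated) framing. Returns (message_bytes, declared_length)
    pairs; declared_length is None for newline-framed messages.
    """
    out, pos = [], 0
    while pos < len(data):
        m = re.match(rb"(\d+) ", data[pos:])
        if m:  # octet-counting: the sender tells us how long the message should be
            declared = int(m.group(1))
            start = pos + m.end()
            out.append((data[start:start + declared], declared))
            pos = start + declared
        else:  # non-transparent framing: read up to the next newline
            end = data.find(b"\n", pos)
            end = len(data) if end == -1 else end
            out.append((data[pos:end], None))
            pos = end + 1
    return out


def size_ceiling(messages, min_hits=2):
    """Return (length, count) when >= min_hits messages share the maximum
    length; a hard ceiling like this is the fingerprint of a fixed-size cut."""
    if not messages:
        return None
    lengths = Counter(len(m) for m in messages)
    longest = max(lengths)
    return (longest, lengths[longest]) if lengths[longest] >= min_hits else None


def looks_cut_off(msg: bytes) -> bool:
    """Heuristic for structured (JSON / key="value") payloads: a truncated
    message usually has an odd number of double quotes or unclosed brackets."""
    text = msg.decode("utf-8", errors="replace")
    if text.count('"') % 2:
        return True
    return any(text.count(o) > text.count(c) for o, c in ("{}", "[]"))


def diagnose(data: bytes) -> dict:
    """Summarise truncation evidence for one captured stream."""
    framed = split_syslog_stream(data)
    msgs = [m for m, _ in framed]
    return {
        "messages": len(msgs),
        "ceiling": size_ceiling(msgs),
        # octet-counting only: declared length larger than what actually arrived
        "declared_len_mismatch": sum(1 for m, d in framed if d is not None and len(m) != d),
        "cut_off": sum(1 for m in msgs if looks_cut_off(m)),
    }


# --- constructed sample data (hypothetical WAF events, not real F5 output) ---
def make_waf_event(request_uri: str) -> bytes:
    header = b"<134>Jan 14 08:31:00 f5waf ASM:"
    body = json.dumps({"policy": "demo_policy", "method": "GET", "uri": request_uri,
                       "violations": ["xss"], "action": "blocked"})
    return header + body.encode()


CUT = 2093  # the cutoff observed in the thread, applied here to constructed events
intact = make_waf_event("/login")
long_event = make_waf_event("/search?q=" + "A" * 3000)
truncated = long_event[:CUT]

# Newline-framed stream as a collector would see it: one short event, two cut ones.
SAMPLE_STREAM = b"\n".join([intact, truncated, truncated]) + b"\n"
# Octet-counted stream: the declared length exposes the cut directly.
OCTET_STREAM = (f"{len(intact)} ".encode() + intact
                + f"{len(long_event)} ".encode() + truncated)

if __name__ == "__main__":
    print(diagnose(SAMPLE_STREAM))
    print(diagnose(OCTET_STREAM))
```

Feed it the reassembled TCP payload exported from Wireshark (Follow TCP Stream, raw) instead of the constructed samples. A ceiling well below the collector's configured maximum, as in this thread, points at the sender; a ceiling at exactly the configured value points at the receiver. Note that with newline framing a cut that also drops the terminator makes the next event run into the truncated one, so the "cut_off" count can exceed the "ceiling" count on real captures.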