Message Image

Skip main navigation (Press Enter).

QRadar XDR

View Only

Expand all | Collapse all

Problem in the parse with WAF payloads

cristian librero7 days ago

Hello, I have a problem with parsing a payload from a WAF F5. I have a DLC implemented, my problem...

Ditmar Tavares7 days ago

try "System Settings" -> "Advanced" ->, increase the "Max TCP Syslog Payload Length" to 32...

cristian librero2 days ago

Hi community, The problem was because of the WAF F5, I assigned the maximum data input for the def...

1. Problem in the parse with WAF payloads

0 Recommend
cristian librero
Posted 7 days ago

Reply Reply Privately
Hello,

I have a problem with parsing a payload from a WAF F5.

I have a DLC implemented, my problem is that I send the data to the DLC by TCP protocol, but when I check it at DLC level, with a tcpdump and with wireshark, these are always cut at the same size 2093 bytes.

This doesn't make sense to me because in the Qradar configuration I have a bigger size for TCP connections.

Please someone knows about this or can give me some advice on my case.

Thanks

------------------------------
cristian librero
------------------------------
2. RE: Problem in the parse with WAF payloads

0 Recommend
Ditmar Tavares
Posted 7 days ago

Reply Reply Privately
try

"System Settings" -> "Advanced" ->, increase the "Max TCP Syslog Payload Length" to 32,000 bytes.
default is 4,096, which seems like is truncating your log.

------------------------------
Ditmar Tavares
------------------------------

Original Message
3. RE: Problem in the parse with WAF payloads

0 Recommend
cristian librero
Posted 2 days ago

Reply Reply Privately
Hi community,

The problem was because of the WAF F5, I assigned the maximum data input for the default value and it was too small. The payloads were too large and so were cut off.

Thanks.

------------------------------
cristian librero
------------------------------

Original Message

Powered by Higher Logic