After downgrading the firmware from 11.0 to 10.5, AppFW learning no longer works. It worked on 10.5 before the upgrade and on 11.0, but it does not work now after the downgrade to 10.5. We enabled learning on the profiles for SQL injection, but nothing was learned. However, we ran some SQL injection tests to trigger the WAF, and we can see that it triggered and has the logs.
1) Ran ps -aux | grep -i aslearn and tried killing the aslearn process; however, it made no difference.
2) aslearn.log shows the following errors:
Running in VMPE mode
errno = 275
No DB's open yet
File:/var/nslog/asl/stores.db, auto_vacuum failed errMsg:database disk image is malformed
File:/var/nslog/asl/stores.db, Failed SQL query:CREATE TABLE t1 (violation_id INTEGER NOT NULL, url TEXT NOT NULL COLLATE NOCASE, field TEXT NOT NULL COLLATE NOCASE, field_type TEXT NOT NULL COLLATE NOCASE, min_value INTEGER, max_value INTEGER, count_value INTEGER); errMsg:database disk image is malformed
database disk image is malformed
Failed to insert query:INSERT OR REPLACE INTO t1 VALUES (260,'http://','https://xyz.com','',0,0, COALESCE((SELECT count_value FROM t1 WHERE violation_id=260 AND url='http://' AND field='https://xyz.com' AND field_type = ''), 0) + 1); errMsg:database disk image is malformed
No db_info for /var/nslog/asl/moodle.db
Failed to insert query:INSERT OR REPLACE INTO t1 VALUES (261,'https://xyz.com','actions[0][drafttext]','Field',0,0, COALESCE((SELECT count_value FROM t1 WHERE violation_id=261 AND url='https://xyz.com' AND field='actions[0][drafttext]' AND field_type = 'Field'), 0) + 1); errMsg:table t1 has 10 columns but 7 values were supplied
3) Looking at these logs for the APPFW DB: table t1, which is used to store learned rules, appears to have become malformed.
Failed SQL query:CREATE TABLE t1 (violation_id INTEGER NOT NULL, url TEXT NOT NULL COLLATE NOCASE, field TEXT NOT NULL COLLATE NOCASE, field_type TEXT NOT NULL COLLATE NOCASE, min_value INTEGER, max_value INTEGER, count_value INTEGER); errMsg:database disk image is malformed
Failed to insert query:INSERT OR REPLACE INTO t1 VALUES (260,'https://xyz.com','',0,0, COALESCE((SELECT count_value FROM t1 WHERE violation_id=260 AND url='http://' AND field='https://xyz.com' AND field_type = ''), 0) + 1); errMsg:database disk image is malformed
4) Tried unbinding the policy and rebinding it; however, it made no difference.
5) Downgrading aslearn data is not supported, as the schema of a later release is incompatible with the earlier release.
This proves that the schema_version of our DB changed after the upgrade to 11.0 and cannot be downgraded to the 10.x schema_version, even after the downgrade to 10.5.
root@NS-11# sqlite3 www.db    (DB from the customer's device)
SQLite version 3.8.11.1 2015-07-29 20:00:57
Enter ".help" for usage hints.
sqlite> .header on
sqlite> .mode column
sqlite> select * from schema_version;
current_schema_version
----------------------
1.3.2
And on my LAB NS running 11.0 it is the same, 1.3.2.
root@NS-11# sqlite3 test.db
SQLite version 3.8.11.1 2015-07-29 20:00:57
Enter ".help" for usage hints.
sqlite> .mode column
sqlite> .header on
sqlite> select * from schema_version;
current_schema_version
----------------------
1.3.2
The difference is here. Looking at table t1 on 10.5 from the LAB NS:
10.5 (t1 has 7 columns here, fewer than the number of columns on 11.0).
root@Primary# sqlite3 test-sql.db
SQLite version 3.7.9 2011-11-01 00:52:41
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .header on
sqlite> .mode column
sqlite> select * from t1;
violation_id url field field_type min_value max_value count_value
11.0: a few more columns have been added to the schema (id, value_expr, value_type), for a total of 10 columns.
sqlite> select * from t1;
id violation_id url field field_type value_expr value_type min_value max_value count_value
That is why we see this error message in aslearn.log after the downgrade to 10.5: new learned data cannot be inserted into the DB, because the DB expects values for 10 columns but 10.5 tries to insert only 7 values.
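The following is an added example (not NetScaler code or anything from the original ticket) that reproduces the mismatch on constructed in-memory SQLite databases: it builds a t1 table with the 7-column 10.5 layout and one with the 10-column 11.0 layout, runs the integrity check, reads schema_version, compares the column layout, and attempts the 7-value INSERT the 10.5 aslearn issues. Column types are simplified to TEXT and the schema_version table is assumed to have the single column shown in the sqlite3 sessions above.

```python
import sqlite3

# Column layouts seen in the sqlite3 sessions: 7 columns on 10.5, 10 on 11.0.
T1_COLS_10_5 = ["violation_id", "url", "field", "field_type",
                "min_value", "max_value", "count_value"]
T1_COLS_11_0 = ["id", "violation_id", "url", "field", "field_type",
                "value_expr", "value_type", "min_value", "max_value", "count_value"]


def make_db(cols):
    """Constructed sample: in-memory aslearn-style DB with t1 in the given layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t1 (%s)" % ", ".join("%s TEXT" % c for c in cols))
    conn.execute("CREATE TABLE schema_version (current_schema_version TEXT)")
    conn.execute("INSERT INTO schema_version VALUES ('1.3.2')")
    return conn


def check_aslearn_db(conn, expected_cols):
    """Report integrity, schema_version and whether t1 matches the layout this release writes.

    schema_version alone does not reveal the problem (both releases report 1.3.2);
    the column list of t1 does.
    """
    integrity = conn.execute("PRAGMA integrity_check").fetchone()[0]
    version = conn.execute("SELECT current_schema_version FROM schema_version").fetchone()[0]
    actual_cols = [row[1] for row in conn.execute("PRAGMA table_info(t1)")]
    return {
        "integrity_ok": integrity == "ok",          # False for "disk image is malformed"
        "schema_version": version,
        "t1_columns": len(actual_cols),
        "layout_matches": actual_cols == expected_cols,
        "extra_columns": sorted(set(actual_cols) - set(expected_cols)),
    }


def try_10_5_insert(conn):
    """Attempt the 7-value INSERT a 10.5 aslearn issues; return SQLite's error text or None."""
    try:
        conn.execute("INSERT OR REPLACE INTO t1 VALUES "
                     "(261,'https://xyz.com','actions[0][drafttext]','Field',0,0,1)")
        return None
    except sqlite3.OperationalError as err:
        return str(err)   # 10-column t1: "table t1 has 10 columns but 7 values were supplied"
```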
Solution:
The only option the customer has is to delete this profile, add a new profile, and start learning all over again.