Forum Discussion
Handle False Positive for files upload
Hi folks,
I'm wondering how to handle uploading files through XC. For example, I have a URL used for uploading files to a web application, say /upload.
The files appear to be scanned by XC which detects and triggers many attack signatures. According to my tests they are all false positives. A concrete example of triggered signature:
The habit I had on ASM was to disable problematic signatures on this type of URL.
Is there a more relevant way to handle these cases on XC?
Many thanks.
- Stephen_Archer (Employee)
Hi AlsDevC.
If you look at the Security Events in the Security Dashboard and find the event that you believe to be false-positive, then click the `...` in the `Actions` column: You have the option to `Create WAF Exclusion rule`. This will take you to the `WAF Exclusion Rules` section of the Load-Balancer configuration, and pre-populate the configuration for you, to disable the signature on the specific URL.
Hope that helps.
- AlsDevC (Altocumulus)
Stephen,
Thanks for your quick feedback. Maybe I'm expressing myself badly. I know how to put an exception but I was hoping for another method than putting an exception for each matched signature.
BR.
- Sudhir_Patamsetti (Employee)
Can you share the "state" of those signatures, for that security event? You should find that in the information section. Ideally, these signatures should be "autosuppressed" by the "automatic attack signatures tuning" capability.
- AlsDevC (Altocumulus)
I disabled "automatic attack signatures tuning" because we noticed that it lowered the level of protection against SQL Injection type attacks.
Am I to understand that this is not a good practice and that it is advisable to leave it enabled to limit the number of false positives?
- Sudhir_Patamsetti (Employee)
Yes, the recommendation is to leave it "enabled" (the feature is enabled in the default policy).
Regarding the comment "lowered the level of protection against SQL Injection type attacks", could you please open a support ticket with the details? We will review and make improvements as needed to the model.
- AlsDevC (Altocumulus)
Hi Sudhir, I re-enabled the option and my file upload works correctly. I see the request is triggered by WAF but signatures are in Autosuppressed state. It answers my initial question, thanks.
I'll open a case for SQL Injections that are passing when I activate the feature.
Thanks all.