
AlsDevC
3 years ago
Solved

Handle False Positive for files upload

Hi folks, 

I'm wondering how to handle uploading files through XC. For example, I have a URL used for uploading files to a web application, say /upload.

The files appear to be scanned by XC, which detects and triggers many attack signatures. According to my tests they are all false positives. A concrete example of a triggered signature:

Signature ID 200104770
name: JSP Expression Language Expression Injection (3) (Parameter)
attack_type: ATTACK_TYPE_SERVER_SIDE_CODE_INJECTION
matching_info: Matched 62 characters on offset 1 against value: "'F${F=;_V>`chRm]8L{go4*tQ$hy8vNOb0Q3~!OzWOBG*wp?:zA>S[e=}!u1^s4_'."

The habit I had on ASM was to disable problematic signatures on this type of URL.

Is there a more relevant way to handle these cases on XC?

Many thanks.

6 Replies

  • Hi AlsDevC.

    If you look at the Security Events in the Security Dashboard and find the event that you believe to be false-positive, then click the `...` in the `Actions` column:

    You have the option to `Create WAF Exclusion rule`. This will take you to the `WAF Exclusion Rules` section of the Load-Balancer configuration, and pre-populate the configuration for you, to disable the signature on the specific URL.

    Hope that helps. 

     

  • Stephen,

    Thanks for your quick feedback. Maybe I'm expressing myself badly. I know how to put an exception but I was hoping for another method than putting an exception for each matched signature.

    BR.

     

     

    • Sudhir_Patamsetti
      Ret. Employee

      Can you share the "state" of those signatures for that security event? You should find that in the information section. Ideally, these signatures should be "autosuppressed" by the "automatic attack signatures tuning" capability.

  • I disabled "automatic attack signatures tuning" because we noticed that it lowered the level of protection against SQL Injection type attacks.
    Am I to understand that this is not a good practice and that it is advisable to leave it enabled to limit the number of false positives?

    • Sudhir_Patamsetti
      Ret. Employee

      Yes, the recommendation is to leave it "enabled" (the feature is enabled in the default policy).

      Regarding the comment "lowered the level of protection against SQL Injection type attacks", could you please open a support ticket with the details? We will review and make improvements as needed to the model.

  • Hi Sudhir, I re-enabled the option and my file upload works correctly. I see the request is triggered by the WAF, but the signatures are in the Autosuppressed state. It answers my initial question, thanks.
    I'll open a case for the SQL Injection attacks passing when I activate the feature.

    Thanks all.