Forum Discussion

imac_105647's avatar
imac_105647
Icon for Nimbostratus rankNimbostratus
Jun 30, 2011

Activity triggering a generic buffer overflow attack signature

Hello,

 

 

we have development occurring on a web application that is protected by an ASM policy we are seeing two of the generic buffer overflow attack signatures being triggered during testing so I have two questions:

 

 

Is there any way to see what an attack signature is matching against to see why it is being triggered?

 

 

Are buffer overflows triggered by some other setting (max length of string set somewhere for example)?

 

 

Any other clues about how I can troubleshoot this would be appreciated.

 

 

Ian

 

app sec
BIG-IP Access Policy Manager (APM)
security
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jun 30, 2011
    Hi Ian,

     

     

    Never say never :)

     

     

    http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/39/aft/59905/showtab/groupforums/Default.aspx34783

     

     

    Aaron
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jun 30, 2011
    Also, in ~10.1 you can view the details of the full request info for the attack signature violation to (sometimes?) get a snippet of the matched string. But getting access to the full attack sig via MySQL should let you test this fully.

     

     

    Aaron
  • imac_105647's avatar
    imac_105647
    Icon for Nimbostratus rankNimbostratus
    Jul 07, 2011
    Hi Aaron,

     

     

    thanks for the info I will take a look at the MySQL and see what I can see. Not at 10 yet on the main systems so will wait for that improvement. Hope all is well with you and yours,

     

     

    Ian

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jul 07, 2011
    Oye... upgrade already! :) 9.4.x is going out of support and there have been *a lot* of improvements for ASM and LTM in v10. 10.2.x has been very stable and performant.

     

     

    Aaron