Analyzing F5 OWASP rule matches

Question

I am seeing lots of requests that match the following rules:
rule_XSS_script_tag__Parameter__AllQueryArguments_Body
rule_div_tag__behavior__Parameter__AllQueryArguments_Body
rule_chmod_execution_attempt__Parameter__AllQueryArguments_Body
rule_SQL_INJ_end_quote_UNION__Parameter__AllQueryArguments_Body

How can I determine why the requests are matching?

#F5 rules for AWS WAF

jrahm · Answer

Do you have source documentation for what you're referencing? Any details will be helpful, I'll see if I can track this down for you internally.

tboemker · Answer

These rules are part of the F5 OWASP managed rule set. That's all the documentation I have.

jrahm · Answer

URL for the product? Want to make sure we're looking at the same thing. Don't have much exposure to the aws waf f5 rules.

tboemker · Answer

https://aws.amazon.com/marketplace/pp/prodview-ah3rqi2hcqzsi

jrahm · Answer

And you've setup the steps on pages 12-15 in the getting started guide: https://pages.awscloud.com/rs/112-TZM-766/images/F5_OWASP_Getting%20Started%20Guide.pdf?

I'm asking around internally, will let you know what I find.

Forum Discussion

Analyzing F5 OWASP rule matches

Recent Discussions

Problem with lets encrypt and redirect after update

Should config via cli rather than gui?

Is a Dedicated Interface, VLAN, and Self IP Required for a VIP in an F5 Configuration?

question about getting hsl data to be formatted properly in splunk

iRule for client certificate verification and inserting CN

Related Content

OWASP Resources for Security Education and Training

OWASP Tactical Access Defense Series: How BIG-IP APM Strengthens Defenses Against OWASP Top 10

Introduction to OWASP API Security Top 10 2023

OWASP Automated Threats - OAT-001 Carding

OWASP Automated Threats - OAT-005 Scalping

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS