daboochmeister
Aug 30, 2018

ASM - Understanding why "Attack Signature Detected" did not block the access

Env: LTM 11.5.2; Context: Web application

 

We have an ASM security policy configured and applied to a VIP; the policy is in blocking mode, not transparent; all signatures have "Enforced" = "Yes". Policy Building is off for the policy.

 

Under those circumstances, if the WAF detects an attack signature, why would it not block the request? See attached picture - in our Event Log, we have many, many accesses that were allowed, but for which it noted an attack signature detected, and offers to learn it. I thought by explicitly enabling the signatures, and not being in policy building mode, it would be enforced -- no?

 

What steps can we take to ensure that all signatures are enforced in a way that blocks accesses?

 

 

Thank you.

 

4 Replies

  • Does it ignore the "Block" setting if "Learn" is also yes? That seems counter-intuitive - if I say I want it blocked, I want it blocked, no ifs/ands/buts. ??

     

  • Hmm ... I may have figured it out. Our screen at "Security ›› Application Security : Attack Signatures : Attack Signatures Configuration" appears as follows:

     

     

    Does that mean that all the signatures not in those two assigned signature sets will not be enforced? And to enforce them immediately (e.g. for the SQL injection set), I move the set to the list and make sure "Block" is checked? I don't want to turn off signature staging (because it would affect new signatures from updates, I would think - for which I DO want a staging interval) - once I've tested, how do I immediately move the newly added signatures from staging to "active"?

     

    thx

     

  • Could you check the following?

     

    • Go to Application Security : Attack Signatures : Attack Signatures List

    Make sure that the "Block" and "Enabled" flags of the signatures are set to "Yes".

     

    • Go to Application Security : Policy Building : Enforcement Readiness

    Make sure all signatures are enforced.