dragonflymr
Jul 02, 2018

ASM Attack signatures on URL/parameter

Hi,

I am trying to figure out violation logging when both a URL and a parameter are involved. Tested on 13.1.0.8.

Request:

  • Post to URL: /post1
  • Parameter in form (request body): parameter1
  • Policy in Transparent
  • Parameters on URL level
  • Encoded XSS string in parameter1

Depending on the staging setting, the results are as follows:

  • URL staging: Disabled
  • Parameter staging: Enabled
  • Request reported in Event log:
    • Status: Legal
    • Violation rating: 4
    • Violations detected: Illegal meta character in value, Attack signature detected

And the second setting:

  • URL staging: Enabled
  • Parameter staging: Disabled
  • Request reported in Event log:
    • Status: Illegal
    • Violation rating: 4
    • Violations detected: Illegal meta character in value, Attack signature detected

The above suggests that violation detection is only performed on parameters.

Still, it is a bit misleading that for the first staging setup the violation is detected in exactly the same way as for the second, but the request is reported as Legal.

Now the Attack signature settings are changed (both URL and parameter with staging disabled):

  • Check attack signatures on this URL: Disabled
  • Check attack signatures on this parameter: Enabled
  • Request reported in Event log:
    • Status: Illegal
    • Violation detected: Illegal meta character in value

And the second setting:

  • Check attack signatures on this URL: Enabled
  • Check attack signatures on this parameter: Disabled
  • Request reported in Event log:
    • Status: Illegal
    • Violation detected: Illegal meta character in value

From the previous test it looked like only parameter signatures cause the request to be reported as Illegal, but from the above it seems that Attack signatures have to be checked on both URL and parameter to trigger Attack signature detected.

Results are quite confusing here.

I would expect results like this:

  • No matter if staging is disabled, both requests should be listed as Illegal
  • If only parameter Attack signatures are causing the request to be Illegal, then disabling Attack signatures on the URL should still trigger the Attack signatures violation.

How should an Event Log entry for a request with:

  • Status: Legal
  • Violation rating: 4

be interpreted in comparison to one where the status is Illegal?

Piotr

 
