Forum Discussion
Piotr_Lewandows
Altostratus
AltostratusASM Attack signatures on URL/parameter
Hi,
I am trying to figure out violation logging when both URL and parameter is involved. Tested on 13.1.0.8
Request:
Post to URL: /post1 Parameter in form (request body): parameter1 ...
nathe
Cirrocumulus
CirrocumulusPiotr,
A violation on an object that is in Staging has always been classed as Legal...perhaps not an intuitive way of doing things, but been the ASM way and something I've had to remember over the years. Essentially Staging is monitoring the object for its properties so, I suppose, ASM can't judge whether (in your case) the metacharacter is required, or in the case of a file type the query length it sees is correct, so its classed by default as Legal.
So, your initial two tests are as I would expect. And illegal meta character in value is a parameter only check, as per the Blocking Settings.
The second test is odd as there no longer appears to be an "attack signature detected" violation.
I suspect if you add the metacharacters on the parameter i.e. make them allowed, and ran the same tests the "attack signature detected" violation would occur.
Hopefully.
N