Forum Discussion

erol_dogan_1164's avatar
erol_dogan_1164
Icon for Nimbostratus rankNimbostratus
Nov 10, 2013

ASM detecting but not blocking the attack

Hello all,

 

I am using ASM and a Apache Tomcat based web application behind it. I am testing negative security accuracy of the ASM and realized that it is not blocking the attacks even it detects that the request is violating the attack signature.

 

The security policy is configured in blocking and manual mode. The signature staging is disabled with all available signatures included to the policy.

 

The issue is once the attack (for example SQL injection) is launched ASM is detecting that the request matches the attack signature and showing it on the Manual Traffic Learning -> Attack signatures detected page. When you go one step further and check the details of the incidents listed under this page you see that ASM is considering the request as legal!

 

No logs are available under Event Logs tab.

 

It will be highly appreciated if anyone explains this behaviour. Is it expected or sth like a bug?

 

  • Hey Guys, I'm currently dealing with the same behaviour. I'm running 11.4 and staging is disabled. I am trying to lock down an ASM policy so that only certain URLs are made public. I do see the URLs being registered as illegal in event logging, but we are still able to access them through the device. This is happening in my manual, and automatic policies. In the uatomatic policy, I see that access to these URLs ends up in the "violations on URLs" category. Since illegal URL isn't really a signature, I should be able to simply block this by adding it to the disallowed URL category, right?

     

  • Hello Math,

     

    I noticed that it is the case exactly what you advise. Thank you :)

     

    When I checked the parameter (actually it is wildcard) referring the attack, it was by default in staging mode. When I disabled the staging, system started to block the violations.

     

    Regards

     

    Erol

     

    • Ahmad_Faiz_1405's avatar
      Ahmad_Faiz_1405
      Icon for Nimbostratus rankNimbostratus
      Hi Erol, Same environment happened to me which all testing made for SQL Injection will go learned under Manual Traffic Learning -> Attack signatures detected page and not appeared in Event Logs. Tried to disable a staging mode on wildcard parameter but still no luck. Beside that, I also include and enable all SQL Injection signature to Security ›› Application Security : Parameters : Parameters List ›› Parameter Properties ›› Attack Signatures. Any way you can advice is there any additional setting need to be made to start blocking the violations and appear in event logs. Looking forward to hear from you on how you solve this issues :) Rgds, Faiz
  • Hi,

     

    You need to check all entities referring this attack. If you try an SQL injection on a parameter, you need to check "this" parameter or the wildcard. Staging (tightening as well on < 11.3) mode must be disabled.

     

    If ASM sees the attack, that means signature works. Check where attacks occurs (parameter ...) and you will block it. I used to seeing this behavior when global staging is not finished --> mainly on parameters.

     

    Let us know. Matt