

beefy80
Jun 17, 2016

ASM Flagging JSON Payload Base 64 encoded data as a violation

Hello

I have some policies that are accepting encrypted data which has then been encoded with Base64 and sent in a JSON document. However, sometimes this data gets rejected because an attack signature has been triggered. I would really like to leave attack signature checking on in the JSON profile but would like to find a way of filtering out just these signatures that get triggered, without blocking legitimate traffic. Currently the URL is in Staging, which is allowing them through, but I should really enforce this at some point, and at that time these violations will get blocked.

Has anyone got any suggestions on how I could achieve this? I have been looking at iRules that would unblock a request if certain criteria are met.

James

 

6 Replies

  • Chris, I am seeing violations in a base64 payload. An example of this was that we had 'sysibm' appear as a string within the base64 data. There have been some more attack signatures being triggered but I cannot find any examples of these at this time. I have only learnt the sysibm one, but the others have been deleted from the suggestions and not learnt. I would guess that I am going to hit this issue with attack signatures that are looking for specific words like the example above.

    Ideally I don't want to disable the filters but rather unblock the request if it matches criteria. This ASM is being used for a real-time REST service, so once the URL is enforced I need to minimize the chance of a false positive on attack signatures.

     

    • Did you find a solution for this? I got false positives in base64-encoded XML data in SOAP POSTs.

       

    • beefy80

      magnus78, I never found a solution for this and still currently disable filters as needed.

       

  • Looks like a bug to me - please raise an issue with F5 support (support@)
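
The false positive discussed in this thread, as an added example (not code from the thread or from F5): a Python triage helper that reports whether a keyword hit in a JSON body falls inside a base64-looking value, plus an estimate of how often a keyword shows up by chance in the base64 of random (encrypted) bytes. The sample body, its field names and the case-insensitive substring match are assumptions; only 'sysibm' comes from the thread.

```python
import base64, binascii, json, re

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def is_base64_blob(value, min_len=8):
    """True if value is a well-formed standard base64 string (heuristic)."""
    if len(value) < min_len or len(value) % 4 or not B64_RE.fullmatch(value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def string_leaves(node, path="$"):
    """Yield (json_path, value) for every string in a parsed JSON document."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from string_leaves(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from string_leaves(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def triage(body, keywords):
    """List (path, keyword, context) for each case-insensitive keyword hit."""
    hits = []
    for path, value in string_leaves(json.loads(body)):
        context = "base64-blob" if is_base64_blob(value) else "plain-text"
        hits += [(path, kw, context) for kw in keywords if kw.lower() in value.lower()]
    return hits

def expected_chance_hits(keyword, payload_bytes):
    """Expected chance matches of an all-letter keyword in base64 of random bytes.
    Assumes uniform symbols and case-insensitive matching: 2 of 64 symbols per letter."""
    positions = max(4 * ((payload_bytes + 2) // 3) - len(keyword) + 1, 0)
    return positions * (2 / 64) ** len(keyword)

# Constructed sample body; field names are hypothetical.
SAMPLE = '{"user": "james", "comment": "sysibm catalog lookup", "data": "k3sysibmZv8Q"}'

if __name__ == "__main__":
    for hit in triage(SAMPLE, ["sysibm"]):
        print(hit)
    print(f"{expected_chance_hits('sysibm', 3000):.2e} expected chance hits per 3000-byte payload")
```

The per-request chance for one six-letter keyword is small, but it scales with payload size, request volume and the number of word-based signatures, which is why a real-time service sees it eventually.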