Forum Discussion

beefy80's avatar
beefy80
Icon for Nimbostratus rankNimbostratus
Jun 17, 2016

ASM Flagging JSON Payload Base 64 encoded data as a violation

Hello

 

I have some policies that are accepting encrypted data which has then been encoded with Base64 and sent in a JSON document. However sometimes however this data gets rejected as an attack signature has been triggered. I would really like to leave Attack signature checking on the JSON profile but would like to find a way of filtering out just these signatures that get triggered without blocking legitimate traffic. Currently the URL is in Staging which is allowing them through but I should really enforce this at some point and at that time these violations will get blocked.

 

Has anyone got any suggestions on how I could achieve this. I have been looking at iRules that would unblock a request if a certain criteria is met.

 

James

 

  • looks like bug to me - please raise an issue with F5 support (support@)

     

  • Chris, I am seeing Violations in a base64 payload. An example of this was that we had 'sysibm' appear as a string within the base64 data. There have been some more attack signatures being triggered but I cannot find any examples of these at this time. I have only learnt the sysibm one but the others have deleted from the suggestion and not learnt. I would guess that I am going to hit this issue with attack signatures that are looking for specific words like the example above.

     

    Ideally I don't want to disable the filters rather unblock the request if it matches criteria. This asm is being used for a real-time rest service so once the URL is enforced I need to minimize the chance of a false positive on attack signatures.

     

    • beefy80's avatar
      beefy80
      Icon for Nimbostratus rankNimbostratus

      magnus78, I never found a solution for this and still currently disable filters as needed.

       

    • Did you find a solution for this? I got false positive in base64 encoded XML data in SOAP POSTs.