Forum Discussion
ASM flagging legitimate traffic as "most likely a threat"
- Jan 14, 2021
According to F5 support, the problem was that ASM was trying to parse the attachment being uploaded. This is the job of anti-virus, not ASM. The solution was to create an allowed URL exception in the policy for this type of content.
This instructs ASM to not inspect the BODY of the request:
- Browse to: Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs
- make sure to 'select' the correct policy
- click 'Create' (for New Allowed URL)
- change view to 'Advanced'.
- Specify the URL (Explicit, [HTTPS] /rest/internal/2/AttachTemporaryFile)
- uncheck staging
- click on 'Header-Based Content Profile':
  - Request Header Name: Content-Type
  - Request Header Value: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
  - Request body handling: Do nothing
  - click 'Add'.
  - move it up the list
- click 'Create'.
- Apply Policy
Attack signatures and file types are two different things. Let's try to pinpoint the cause of the block. For the file upload into Jira, what was the violation that actually caused the blocking event? If it was "illegal file type" then you can add specific types of files, including .xlsx, .docx, and .pdf to the Allowed File Types list. That will prevent blocking.
- Scott123456789 (Cirrus), Jan 12, 2021
Thank you for the response. There are multiple violation types for a single event. The violation types are "Evasion technique detected", "Failed to convert character" and "HTTP protocol compliance failed". The attack types listed are Detection Evasion, Abuse of Functionality, Cross Site Scripting (XSS), HTTP Parser Attack and Injection Attempt.
No mention of illegal file type.