Forum Discussion
CirrusASM flagging legitimate traffic as "most likely a threat"
According to F5 support, the problem was that ASM was trying to parse the attachment being uploaded. This is the job of anti-virus, not ASM. The solution was to create an allowed URL exception in the policy for this type of content.
This instructs ASM to not inspect the BODY of the request:
- Browse to: Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs
- make sure to 'select' the correct policy
- click 'Create' (for New Allowed URL)
- change view to 'Advanced'.
- Specify the URL (Explicit, [HTTPS] /rest/internal/2/AttachTemporaryFile)
- uncheck staging
- click on 'Header-Based Content Profile':
Request Header Name: Content-Type
Request Header Value: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Request body handling: Do nothing
click 'Add'.
move it up the list
- click 'Create'.
- Apply Policy
EmployeeAre you able to discern which violation resulted in the blocking event? Check if your attack signatures are in staging--if they are, staged signatures can be ruled out in terms of causing the block.
CirrusMaybe that's what I don't know how to do. Every other block I've dealt with up until now has been just one violation type, and only one occurrence of it. In this case, I have the three violation types and hundreds of occurrences in the same event. I have no idea how to proceed from there. Sorry to sound like its my first day...
