Forum Discussion
ASM flagging legitimate traffic as "most likely a threat"
- Jan 14, 2021
According to F5 support, the problem was that ASM was trying to parse the attachment being uploaded. This is the job of anti-virus, not ASM. The solution was to create an allowed URL exception in the policy for this type of content.
This instructs ASM to not inspect the BODY of the request:
- Browse to: Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs
- make sure to 'select' the correct policy
- click 'Create' (for New Allowed URL)
- change view to 'Advanced'.
- Specify the URL (Explicit, [HTTPS] /rest/internal/2/AttachTemporaryFile)
- uncheck staging
- click on 'Header-Based Content Profile' and add an entry:
  - Request Header Name: Content-Type
  - Request Header Value: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
  - Request body handling: Do nothing
  - click 'Add'
  - move it up the list
- click 'Create'.
- Apply Policy
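The decision ASM makes for this Allowed URL, as an added Python model (not F5 code and not from the thread): it shows why the new profile has to sit above the catch-all entry, and why the exception is worth keeping to one explicit URL, because the Content-Type value that selects 'Do nothing' comes from the client. The catch-all "*"/"*" entry, its handling name and the exact-match semantics are assumptions.

```python
# Added illustration of the Allowed URL + Header-Based Content Profile logic
# described above. Not F5 code: a simplified model of how ASM picks the body
# handling for a request. Wildcards are reduced to a bare "*"; real ASM
# supports richer patterns and more handling modes than modelled here.
from dataclasses import dataclass, field


@dataclass
class HeaderProfile:
    header_name: str    # request header to test, e.g. "Content-Type"
    header_value: str   # value it must carry, or "*" for any
    body_handling: str  # e.g. "do-nothing" or "apply-value-and-content-signatures"


@dataclass
class AllowedUrl:
    path: str                 # explicit URL, matched exactly
    protocol: str             # "https" or "http"
    profiles: list = field(default_factory=list)  # checked top to bottom, first match wins


# Default catch-all profile every Allowed URL carries (assumption: modelled after
# the "* / *" entry shown in the GUI).
CATCH_ALL = HeaderProfile("*", "*", "apply-value-and-content-signatures")
XLSX = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"


def body_handling(url, scheme, path, headers):
    """Return the body handling ASM would apply to this request."""
    if scheme != url.protocol or path != url.path:
        return "not-matched"  # some other Allowed URL (or the '*' wildcard) decides
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for p in url.profiles + [CATCH_ALL]:
        if p.header_name == "*":
            return p.body_handling
        value = lowered.get(p.header_name.lower())
        if value is not None and (p.header_value == "*" or value == p.header_value):
            return p.body_handling
    return CATCH_ALL.body_handling


# The exception built in the thread: do-nothing sits above the catch-all.
ATTACH = AllowedUrl("/rest/internal/2/AttachTemporaryFile", "https",
                    [HeaderProfile("Content-Type", XLSX, "do-nothing")])
# The same exception left below the catch-all (the "move it up the list" step skipped):
# the catch-all matches first, so the upload is still inspected and still blocked.
ATTACH_WRONG_ORDER = AllowedUrl("/rest/internal/2/AttachTemporaryFile", "https",
                                [CATCH_ALL, HeaderProfile("Content-Type", XLSX, "do-nothing")])
```

Any request to that one URL carrying the spreadsheet Content-Type skips body inspection, while the same header on any other URL, or over plain HTTP, changes nothing.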
OK, let's back up for a second. Are there any entries on the Traffic Learning page? If not, it's because the "Learn" checkbox is not selected (for each violation) on the Learning and Blocking Settings page. Try clearing the request log and recreating the event which caused the block. Most likely, the event that is causing it is a false positive violation: legit traffic that is getting blocked. It's unlikely that 144 evasion techniques and 161 instances of character conversion failures are real attacks all coming from the same request.
The three violation types you show don't immediately seem related to file upload, so let's focus on those first. Worst case, you can uncheck the "block" checkbox for each one (Security >> Application Security : Policy Building : Learning and Blocking Settings) which will allow traffic to pass until you nail down the cause.
- Scott123456789, Jan 13, 2021
Cirrus
There are two entries in the Traffic Learning page but they are not the same violation (they are both SQL injection violations). I do have Learn checked for all the ones I have Block checked, so I just must not have checked the learning when the users did this in the past.
I went ahead and turned the blocking off for those three violation types and asked the user to recreate the situation. I'll let you know how that goes.
- Scott123456789, Jan 13, 2021
Cirrus
I went into the policy learning and blocking settings, opened the blocking settings to the right of "Policy Building Settings", unchecked the block box for the three violation types. I left Learn and Alarm checked next to the three violation types. Saved the settings, saved the policy, applied the policy. User still gets blocked and nothing shows up under learning.