ASM Flow Order
Greetings, we have been dealing with, someone might say, an issue with our ASM. As I understand, for the solution we need to understand how the ASM hierarchy works. I have found some event order articles, but none of them provide the information we needed. We need an in-depth ASM flow chart. This requirement arises from the need of the situation below.
- BerkBurc_314320
Nimbostratus
I have been playing and testing attacks on our environment through ASM. Let's say path traversal attacks are being tested. For instance, there are three variants of the same attack category. Variants 1 and 2 are being blocked by an Attack Signature called Path Traversal Signatures. But the 3rd variant is being blocked by the Predictable Resource Location Signature (the attack itself tries to reach resources such as boot.ini). Inside the arguments of the attacks, there is not much difference, only small changes. We need to mitigate those attacks to pinpoint solutions. That is why I need to see variant 3 also trigger the Path Traversal Signature. FYI, this is just an example; the same situation happens for XSS, Command Execution or Data Exposure attacks.
The thing is, for variant 3, which triggered the resource location signature, the Evasion Detection config is also triggered (like in the ASM policy config). To sum up, the variant 3 attack triggered the resource location signature and the ASM policy "Evasion technique detected" config (multiple decoding, directory traversals etc.). The other two variants also triggered those configs in addition to the "correct attack signature".
The question in our minds is why variant 3 triggered the Resource Signature instead of the Path Traversal Signature, or why the other two triggered the "correct signature". The reason I'm asking is that I need to catch the correct attack technique, because by using that technique someone else might access something entirely different. So the technique itself has to be caught. And to understand this completely, I thought we need to understand the ASM flow. If something else comes to your mind, please elaborate on the topic. Maybe our approach needs tuning; your suggestions will be highly appreciated. Thank you in advance.
- Dario_Garrido
Noctilucent