Forum Discussion
ASM not blocking
Hi all- I've been out of the loop using F5 for a couple of years and just coming back to it. I'm having a problem with ASM/AWAF working properly.
I have a virtual server pointing to a single node running Apache. When I hit the virtual IP that works fine. I've attached an ASM/AWAF security policy to that server.
Enforcement mode = Blocking
Policy Building Learning mode = Manual
I've included every attack signature group to the policy and moved all signatures out of staging to Enforced. I'm trying to get any signature to fire at this point. Any easy one should be to trigger 200010468 ("/etc/passwd" access URI) or 200010156 ("passwd.txt" access). When requesting either URI, ASM is allowing the requests through. Looking at the log for one of the requests, I can see that it does trigger the /etc/passwd signature, but apparently is still in staging:
Decoded Request
Request actual size: 85 bytes
GET /etc/passwd HTTP/1.1 Host: 192.168.5.5 User-Agent: curl/7.64.0 Accept: */*
Response
Response logging was disabled
Violation Details
Attack signature detected [2]
Detected Keyword | /etc/passwd |
Attack Signature | "/etc/passwd" access (URI) |
Context | URL |
Actual URL | /etc/passwd |
Wildcard URL | * - Staging |
Applied Blocking Settings | Staging |
Am I missing a setting somewhere? This is the status for that particular signature in my security policy:
"/etc/passwd" access (URI) 200010468 Enforced
- zamroni777Nacreous
is signature staging enabled?
- amine-elhijaziAltocumulus
Hello ,
I belive it's not blocking because , in the list of the urls , you have a wild card url : * , and this wildcard is on staging .
So to block ( special charachter , method , or attack signature in the context ) in the context , it should not be on staging .
the same as well for parameters ,
Please let me know if it's something else ^^regards ,
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com