Forum Discussion

ianhayes's avatar
ianhayes
Icon for Nimbostratus rankNimbostratus
Jul 31, 2024

ASM not blocking

Hi all- I've been out of the loop using F5 for a couple of years and just coming back to it. I'm having a problem with ASM/AWAF working properly.

I have a virtual server pointing to a single node running Apache. When I hit the virtual IP that works fine. I've attached an ASM/AWAF security policy to that server.

Enforcement mode = Blocking

Policy Building Learning mode = Manual

I've included every attack signature group to the policy and moved all signatures out of staging to Enforced. I'm trying to get any signature to fire at this point. Any easy one should be to trigger 200010468 ("/etc/passwd" access URI) or 200010156 ("passwd.txt" access). When requesting either URI, ASM is allowing the requests through. Looking at the log for one of the requests, I can see that it does trigger the /etc/passwd signature, but apparently is still in staging:

Decoded Request

Request actual size: 85 bytes

GET /etc/passwd HTTP/1.1 Host: 192.168.5.5 User-Agent: curl/7.64.0 Accept: */*

Response

Response logging was disabled

Violation Details

Attack signature detected [2]

Detected Keyword

/etc/passwd

Attack Signature"/etc/passwd" access (URI)
ContextURL
Actual URL/etc/passwd
Wildcard URL*  -  Staging
Applied Blocking SettingsStaging

 

Am I missing a setting somewhere? This is the status for that particular signature in my security policy:

 "/etc/passwd" access (URI)      200010468    Enforced

  • Hello , 

    I belive it's not blocking because , in the list of the urls , you have a wild card url : * , and this wildcard is on staging . 

    So to block ( special charachter , method , or attack signature in the context ) in the context , it should not be on staging . 

    the same as well for parameters , 
    Please let me know if it's something else ^^ 

     

    regards ,