Forum Discussion

PeterHession
Feb 18, 2019

ASM Signature Update 02/08/2019 Contains Incorrect Command Execution Signatures

The 2/8/19 signature update available on F5 Downloads (shows a create date of 1/22/19 in the F5 UI) has some questionable updates for Command Execution signatures on parameters that cause a large number of false positives.

 

Instead of properly checking to see if a parameter contains a real command execution attempt, it is just firing on anything containing the string that matches the command name. It's so bad that the sig for g++ will go off every time there is a " g " in a parameter being posted.

 

This has been confirmed on 12.1.X.

 

I would suggest skipping this update until they address it. If installed, my suggestion would be to disable all signatures with the string "execution attempt" in the title that relate to parameters (likely leave URL and Header sigs active, not getting false positives on those but ymmv) and contain a command that resembles a human word or is 3 characters or less. If not too labor intensive it would likely be better to disable on a parameter basis. Even if you have these signatures in staging, you may not get all possible values in your staging traffic, so the next time you get a user with the name of "Pico", they could be blocked.

 

Because we are on 12.x we had been set up to not put updated signatures into staging because we didn't want to lose coverage. After years of that working perfectly for us, this update came and basically locked out our applications.

 

Working with support on this, will update.

 

  • Just updated to ASM-SignatureFile_20190219_153131 and what a nightmare! The g++ one you mention is absolutely awful. Any common Linux words in cookies/referrers and alerts trip. Currently staging these, but I don't know how to go forward as the new attack signatures are so bad. Never had any problems in the past.

     

  • Just wanted to note that you can back out your signatures by installing the previous update from before 2/8/19. You can get the signature file manually from . It will remove the signatures that had bad updates. You will also need to turn off auto-updates to make sure it doesn't get overwritten until F5 puts out a sig release to address it.

     

  • I have backed out to ASM-SignatureFile_20190114_163855. We are a retail site and basically any URL, referrer or cookie etc. with "head, ps, ls, cut, date, touch, cat etc." anywhere (and there are a lot) is potentially blocked! Presumably I won't be updating the pattern file for a long time (if ever).

     

  • Thank you all for your comments about this happening, this is really helping escalate this within F5. Please open support cases if you can. I'm unable to provide F5 with as many examples of blocked requests as they need since our blocked requests involve sensitive customer data.

     

  • I suggest you raise an incident with F5 support immediately if you haven't done it yet - support@

     

  • All examples are full of customer data. Here are a few samples that I have anonymized:

     

    "Attack Signature Staged ID 200003143 Name "link" execution attempt Context Cookie Cookie Name __abcd Cookie Value 2455013.155280.1.1.xyzcsr=click.jklsearch.net|qweccn=(referral)|qwecmd=referral|qwecct=/link/click"

     

    "Attack Signature Staged ID 200003031 Name "ps" execution attempt Context Parameter (detected in POST Data) Parameter Level Global Parameter Name act_num Parameter Value ps.johndoe@testtesttest.com"

     

    "Attack Signature Staged ID 200003094 Name "head" execution attempt Context Cookie Cookie Name __abcd Cookie Value 16234634606.134634666.8.9.xyzcsr=test.co.uk|xyzccn=(referral)|xyzcmd=referral|xyzcct=/products/wall-mounted-plush-deer-head/_/12345678"

     

    "Attack Signature Staged ID 200003085 Name "date" execution attempt Context Cookie Cookie Name __abcd Cookie Value 237757.15457567.6.7.xyzcsr=GoogleProductList|xyzccn=HouseAndGarden_Trees|xyzcmd=PLA|xyzctr=date0x20palm|xyzcct=9876543"

     

    "Attack Signature Staged ID 200003136 Name "cut" execution attempt Context Cookie Cookie Name __abcd Cookie Value 66546456.15456456.7.7.xyzcsr=test.com|xyzccn=(referral)|xyzcmd=referral|xyzcct=/products/laser-cut-dress/44444444"

     

    "Attack Signature Staged ID 200003156 Name "touch" execution attempt Context Cookie Cookie Name __aaaa_ca Cookie Value so=testref.space&me=referral&ca=referral&co=;
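As an added illustration (not code from the thread, and not F5's own signature logic, which the thread does not quote), the Python below models the difference the original post describes: a rule that fires on any occurrence of a bare command name versus one that only fires when the name sits where a shell would actually parse it as a command. Both `naive_hit` and `strict_hit` are hypothetical reconstructions; the sample values are the anonymized ones quoted above (the "touch" record is left out because its quoted value no longer contains the word), and the two "positive" inputs are constructed for the demonstration.

```python
import re

# Anonymized cookie / parameter values quoted in the thread, keyed by the
# command-execution signature that fired on them.
SAMPLES = {
    "link": "2455013.155280.1.1.xyzcsr=click.jklsearch.net|qweccn=(referral)"
            "|qwecmd=referral|qwecct=/link/click",
    "ps": "ps.johndoe@testtesttest.com",
    "head": "16234634606.134634666.8.9.xyzcsr=test.co.uk|xyzccn=(referral)"
            "|xyzcmd=referral|xyzcct=/products/wall-mounted-plush-deer-head/_/12345678",
    "date": "237757.15457567.6.7.xyzcsr=GoogleProductList|xyzccn=HouseAndGarden_Trees"
            "|xyzcmd=PLA|xyzctr=date0x20palm|xyzcct=9876543",
    "cut": "66546456.15456456.7.7.xyzcsr=test.com|xyzccn=(referral)"
           "|xyzcmd=referral|xyzcct=/products/laser-cut-dress/44444444",
}

# Constructed inputs (not from the thread) of the shape a command-execution
# signature is meant to catch; used only to show the stricter rule still fires.
CONSTRUCTED_POSITIVES = {"ps": "x; ps -ef", "date": "$(date)"}


def naive_hit(cmd: str, value: str) -> bool:
    """Hypothetical model of the behaviour the thread describes: the signature
    fires whenever the bare command name appears anywhere in the value.
    re.escape keeps metacharacters such as the '+' in g++ literal."""
    return re.search(re.escape(cmd), value) is not None


# Illustrative shell-context rule (an assumption, not F5's pattern): the command
# name must be at the start of the value or follow a shell separator or
# substitution opener, and must be followed by whitespace, end of value or
# another shell operator.
_SHELL_PRECEDED = r"(?:^|[;|&`]|\$\()\s*"
_SHELL_FOLLOWED = r"(?=\s|$|[;|&`)])"


def strict_hit(cmd: str, value: str) -> bool:
    """Fire only where a shell would parse the name as a command, so path
    segments like '/link/click' or slugs like 'laser-cut-dress' no longer match."""
    pattern = _SHELL_PRECEDED + re.escape(cmd) + _SHELL_FOLLOWED
    return re.search(pattern, value) is not None


def triage(samples: dict = SAMPLES) -> dict:
    """Map each signature name to (naive_fired, strict_fired) for its sample value."""
    return {cmd: (naive_hit(cmd, v), strict_hit(cmd, v)) for cmd, v in samples.items()}


if __name__ == "__main__":
    for cmd, (naive, strict) in triage().items():
        print(f'"{cmd}" execution attempt: naive={naive} strict={strict}')
    for cmd, v in CONSTRUCTED_POSITIVES.items():
        print(f"constructed {v!r}: strict={strict_hit(cmd, v)}")
```

Run as-is, every quoted value fires under the naive rule and none under the shell-context rule, while the two constructed positives still fire under the stricter rule. Running your own blocked-request log through a small harness like this is a quick way to decide, per parameter, which of the updated signatures are producing nothing but false positives before disabling them or keeping them in staging.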

     

  • Please update to the ASU released: ASM-SignatureFile_20190304_153833 and review the readme for a list of the Command Execution Signatures updated.