Attack Analysis- ASM
Hello Everybody,
This is for F5 ASM. Recently, while tracing a support ID, we came to know that a user request was blocked due to a suspected SQL injection attack; for another support ID it was blocked due to a suspected cross-site scripting attack. I am using the word "suspected" as we were unable to find out whether these were really attacks or just false positive incidents.
Stuck on how to analyse whether an attack is a genuine or a false one. In other words, I am looking for a keyword, maybe in either the request or the response, which can clearly indicate that it's a malicious hit only.
Rgds
***
Hi eagertolearn,
Analyzing requests with violations
To review requests with violations, you need to have a security policy that is already handling traffic that is causing violations. If no violations have occurred, you will not see illegal requests listed in the Requests List.
In the Requests List event log, you can view details about a request, including viewing the violation rating, the full request itself, and any violations associated with it. You can also drill down to view detailed descriptions of the violations and potential attacks. When viewing details about an illegal request, if you decide that the request is trusted and you want to allow it, you can accept the violations shown for this specific request.
Please refer to the detailed article below for more understanding.
If it helps resolve your query, rate and mark it as the solution for the benefit of other readers.
HTH
🙏