Forum Discussion

THE_BLUE's avatar
THE_BLUE
Icon for Cirrostratus rankCirrostratus
Oct 11, 2021

Attack Signature False Positive Mode

There is an option under learning and blocking settings for :

Attack Signature False Positive Mode  

Note: If a signature false-positive is allowed this signature will not block the request.

 

so is this mean, the F5 will detect if it is false positive then will detect and allow ( based on my selection) and if it is real attack then it will be blocked? if yes then how the F5 say it's false positive or real attack.

 

Does this will minimize the false positive? it is recommended to activate it?

  • Yes, it means F5 Advanced WAF will create the pattern and detect false positive attack signature violations based on traffic similarity. Numerous common requests are most likely benign. Requests similar to the majority of requests are most likely benign. When you enable "Potential False Positive Detection" the system will automatically develop multiple request similarity tests, and requests which pass the tests are considered safe. Real attack attempts almost always contain outliers such as strings or meta characters which are dissimilar to most traffic. These are detected and blocked if the signature is enforced. There's a lot of math going on behind the scenes.

  • Yes, it means F5 Advanced WAF will create the pattern and detect false positive attack signature violations based on traffic similarity. Numerous common requests are most likely benign. Requests similar to the majority of requests are most likely benign. When you enable "Potential False Positive Detection" the system will automatically develop multiple request similarity tests, and requests which pass the tests are considered safe. Real attack attempts almost always contain outliers such as strings or meta characters which are dissimilar to most traffic. These are detected and blocked if the signature is enforced. There's a lot of math going on behind the scenes.

    • THE_BLUE's avatar
      THE_BLUE
      Icon for Cirrostratus rankCirrostratus

      Dear Erik,

      Clear, many thanks. Appreciate your support.

    • THE_BLUE's avatar
      THE_BLUE
      Icon for Cirrostratus rankCirrostratus

      Dear Erik,

      jut question, How long does it take to make sure of that? Also, what can I see if it's false positive ? in event logs?

       

  • In some cases, attack signatures may match benign input detected on requests for URLs, 

    parameter values, header values, etc. which result in false positive violations. To reduce the likelihood of this problem, you can configure false positive mode which creates similarity patterns that correspond to frequently detected traffic inputs. If it is discovered that an attack signature has matched input that corresponds to one of these frequent similarity patterns, this signature match is considered a false positive. This signature match will not block a request if no other blocking violations were detected.

    • THE_BLUE's avatar
      THE_BLUE
      Icon for Cirrostratus rankCirrostratus

      so is this mean the WAF will create the pattern of false positive ? based on what? and this will not affect the real attack attempts?

  • The system is designed to establish optimal baseline similarity after gathering data for about 12 hours. The data is recalculated at regular intervals during that 12 hour period and continually updated. You won't see anything regarding false positives in the event log. However, there is a tmstat table called "asm_similarity_pattern" that can be used (for debugging only.) You will need to define the maximum number of rows the table will have by adding an internal parameter:

     

    /usr/share/ts/bin/add_del_internal add similarity_pattern_max_tmstat_rows 100

     

    Restart the ASM service (tmsh bigstart restart asm)

     

    Send some traffic and the review the table:

     

    tmctl asm_similarity_pattern