Forum Discussion
THE_BLUE
Cirrostratus
CirrostratusAttack Signature False Positive Mode
There is an option under learning and blocking settings for :
Attack Signature False Positive Mode
Note: If a signature false-positive is allowed this signature will not block the request.
so is this mean, the F5 will detect if it is false positive then will detect and allow ( based on my selection) and if it is real attack then it will be blocked? if yes then how the F5 say it's false positive or real attack.
Does this will minimize the false positive? it is recommended to activate it?
Yes, it means F5 Advanced WAF will create the pattern and detect false positive attack signature violations based on traffic similarity. Numerous common requests are most likely benign. Requests similar to the majority of requests are most likely benign. When you enable "Potential False Positive Detection" the system will automatically develop multiple request similarity tests, and requests which pass the tests are considered safe. Real attack attempts almost always contain outliers such as strings or meta characters which are dissimilar to most traffic. These are detected and blocked if the signature is enforced. There's a lot of math going on behind the scenes.
Erik_NovakEmployee
Yes, it means F5 Advanced WAF will create the pattern and detect false positive attack signature violations based on traffic similarity. Numerous common requests are most likely benign. Requests similar to the majority of requests are most likely benign. When you enable "Potential False Positive Detection" the system will automatically develop multiple request similarity tests, and requests which pass the tests are considered safe. Real attack attempts almost always contain outliers such as strings or meta characters which are dissimilar to most traffic. These are detected and blocked if the signature is enforced. There's a lot of math going on behind the scenes.
- Erik_Novak
In some cases, attack signatures may match benign input detected on requests for URLs,
parameter values, header values, etc. which result in false positive violations. To reduce the likelihood of this problem, you can configure false positive mode which creates similarity patterns that correspond to frequently detected traffic inputs. If it is discovered that an attack signature has matched input that corresponds to one of these frequent similarity patterns, this signature match is considered a false positive. This signature match will not block a request if no other blocking violations were detected.
THE_BLUEso is this mean the WAF will create the pattern of false positive ? based on what? and this will not affect the real attack attempts?
- Erik_Novak
The system is designed to establish optimal baseline similarity after gathering data for about 12 hours. The data is recalculated at regular intervals during that 12 hour period and continually updated. You won't see anything regarding false positives in the event log. However, there is a tmstat table called "asm_similarity_pattern" that can be used (for debugging only.) You will need to define the maximum number of rows the table will have by adding an internal parameter:
/usr/share/ts/bin/add_del_internal add similarity_pattern_max_tmstat_rows 100
Restart the ASM service (tmsh bigstart restart asm)
Send some traffic and the review the table:
tmctl asm_similarity_pattern