Forum Discussion
Attack Signature False Positive Mode
- Oct 14, 2021
Yes, it means F5 Advanced WAF will create the pattern and detect false positive attack signature violations based on traffic similarity. Numerous common requests are most likely benign. Requests similar to the majority of requests are most likely benign. When you enable "Potential False Positive Detection" the system will automatically develop multiple request similarity tests, and requests which pass the tests are considered safe. Real attack attempts almost always contain outliers such as strings or meta characters which are dissimilar to most traffic. These are detected and blocked if the signature is enforced. There's a lot of math going on behind the scenes.
In some cases, attack signatures may match benign input detected on requests for URLs, parameter values, header values, etc. which result in false positive violations. To reduce the likelihood of this problem, you can configure false positive mode which creates similarity patterns that correspond to frequently detected traffic inputs. If it is discovered that an attack signature has matched input that corresponds to one of these frequent similarity patterns, this signature match is considered a false positive. This signature match will not block a request if no other blocking violations were detected.
So does this mean the WAF will create the pattern of false positives? Based on what? And this will not affect the real attack attempts?
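A simplified model of the behaviour discussed in this thread, added here as an illustration; it is not F5's algorithm or code. The `shape()` similarity test, the toy signature, the 50% threshold and the sample traffic are all assumptions constructed for the example.

```python
import re
from collections import Counter

# Toy stand-in for one attack signature (an assumption, not an F5 signature).
SIGNATURE = re.compile(r"(?i)\bselect\b.*\bfrom\b")

def shape(value):
    """Reduce a value to its character-class shape; metacharacters stay literal."""
    classes = ("L" if c.isalpha() else "D" if c.isdigit() else
               "S" if c.isspace() else c for c in value)
    out = []
    for c in classes:
        # Collapse runs of letters/digits/spaces, keep every metacharacter.
        if not out or out[-1] != c or c not in "LDS":
            out.append(c)
    return "".join(out)

def learn_patterns(values, min_share=0.5):
    """Return the shapes that make up at least min_share of observed inputs."""
    counts = Counter(shape(v) for v in values)
    return {s for s, n in counts.items() if n / len(values) >= min_share}

def decide(value, frequent, other_blocking_violations=False):
    """Signature match on a frequent pattern is a false positive and does not
    block on its own; any other blocking violation still blocks the request."""
    if not SIGNATURE.search(value):
        return "block" if other_blocking_violations else "allow"
    if shape(value) in frequent and not other_blocking_violations:
        return "allow (potential false positive)"
    return "block"

# Constructed sample traffic for a single parameter.
OBSERVED = ["select size from list", "select colour from menu",
            "select one from below", "blue shirt", "size 42"]
FREQUENT = learn_patterns(OBSERVED)

if __name__ == "__main__":
    for v, other in [("select brand from dropdown", False),
                     ("' union select name from t --", False),
                     ("select brand from dropdown", True)]:
        print(repr(v), other, "->", decide(v, FREQUENT, other))
```

The benign value matches the signature but shares the shape of most traffic, so it is not blocked on that match alone; the input with quote and comment metacharacters has an outlier shape and is still blocked.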