Forum Discussion
Attack Signature False Positive Mode
- Oct 14, 2021
Yes, it means F5 Advanced WAF will create the pattern and detect false positive attack signature violations based on traffic similarity. Numerous common requests are most likely benign. Requests similar to the majority of requests are most likely benign. When you enable "Potential False Positive Detection" the system will automatically develop multiple request similarity tests, and requests which pass the tests are considered safe. Real attack attempts almost always contain outliers such as strings or meta characters which are dissimilar to most traffic. These are detected and blocked if the signature is enforced. There's a lot of math going on behind the scenes.
Yes, it means F5 Advanced WAF will create the pattern and detect false positive attack signature violations based on traffic similarity. Numerous common requests are most likely benign. Requests similar to the majority of requests are most likely benign. When you enable "Potential False Positive Detection" the system will automatically develop multiple request similarity tests, and requests which pass the tests are considered safe. Real attack attempts almost always contain outliers such as strings or meta characters which are dissimilar to most traffic. These are detected and blocked if the signature is enforced. There's a lot of math going on behind the scenes.
Dear Erik,
Clear, many thanks. Appreciate your support.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com