Forum Discussion

Nimbostratus

Jul 08, 2010

Attack signature not triggered

Hello, We had a visit from an attacker last night and ASM did not trigger on this URI: /content/job-details.php?id=-49893%20UNION%20SELECT%20CHAR(97,102,56,56,48,48,55,53,97,97)--1...

app sec

BIG-IP Access Policy Manager (APM)

security

hoolio

Cirrostratus

Jul 08, 2010

Hi Ian,

I tried testing with a parameter value set to -49893%20UNION%20SELECT%20CHAR(97,102,56,56,48,48,55,53,97,97)--1040 and see two signatures triggered:

SQL-INJ "UNION SELECT" (Parameter) 200000073

SQL-INJ CHAR() 200002270

Can you confirm these two signatures are enabled in your policy under the Attack Signatures | Policy Attack Signatures? If so, are they still enabled on the id or global * parameter? Does the parameter that the request matched have checks enabled?

If you want to email me the full request info page, I can take a quick look today.

Aaron

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Attack signature not triggered

Welcome! a la Communidad DevCentral LATAM de F5!

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

Recent Discussions

Efficient Method to Compare F5 Configurations

F5 Big-IQ read-only API username creation.

email alert when service restarts

all possible Domain names that F5 may need to communicate to

irule that presents certificate doesn´ t run in TLSv1.3

Related Content

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Wildcard Parameter signature attack

NGINX App Protect v5 Signature Notifications

Live Update- ASM attack signatures

Default Attack Signature Sets

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS