Forum Discussion
Can I allow Buffer Overflow attack signatures in just an XML request?
The website has an upload page where people can submit receipts. The request looks like this:
4AAQSkD6RXhpZgAuocAAcAAAgMAAAAPgAAAAAc6gAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.....
We have determined that the "A"s represent the white space in the image and since it is a receipt, a large area of it is white, but this is throwing the Generic buffer overflow attempt 1 attack signature due to the large sequence of "A"s. The question is if there is a way to just turn off this signature for this URI. Since the overflow false positive is in the XML, I do not know of a way to do this, and we do not want to have to turn off buffer overflow signatures for the whole site. We only have one policy for the whole site and are unable to use the LTM side to split up the traffic to different policies. Thank you.
- gsharri (Altostratus)
You can create an XML content profile, disable the attack signature in it and then assign the profile to a URL in your security policy.
- Gerlan_32355 (Altostratus)
Hi Scott,
I used this iRule to unblock ASM for a URL:
    when ASM_REQUEST_DONE {
        # Unblock when the request matches the URL and the overflow check fired
        if {[ASM::violation names] contains "ATTACK_TYPE_BUFFER_OVERFLOW" and (([string tolower [HTTP::uri]] contains "/yourURL"))} {
            ASM::unblock
            log local0. "ASM unblocking [HTTP::uri]"
        }
    }
See this documentation:
ASM::unblock - https://devcentral.f5.com/wiki/irules.asm__unblock.ashx
ASM::violation - https://devcentral.f5.com/wiki/irules.asm__violation.ashx
ASM Violation names/tables - https://devcentral.f5.com/wiki/irules.asm__violation_data.ashx
ASM_REQUEST_DONE - https://devcentral.f5.com/wiki/iRules.ASM_REQUEST_DONE.ashx
HTTP::uri - https://devcentral.f5.com/wiki/iRules.HTTP__uri.ashx
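
A narrower variant of the iRule approach in this thread, as an added example that is not part of the original posts: it scopes the exception to one exact path and unblocks only when buffer overflow is the sole attack type on the request. The path `/receipts/upload` is a hypothetical placeholder, and the example assumes `ASM::violation attack_types` returns the request's attack types as a list.

```tcl
when ASM_REQUEST_DONE {
    # Hypothetical upload endpoint (lowercase); replace with the real path.
    set upload_path "/receipts/upload"

    # Exact match on the path only. HTTP::path excludes the query string,
    # so the exception applies to the upload endpoint and nothing else.
    if { [string tolower [HTTP::path]] ne $upload_path } {
        return
    }

    # Assumption: attack types are reported here as a Tcl list.
    set attack_types [ASM::violation attack_types]

    # Unblock only when buffer overflow is the single attack type found,
    # so any other finding on the same request keeps its blocking action.
    if { [llength $attack_types] == 1 &&
         [lindex $attack_types 0] eq "ATTACK_TYPE_BUFFER_OVERFLOW" } {
        ASM::unblock
        # Record every exception with the violation names for later review.
        log local0. "ASM unblock (buffer overflow only) path=[HTTP::path] client=[IP::client_addr] violations=[ASM::violation names]"
    }
}
```

The ASM_REQUEST_DONE event fires only when ASM iRule events are enabled in the security policy. Reviewing the logged exceptions periodically shows whether the unblock is being hit by anything other than receipt uploads.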