For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mister_C's avatar
Mister_C
Icon for Nimbostratus rankNimbostratus
Sep 09, 2015

Disable an attack signature

I'm in need of a solution that will allow me to disable specific attack signature (200003031) per WAF policy without impacting the remaining WAF policies that utilize attack signature: 200003031.

 

Also the current WAF policy is currently set to NOT block for "ASM Cookie Hijacking". Its only set to LEARN and ALERT.

 

Not sure why the support ID revealed that attack signature 200003031 was violated (if blocking was NOT checked).

 

Any help and or explanation on this would be greatly appreciated.

 

ASM Advanced WAF
management
security

3 Replies

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Sep 09, 2015

    Mister C,

     

    If, within the GUI you can disable Attack Signatures from the policy itself, and this won't affect other policies that have the signature in its database. Open your policy and go to Application Security - Attack Signatures - Attack Signatures list. Search for the signature and click on it. Uncheck the Enabled box. Apply Policy.

     

    On a seperate note, an Attack signature being triggered is different from other violations, say ASM cookie highjacking. Both violation types have their own Learn, alarm and blocking settings.

     

    Hope this helps,

     

    N

     

  • Mister_C's avatar
    Mister_C
    Icon for Nimbostratus rankNimbostratus
    Sep 09, 2015

    Thanks.

     

    I disabled the signature earlier this morning and all seems to be working without impacting the other policies.

     

    • nathe's avatar
      nathe
      Icon for Cirrocumulus rankCirrocumulus
      Sep 09, 2015
      Good news. thanks for updating the post