Forum Discussion

Abed_AL-R's avatar
Abed_AL-R
Icon for Cirrostratus rankCirrostratus
Mar 23, 2022

F5 ASM appears not blocking filetypes in http query

F5 v15.1.3.1 My F5 ASM policy is configured to block command executions and illegal file types but for example if I try to browse this url: https://my.web.site/netstat.exe  Then ASM blocks the re...
asm
f5
file types
security
Samir's avatar
Samir
Icon for MVP rankMVP
Mar 23, 2022

Good question.. 

1. https://my.web.site/netstat.exe  ==> here netstat.exe comes as file type and ASM is quickly blocking it as you have selected "Illegal file type" blocked during policy creations.
2. https://my.web.site/path?netstat.exe ==> here URI is "path?netstat.exe" & you have not asked ASM to blocked it and hence request is allowed. You need to act on positional parameters to block these kind of request. 

 

  • Abed_AL-R's avatar
    Abed_AL-R
    Icon for Cirrostratus rankCirrostratus
    Mar 23, 2022

    thanks for the reply

    do you mean that in the second example the netstat.exe is treated as parameter and not as fle type?

    and how should I act on positional parameters to block these kind of request?

    • Samir's avatar
      Samir
      Icon for MVP rankMVP
      Mar 23, 2022

      do you mean that in the second example the netstat.exe is treated as parameter and not as fle type? Its parameter(Query String) not file type.

      and how should I act on positional parameters to block these kind of request?

      1. Navigate to Security ›› Application Security : Policy Building : Learning and Blocking Settings > Illegal parameter data type
      2. Then Security ›› Application Security : Parameters : Parameters List ›› Add Parameter...
      3. Parameter Level: URL, URL Path: GET, Location: Query string,  Parameter Value Type: User-input values,  Data Type: Alpha-Numbric, Regular Expression: ^(.*\.)(exe)$ 

      Hope it will work.

      • Abed_AL-R's avatar
        Abed_AL-R
        Icon for Cirrostratus rankCirrostratus
        Mar 31, 2022

        Hi

        Thanks for your response

        That actually did not work. We opened a case to F5 TAC and they provided this solution and it worked. Here I'm sharing their solution:

        1)_ Use the REGEX : (([A-Za-z0-9_-]+)\.exe).*$

2)_ Create Attack Signature List
    Security  ››  Options : Application Security : Attack Signatures : Attack Signatures List

3)_ Create a custom "Attack Signature Sets" or add to existing Set the new signature.
    Security  ››  Options : Application Security : Attack Signatures : Attack Signature Sets

4)_ Enforce the Signature in the policy
    Security  ››  Application Security : Security Policies : Policies List  ››  <Policy_name>  >> Attack Signatures