Forum Discussion
Abed_AL-R
Cirrostratus
CirrostratusF5 ASM appears not blocking filetypes in http query
F5 v15.1.3.1 My F5 ASM policy is configured to block command executions and illegal file types but for example if I try to browse this url: https://my.web.site/netstat.exe Then ASM blocks the re...
Abed_AL-RCirrostratus
Cirrostratusthanks for the reply
do you mean that in the second example the netstat.exe is treated as parameter and not as fle type?
and how should I act on positional parameters to block these kind of request?
Samir
MVP
MVPdo you mean that in the second example the netstat.exe is treated as parameter and not as fle type? Its parameter(Query String) not file type.
and how should I act on positional parameters to block these kind of request?
- Navigate to Security ›› Application Security : Policy Building : Learning and Blocking Settings > Illegal parameter data type
- Then Security ›› Application Security : Parameters : Parameters List ›› Add Parameter...
- Parameter Level: URL, URL Path: GET, Location: Query string, Parameter Value Type: User-input values, Data Type: Alpha-Numbric, Regular Expression: ^(.*\.)(exe)$
Hope it will work.
- Abed_AL-R
Hi
Thanks for your response
That actually did not work. We opened a case to F5 TAC and they provided this solution and it worked. Here I'm sharing their solution:
1)_ Use the REGEX : (([A-Za-z0-9_-]+)\.exe).*$ 2)_ Create Attack Signature List Security ›› Options : Application Security : Attack Signatures : Attack Signatures List 3)_ Create a custom "Attack Signature Sets" or add to existing Set the new signature. Security ›› Options : Application Security : Attack Signatures : Attack Signature Sets 4)_ Enforce the Signature in the policy Security ›› Application Security : Security Policies : Policies List ›› <Policy_name> >> Attack Signatures