Forum Discussion

will-will's avatar
will-will
Icon for Altocumulus rankAltocumulus
Jun 17, 2022

F5 rules for AWS WAF - F5-CVE_Managed rule group Logs

Hello, I've contacted AWS support regarding the WAF and your specific rule group, and AWS suggested I reach out here for specific questions regarding the F5 managed rule. I asked the following quest...
cloud
security
will-will's avatar
will-will
Icon for Altocumulus rankAltocumulus
Jun 22, 2022

I was finally able to find in the log entries for the exploit attempt and it looks like that it's not matching any of the rules in the rule groups especially not by F5-CVE_Managed. Since we don't control the rules in these rule groups what can I do to make sure these attemps (Apache Struts vulnerability (CVE-2017-5638)) are blocked by the F5-CVE_Managed rule group?

  • Nikoolayy1's avatar
    Nikoolayy1
    Icon for MVP rankMVP
    Jun 23, 2022

    Generate such an attack and the default action should be "Block" and see that it is blocked and I do not think you will need to overide it as I mentioned it should be "Block" by default. This is it, you have less control with the AWS WAF and more with F5 Advanced WAF or Nginx + with App Protect WAF as cloud native services are like this.

    • will-will's avatar
      will-will
      Icon for Altocumulus rankAltocumulus
      Jun 23, 2022

      Hi Nikoolayy1 , that's the thing, the attacks happen daily, but are getting allowed since they aren't getting picked up by the F5 rule. Since there is no control over the rule I wonder if there is something wrong with the rule group? How would I check?

      • Nikoolayy1's avatar
        Nikoolayy1
        Icon for MVP rankMVP
        Jun 23, 2022

        will-will  I think I mentioned the limitations of the AWS WAF. You overide the default action to Block just in case or write your own rule to block the attack or check with the F5 support if you can open a case but I don't know any other way and this is why I stopped trying to use the AWS WAF even with F5 rules as it is too limited.

         

         

        You can still also check the version of the rules or try the F5 AWS WAF Bot protection rules (I will not even try the AWS WAF native bot rules as changing the user agent header to a known web browser I managed to bypass it when I played with it)

         

        https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-rule-groups-versioning.html

         

        https://aws.amazon.com/marketplace/pp/prodview-p67737yco45uq

         

         

        Still outside of that you can play with nginx + app protect or the F5 distributed cloud as they are not so expensive solutions and F5 cloud has a cheap plan like 25$ that Includes WAF rules or nginx app protect has trial version and so does F5 Advanced WAF and with BIG-IQ and F5 Cloud edtion it can autoscale as a native service (you can check with the F5 sales).

         

        https://www.f5.com/cloud/pricing

        https://www.nginx.com/pricing/

        https://www.f5.com/trials

        This is what I can help you and if someone has better ideas they can share them.