Forum Discussion
F5 rules for AWS WAF - F5-CVE_Managed rule group Logs
I was finally able to find the log entries for the exploit attempt, and it looks like it's not matching any of the rules in the rule groups, especially not F5-CVE_Managed. Since we don't control the rules in these rule groups, what can I do to make sure these attempts (Apache Struts vulnerability (CVE-2017-5638)) are blocked by the F5-CVE_Managed rule group?
Generate such an attack, and the default action should be "Block", and see that it is blocked. I do not think you will need to override it; as I mentioned, it should be "Block" by default. This is it: you have less control with the AWS WAF and more with F5 Advanced WAF or Nginx + with App Protect WAF, as cloud native services are like this.
- will-will, Jun 23, 2022, Altocumulus
Hi Nikoolayy1, that's the thing, the attacks happen daily, but are getting allowed since they aren't getting picked up by the F5 rule. Since there is no control over the rule I wonder if there is something wrong with the rule group? How would I check?
- Nikoolayy1, Jun 23, 2022, MVP
will-will I think I mentioned the limitations of the AWS WAF. You override the default action to Block just in case, or write your own rule to block the attack, or check with the F5 support if you can open a case, but I don't know any other way, and this is why I stopped trying to use the AWS WAF even with F5 rules, as it is too limited.
You can still also check the version of the rules or try the F5 AWS WAF Bot protection rules (I will not even try the AWS WAF native bot rules, as by changing the user agent header to a known web browser I managed to bypass it when I played with it).
https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-rule-groups-versioning.html
https://aws.amazon.com/marketplace/pp/prodview-p67737yco45uq
Still, outside of that you can play with nginx + app protect or the F5 distributed cloud, as they are not so expensive solutions. F5 cloud has a cheap plan like 25$ that includes WAF rules, nginx app protect has a trial version and so does F5 Advanced WAF, and with BIG-IQ and F5 Cloud edition it can autoscale as a native service (you can check with the F5 sales).
https://www.f5.com/cloud/pricing
https://www.nginx.com/pricing/
This is what I can help you with, and if someone has better ideas they can share them.
- will-will, Jun 23, 2022, Altocumulus
Thank you Nikoolayy1 for your advice. I think I'm going to make my own rule to block in the meantime, and open a support ticket with F5. Do you know how to open a ticket with F5 support, since they direct all support to this forum? Maybe I have to go through AWS support and they can open a ticket with F5.
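
Added example, not part of the thread or F5's own tooling: one way to answer "How would I check?" from the AWS WAF logs. CVE-2017-5638 carries an OGNL expression in the Content-Type header, so this sketch lists every logged request with an OGNL opener there and shows whether the F5 rule group evaluated, blocked or only counted it. It assumes JSON-lines WAF logs with the standard `action`, `terminatingRuleId`, `httpRequest.headers` and `ruleGroupList` fields; the rule group id string and the sample records are constructed.

```python
import json

# Substrings that open an OGNL expression; a legitimate Content-Type value has neither.
OGNL_MARKERS = ("%{", "${")

def header(rec, name):  # value of a request header in a WAF log record, case-insensitive
    for h in rec.get("httpRequest", {}).get("headers", []):
        if h.get("name", "").lower() == name:
            return h.get("value", "")
    return ""

def triage(log_lines, group_hint="F5-CVE_Managed"):
    """Report what the web ACL did with requests carrying OGNL in Content-Type."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        if not any(m in header(rec, "content-type") for m in OGNL_MARKERS):
            continue
        groups = [g for g in rec.get("ruleGroupList", [])
                  if group_hint in g.get("ruleGroupId", "")]
        findings.append({
            "clientIp": rec["httpRequest"].get("clientIp"),
            "action": rec.get("action"),
            "terminatingRuleId": rec.get("terminatingRuleId"),
            "group_evaluated": bool(groups),  # False: the group never saw the request
            "group_blocked": any(g.get("terminatingRule") for g in groups),
            "group_counted": any(g.get("nonTerminatingMatchingRules") for g in groups),
        })
    return findings

def _rec(ip, ctype, action, term_id, group):  # builds one constructed log record
    return json.dumps({"action": action, "terminatingRuleId": term_id,
                       "httpRequest": {"clientIp": ip, "headers": [
                           {"name": "Content-Type", "value": ctype}]},
                       "ruleGroupList": [group] if group else []})
GID = "F5#F5-CVE_Managed"  # constructed id; copy the real one from your own logs
SAMPLE_LOGS = [  # constructed records, marker-only Content-Type values
    _rec("198.51.100.7", "%{(#constructed-marker)}.multipart/form-data", "ALLOW",
         "Default_Action", {"ruleGroupId": GID, "terminatingRule": None,
                            "nonTerminatingMatchingRules": []}),
    _rec("198.51.100.8", "${constructed-marker}", "ALLOW", "Default_Action",
         {"ruleGroupId": GID, "terminatingRule": None,
          "nonTerminatingMatchingRules": [{"ruleId": "constructed-rule", "action": "COUNT"}]}),
    _rec("203.0.113.5", "application/json", "ALLOW", "Default_Action", None),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f)
```

A finding with `group_evaluated` true and both `group_blocked` and `group_counted` false means the group saw the request and no rule in it matched; `group_counted` true means a rule matched but its action was Count rather than Block.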