Forum Discussion
will-will
Altocumulus
AltocumulusF5 rules for AWS WAF - F5-CVE_Managed rule group Logs
Hello, I've contacted AWS support regarding the WAF and your specific rule group, and AWS suggested I reach out here for specific questions regarding the F5 managed rule. I asked the following quest...
Nikoolayy1
MVP
MVPGenerate such an attack and the default action should be "Block" and see that it is blocked and I do not think you will need to overide it as I mentioned it should be "Block" by default. This is it, you have less control with the AWS WAF and more with F5 Advanced WAF or Nginx + with App Protect WAF as cloud native services are like this.
will-willAltocumulus
AltocumulusHi Nikoolayy1 , that's the thing, the attacks happen daily, but are getting allowed since they aren't getting picked up by the F5 rule. Since there is no control over the rule I wonder if there is something wrong with the rule group? How would I check?
- Nikoolayy1
will-will I think I mentioned the limitations of the AWS WAF. You overide the default action to Block just in case or write your own rule to block the attack or check with the F5 support if you can open a case but I don't know any other way and this is why I stopped trying to use the AWS WAF even with F5 rules as it is too limited.
You can still also check the version of the rules or try the F5 AWS WAF Bot protection rules (I will not even try the AWS WAF native bot rules as changing the user agent header to a known web browser I managed to bypass it when I played with it)
https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-rule-groups-versioning.html
https://aws.amazon.com/marketplace/pp/prodview-p67737yco45uq
Still outside of that you can play with nginx + app protect or the F5 distributed cloud as they are not so expensive solutions and F5 cloud has a cheap plan like 25$ that Includes WAF rules or nginx app protect has trial version and so does F5 Advanced WAF and with BIG-IQ and F5 Cloud edtion it can autoscale as a native service (you can check with the F5 sales).
https://www.f5.com/cloud/pricing
https://www.nginx.com/pricing/
This is what I can help you and if someone has better ideas they can share them.
- will-will
Thank you Nikoolayy1 for your advice. I think I'm going to make my own rule to block in the meantime, and open a support ticket with F5. Do you know how to open a ticket with F5 support, since they direct all support to this forum? Maybe I have to go through AWS support and they can open a ticket with F5.