Forum Discussion
F5 Web Application CVE Signatures For AWS WAF - FALSE POSITIVE
I am using AWS and implemented the “F5 Web Application CVE Signatures For AWS WAF” managed rule from AWS Marketplace.
I am copying the sample requests that are false positives from the AWS WAF console.
    201.218.201.171 /course/modedit.php F5 Web Application CVE Signatures For AWS WAF Block 14:49:50
    Client information:
      Source IP: 201.218.201.171
      Country: PA
    Rule within rule group: 659aaaee-c124-460c-a775-22927af70a2f
    Request line:
      Method: POST
      URI: /course/modedit.php
    Request headers:
      Host: cursos.campusvirtualsp.org
      Content-Length: 2678
      user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
      accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
      accept-language: es,en-US;q=0.7,en;q=0.3
      accept-encoding: gzip, deflate, br
      referer: https://cursos.campusvirtualsp.org/course/modedit.php?update=34464&return=1
      content-type: application/x-www-form-urlencoded
      upgrade-insecure-requests: 1
      cookie: TinyMCE_toggle=id_config_text%3D0; _ga=GA1.2.1480395476.1554154100; _gid=GA1.2.2045071368.1554154100; SSESS03d1962463878d637285620850f8c2c7=7F0Y5UmL3_e2dNRJylnLULV1W1s0c7HQUBYJjTFZuG4; MoodleSession=3pghhd5stbsjo3sqh38grunal1; _gat=1

    201.218.201.171 /course/modedit.php F5 Web Application CVE Signatures For AWS WAF Block 14:50:46
    Client information:
      Source IP: 201.218.201.171
      Country: PA
    Rule within rule group: 659aaaee-c124-460c-a775-22927af70a2f
    Request line:
      Method: POST
      URI: /course/modedit.php
    Request headers:
      Host: cursos.campusvirtualsp.org
      Content-Length: 2689
      user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
      accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
      accept-language: es,en-US;q=0.7,en;q=0.3
      accept-encoding: gzip, deflate, br
      referer: https://cursos.campusvirtualsp.org/course/modedit.php?update=34480&return=1
      content-type: application/x-www-form-urlencoded
      upgrade-insecure-requests: 1
      cookie: TinyMCE_toggle=id_config_text%3D0; _ga=GA1.2.1480395476.1554154100; _gid=GA1.2.2045071368.1554154100; SSESS03d1962463878d637285620850f8c2c7=7F0Y5UmL3_e2dNRJylnLULV1W1s0c7HQUBYJjTFZuG4; MoodleSession=3pghhd5stbsjo3sqh38grunal1; _gat=1
The rule blocked me when I tried to update a course configuration in Moodle. Below, I am sharing a web form where the rule is blocking.
- EdgardoDeGraci1
Nimbostratus
Is there no solution to this false positive? Is it not possible to update a simple quiz activity in Moodle thanks to this AWS rule?
I would contact F5 support about it if you can.
I'm not very familiar with ASM in AWS. You can't disable that one signature?
- EdgardoDeGraci1
Nimbostratus
I contacted F5 support and they told me to post this issue as a question on DevCentral. The only solution I found is to change my subscription in AWS to another provider of WAF RuleGroups.
- Jeff_Giroux_F5
Ret. Employee
Please follow the procedure detailed in K21015971: Overview of F5 RuleGroups for AWS WAF
Reporting false positives on DevCentral
With full request logging you can now report on a rule that generates too many false positives. To report false positives, complete the following:
- Log three to five requests that the rule has flagged as malicious requests.
- Make sure that the requests do not contain any sensitive information; if they do, please mask the sensitive data with ****.
- Attach the requests to a message (Ask a Question) on the DevCentral Answers forum.
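
The masking step of the procedure above, as an added example that is not part of the thread or of K21015971: a Python helper that replaces cookie values, credential headers and secret form parameters with **** in a captured request before it is posted. The one-header-per-line input format, the header and parameter lists, and the sample request are assumptions constructed for this illustration.

```python
import re

MASK = "****"
# Headers whose whole value is a credential (assumed list; extend for your application).
SECRET_HEADERS = {"authorization", "proxy-authorization", "x-api-key", "x-amz-security-token"}
# Form/query parameter names treated as secrets (assumed list; sesskey is Moodle's form token).
SECRET_PARAMS = {"password", "passwd", "token", "sesskey", "apikey"}

def mask_cookies(value):
    """Keep cookie names so the request stays recognisable; mask every value."""
    parts = []
    for pair in value.split(";"):
        name, sep, _ = pair.strip().partition("=")
        if name:
            parts.append(f"{name}={MASK}" if sep else name)
    return "; ".join(parts)

def mask_params(text):
    """Mask values of secret-named parameters in a URL or urlencoded body."""
    names = "|".join(sorted(SECRET_PARAMS))
    return re.sub(rf"(?i)(?<![\w-])({names})=[^&\s#]*", rf"\1={MASK}", text)

def mask_request(raw):
    """Mask a captured request given as 'Name: value' lines plus optional body lines."""
    out = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key == "cookie":
            line = f"{name}: {mask_cookies(value)}"
        elif sep and key in SECRET_HEADERS:
            words = value.split()
            scheme = words[0] + " " if len(words) > 1 else ""  # keep e.g. "Bearer"
            line = f"{name}: {scheme}{MASK}"
        else:
            line = mask_params(line)
        out.append(line)
    return "\n".join(out)

# Constructed sample request (not taken from the thread).
SAMPLE = """\
Method: POST
URI: /course/modedit.php?update=1&return=1
cookie: MoodleSession=constructedsessionvalue; _gat=1
Authorization: Bearer constructed.token.value

sesskey=Constructed123&name=Quiz+1&introeditor=%3Cp%3Ehello%3C%2Fp%3E"""

if __name__ == "__main__":
    print(mask_request(SAMPLE))
```

Non-secret fields such as the URI and the remaining form parameters are left intact, since those are what the rule author needs to reproduce the match.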