

SimonS_84965
Oct 21, 2014

How to exclude ASM signatures with "Attack Type: Command Execution"

We have recently installed ASM (it's great fun) and are currently baselining a dozen or so web apps. Using the policy learning feature (with wildcards on most things) we have managed to find a healthy point of protection vs false positives (one example is a student information system)... however, the ASM signatures with "Attack Type: Command Execution" do some pretty basic checks for words like "perl" or "ruby", which often appear in parameters as people's names, or in our issue tracking software when our developers are recording notes we see "bash" etc. matched. The challenge is that whilst we can simply "ignore" these one at a time, it doesn't scale well and it would make more sense to simply be able to do an != style match using the metadata of the attack set.

For example:

We want to 'subscribe' to the ever-growing sets like Systems: Apache, Oracle, Unix/Linux... so as to keep up with the latest threats,

but at the same time want to NOT match any signature of type

!= "Attack Type: Command Execution"

I'm aware that under "Security ›› Options : Application Security : Attack Signatures : Attack Signature Sets ›› Signature Set Properties" you can swap the 'type' to 'manual', but this requires ongoing manual work.

Ideally, under each policy's "Security ›› Application Security : Attack Signatures : Attack Signatures Configuration" you could set an invert as part of the "Attack Signature Sets Assignment".

Any thoughts?

3 Replies

  • I can see that under "Security ›› Application Security : Parameters : Parameters List ›› Parameter Properties" you can simply disable signatures individually (or as a whole) for 1 (or *) parameters. It doesn't seem to let you select from a signature set though, just individuals.
  • I've been advised that this isn't really possible (I did mention it would make a nice feature); the suggestion from F5 was that this is better handled per parameter, which doesn't help if you are (as I am) running wildcard (*). I'm going to try a redesign to see if I can achieve the same requirements via a different approach.
  • Is this what you want?

    If you go to Security>Application Security>Attack Signatures>Attack Signatures list and click on "Show filter details" you can filter for "Attack type: Command Execution". Then click "change properties" at the bottom of the page and you can disable all the signatures that match the filter.
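The filter-then-disable step in the reply above, applied at scale: this added example (not code from the thread or from F5) plans which per-policy signature entries to disable for one attack type, working over constructed sample data shaped like the iControl REST ASM collections (attack-types, signatures, policies/<id>/signatures); those field names and link formats are an assumption of this example, as is the policy id pol-1.

```python
from urllib.parse import urlsplit

# Constructed sample data (assumption: shaped like iControl REST ASM
# collections; field names and "?ver=" link suffixes are not from the thread).
ATTACK_TYPES = {"items": [
    {"name": "Command Execution",
     "selfLink": "https://localhost/mgmt/tm/asm/attack-types/at-cmd?ver=11.6.0"},
    {"name": "SQL-Injection",
     "selfLink": "https://localhost/mgmt/tm/asm/attack-types/at-sqli?ver=11.6.0"},
]}
SIGNATURES = {"items": [
    {"name": "bash", "selfLink": "https://localhost/mgmt/tm/asm/signatures/sig-1?ver=11.6.0",
     "attackTypeReference": {"link": "https://localhost/mgmt/tm/asm/attack-types/at-cmd?ver=11.6.0"}},
    {"name": "perl", "selfLink": "https://localhost/mgmt/tm/asm/signatures/sig-2?ver=11.6.0",
     "attackTypeReference": {"link": "https://localhost/mgmt/tm/asm/attack-types/at-cmd?ver=11.6.0"}},
    {"name": "UNION SELECT", "selfLink": "https://localhost/mgmt/tm/asm/signatures/sig-3?ver=11.6.0",
     "attackTypeReference": {"link": "https://localhost/mgmt/tm/asm/attack-types/at-sqli?ver=11.6.0"}},
]}
POLICY_SIGNATURES = {"items": [
    {"selfLink": "https://localhost/mgmt/tm/asm/policies/pol-1/signatures/ps-1?ver=11.6.0",
     "signatureReference": {"link": "https://localhost/mgmt/tm/asm/signatures/sig-1?ver=11.6.0"},
     "enabled": True},
    {"selfLink": "https://localhost/mgmt/tm/asm/policies/pol-1/signatures/ps-2?ver=11.6.0",
     "signatureReference": {"link": "https://localhost/mgmt/tm/asm/signatures/sig-2?ver=11.6.0"},
     "enabled": False},   # already disabled: nothing to do
    {"selfLink": "https://localhost/mgmt/tm/asm/policies/pol-1/signatures/ps-3?ver=11.6.0",
     "signatureReference": {"link": "https://localhost/mgmt/tm/asm/signatures/sig-3?ver=11.6.0"},
     "enabled": True},    # different attack type: must stay enabled
]}


def canon(link):
    """Compare references by path only; the ?ver= query can differ between calls."""
    return urlsplit(link).path


def plan_disable(attack_type, attack_types, signatures, policy_signatures):
    """Return (policy-signature selfLink, PATCH body) pairs for every enabled
    entry whose signature belongs to `attack_type`. Pure planning: nothing is
    sent to the device, so the list can be reviewed before any change is made."""
    type_paths = {canon(t["selfLink"]) for t in attack_types["items"]
                  if t["name"] == attack_type}
    sig_paths = {canon(s["selfLink"]) for s in signatures["items"]
                 if canon(s.get("attackTypeReference", {}).get("link", "")) in type_paths}
    return [(p["selfLink"], {"enabled": False})
            for p in policy_signatures["items"]
            if p.get("enabled", True)
            and canon(p["signatureReference"]["link"]) in sig_paths]
```

Each pair is one PATCH against its selfLink; because new signatures keep arriving through the assigned sets, the plan has to be re-run after each signature update, which is the ongoing work the original post was hoping to avoid.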