Forum Discussion
Managing false positives in WAF policy
You're right in your thinking - if you accept that suggestion, ASM will disable that specific signature on the Wildcard parameter, which is probably not the most ideal move.
Would it be possible to create a specific parameter in the policy and then disable the signature on that? You'd get fine-grained control of signatures that way, and only disable the problematic signatures on what is expected to be free-text input (as you've found, XSS & SQL injection signatures can be problematic on things like blog content where natural language or mark-up can quite often collide with signatures).
There isn't a mechanism (AFAIK) to tie the enforcement of signatures back to cookies or authenticated users (which, reading between the lines, seems to be what you're aiming for), but something you might like to investigate is the Session Awareness functionality. Using that and the Delayed Blocking feature could allow you to suppress the blocking action for users with valid sessions for a given number of violations in a defined time period; assuming that a user isn't going to sit there submitting content rapid-fire, of course! Would that get you closer?
- SalishSeaSecurity, Aug 17, 2022 (Altostratus)
Thank you for the clarification. I did look at defining a custom parameter. Unfortunately, it would have been "content". LOL
I wound up writing an iRule that extracts WordPress user ids from cookies to "class match" them against a data group of authorized users.
- AaronJB, Aug 19, 2022 (SIRT)
If you have a manageable list of valid users and you trust the authentication, that's a neat fix 🙂
I recently found an old (WordPress 4.x!) ASM policy template knocking around and took a look at it - although it no longer imports due to schema changes, it is an XML export so you can inspect it manually - and even that policy hasn't defined any specific parameters, just the wildcards present in the base policies, and your problematic signature is enabled in the policy... but it was a nice thought while it lasted! (Policy is here if you're interested: https://github.com/f5devcentral/f5-asm-policy-templates/blob/master/application_ready_template/WordPress_4/WordPress_v4_Ready_Template_v6.1.6_v13.xml)