For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

SalishSeaSecurity's avatar
SalishSeaSecurity
Icon for Altostratus rankAltostratus
Aug 10, 2022

Managing false positives in WAF policy

Situation overview: 1) a Wordpress server that has always been under heavy attack was recently moved behind a F5 WAF 2) the WAF is dropping malicious traffic (thank you F5!) 3) the WAF is also dro...
security
waf
SalishSeaSecurity's avatar
SalishSeaSecurity
Icon for Altostratus rankAltostratus
Aug 17, 2022

Thank you for the clarification.  I did look at defining a custom parameter. Unfortunately, it would have been "content".  LOL

I wound up writing an iRule that extracts WordPress user ids from cookies to "class match" them against a data group of authorized users.  

AaronJB's avatar
AaronJB
Ret. Employee
Aug 19, 2022

If you have a manageable list of valid users and you trust the authentication, that's a neat fix 🙂

I recently found an old (Wordpress 4.x!) ASM policy template knocking around and took a look at it - although it no longer imports due to schema changes, it is an XML export so you can inspect it manually - and even that policy hasn't defined any specific parameters, just the wildcards present in the base policies, and your problematic signature is enabled in the policy.. but it was a nice thought while it lasted! (Policy is here if you're interested: https://github.com/f5devcentral/f5-asm-policy-templates/blob/master/application_ready_template/WordPress_4/WordPress_v4_Ready_Template_v6.1.6_v13.xml)