Forum Discussion
Managing false positives in WAF policy
Thank you for the clarification. I did look at defining a custom parameter. Unfortunately, it would have been "content". LOL
I wound up writing an iRule that extracts WordPress user ids from cookies to "class match" them against a data group of authorized users.
If you have a manageable list of valid users and you trust the authentication, that's a neat fix 🙂
I recently found an old (WordPress 4.x!) ASM policy template knocking around and took a look at it - although it no longer imports due to schema changes, it is an XML export so you can inspect it manually - and even that policy hasn't defined any specific parameters, just the wildcards present in the base policies, and your problematic signature is enabled in the policy... but it was a nice thought while it lasted! (Policy is here if you're interested: https://github.com/f5devcentral/f5-asm-policy-templates/blob/master/application_ready_template/WordPress_4/WordPress_v4_Ready_Template_v6.1.6_v13.xml)