Forum Discussion
Multiple violations for File-upload behind ASM
Hello Folks,
I am experiencing quite weird behavior with F5 ASM on 11.6.0 HF6 with one of the customers. The issue is, ASM is detecting file uploading as malicious traffic and triggering multiple different signatures.
Though I have created a file uploading parameter, which I found from the HTTP REQUEST HEADER within "multipart/form-data", it seems ineffective. Following is the complete HTTP REQUEST.
POST /epublicsector_ara/start.swe?SRN=KLyBkgFt7u1DMFqJX4yyLqXNbSyceuTBcqcSB4KzKcgb HTTP/1.1
SWESession: TS01d3802b=011bd6b25032ca6b64b728506e93375f4851f91fa2362a319f7ff7390920ffb3781595bbf4ff1db9dd55f89a7367c3113fb808b1d410723dd3805ffe617641dcd661da8c82; SWEUAID=none; SGCRM-COOKIE=3935173898.20480.0000; TS0160d34b=011bd6b250cc5c5419ac4c3d1645b0be3eeda26635f3e94a2e94ba76915da8199f08ec69d177fcca8a8938559fa14b5b3940f9c495
Content-Type: multipart/form-data; boundary=------------------------------1453093530
Content-Length: 88852
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
Host: 1gov.abudhabi.ae
Cache-Control: no-cache
Cookie: _sn=OQ0ZDiRGueyA88dyhdKGs6B4gHCYXPRHfrMe6zxEYnLS.JwbT1OMP8iVOAg1ZaB7IYpcyX4IlQQxNAOTGpU7yqT0StvTXa6ssmT1YcV3ZU9wrDSMvchu6DPcDAzDPFDGLkZhsJmNzJh.Rp23kIB.N84iEdgjsExDoNe5GryIJzDcJypyYJaZuAQnhFZAXqs4alaabrpoH4Y_; TS01d3802b=011bd6b25032ca6b64b728506e93375f4851f91fa2362a319f7ff7390920ffb3781595bbf4ff1db9dd55f89a7367c3113fb808b1d410723dd3805ffe617641dcd661da8c82; SWEUAID=none; SGCRM-COOKIE=3935173898.20480.0000; TS0160d34b=011bd6b2504813b2ac7dbc505636fef65aa62b48dadbd2f087624e744621fcb2297ee21aaf7d873a84e117fc409408d273ef1a6af2
X-Forwarded-For: 10.113.0.25
------------------------------1453093530
Content-Disposition: form-data; name="SWEView"
HLS Case Note View
------------------------------1453093530
Content-Disposition: form-data; name="SWEApplet"
HLS Case Attachment Applet
------------------------------1453093530
Content-Disposition: form-data; name="SWERowIds"
SWERowId0=1-KUA4ND
------------------------------1453093530
Content-Disposition: form-data; name="SWECmd"
InvokeMethod
------------------------------1453093530
Content-Disposition: form-data; name="SWEMethod"
NewFileAttachment
------------------------------1453093530
Content-Disposition: form-data; name="SWERPC"
1
------------------------------1453093530
Content-Disposition: form-data; name="s_SweFileName"; filename="C:%5cUsers%5cm.rashed%5cDesktop%5cNew%20folder%20(7)%5c%d8%a8%d9%82%d8%a7%d9%84%d8%a9.pdf"
Content-Type: application/octet-stream
%PDF-1.4
1 0 obj
<<
/Creator (Oracle11gR1 AS Reports Services)
/CreationDate (D:20151004082642)
/ModDate (D:20151004082642)
/Producer (Oracle PDF driver)
/Title ()
/Author (Oracle Reports)
>>
endobj
5 0 obj
<>
...
.......
The File Uploading Parameter I have created is "s_SweFileName". I also followed the below article, which I thought would be useful in this scenario, but that didn't help.
https://devcentral.f5.com/articles/file-uploads-and-asm
Can anyone help me with fine-tuning / understanding what needs to be done to avoid this false positive? It is a tedious job to keep on ignoring all the signatures, and also relaxing security to that level is not acceptable, right?
Looking for your help.
Thank you, Darshan
- swo0sh_gt_13163Altostratus
Can anyone please reply to this thread?
- dracoNimbostratus
Hi,
Did you get this to work?
I would advise you to start a new question with your specific details; I have doubts you are running the same version and exact same website. So share your details, provide the violation information exactly as shown, and perhaps someone can help here.
- Tom_Desmet_1396Nimbostratus
We are experiencing the same problem. Can somebody please have a look at this?
Thanks!
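Added example, not part of the original thread: when tuning a WAF policy for an upload like the one posted above, it helps to inventory the multipart parts the client actually sends, so the parameter names defined in the policy can be compared against them. The function names and the sample body are constructed for illustration; the parser returns an empty list when the body delimiters are not in the `--` + boundary form that RFC 2046 requires.

```python
from email import message_from_bytes

BOUNDARY = "----------------------------1453093530"  # constructed sample value
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY


def build_body(delim: str) -> bytes:
    """Constructed sample body shaped like the request in the post."""
    return (
        f"{delim}\r\n"
        'Content-Disposition: form-data; name="SWEMethod"\r\n\r\n'
        "NewFileAttachment\r\n"
        f"{delim}\r\n"
        'Content-Disposition: form-data; name="s_SweFileName"; '
        'filename="C:%5cTemp%5creport.pdf"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        "%PDF-1.4\r\n"
        f"{delim}--\r\n"
    ).encode("ascii")


def inventory_parts(content_type: str, body: bytes) -> list:
    """List every form-data part: name, filename, declared type, PDF magic.

    Returns [] when no '--' + boundary delimiter is found, i.e. the body
    cannot be split into parts at all.
    """
    raw = b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n" + body
    msg = message_from_bytes(raw)
    if not msg.is_multipart():
        return []
    parts = []
    for part in msg.get_payload():
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        parts.append({
            "name": part.get_param("name", header="content-disposition"),
            "filename": filename,
            "is_file": filename is not None,          # candidate file upload parameter
            "declared_type": part.get("Content-Type"),  # None if the part has no header
            "pdf_magic": payload.startswith(b"%PDF-"),
        })
    return parts


if __name__ == "__main__":
    for p in inventory_parts(CONTENT_TYPE, build_body("--" + BOUNDARY)):
        print(p)
    # Delimiter lines missing the leading "--": nothing can be parsed.
    print(inventory_parts(CONTENT_TYPE, build_body(BOUNDARY)))
```

Only parts reported with `is_file` set carry a `filename` attribute; the remaining parts are ordinary form fields and are still subject to normal parameter checks.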