Forum Discussion

libri_elio_1583
Jan 29, 2015

Do not log a specific active signature on ASM

Hi all,

On my application I receive many HTTP requests from the Microsoft Office autodiscovery tool. The WAF detects an LDAP injection because in the XML request the sender puts the /o=xxxxx/ou=xxxxx/cn=xxxxx information.

I would like to block this traffic (because the URL is not present on my WebApp) but I would not like to log the signature LDAP injection attempt ( cn ) 200005006.

In the following you can see the HTTP request that I would like to block but not log.

POST /autodiscover/autodiscover.xml HTTP/1.1
Content-Type: text/xml
User-Agent: Microsoft Office/15.0 (Windows NT 6.1; Microsoft Outlook 15.0.4659; Pro)

/o=xxxxx/ou=xxxxx/cn=xxxxx/cn=xxxxx
http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a

Thank you all

3 Replies

  • nathe

    Could you add /autodiscover/* as a Disallowed URL? Of course you would still get Illegal URLs logged. If you didn't want to see this at all, you may want to have an iRule on the VIP to drop traffic to /autodiscover/.

    Hope this helps,

    N

  • I recommend an iRule to block the URI "/autodiscover/autodiscover.xml", because the 'violation' is automatically generated by a program. So for me, it isn't a 'security violation', but Disallowed URLs generate a log entry.

  • Thank you all!

    Based on your feedback I assume that you cannot block without logging an HTTP request on ASM.
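
The iRule approach suggested in the replies, sketched as an added example that is not part of the original thread and not F5's own code. It assumes the iRule is attached to the same virtual server as the ASM policy and that it acts on the request before ASM evaluates it; confirm on your version that no ASM event is written for these requests.

```tcl
# Added example: discard Outlook autodiscover probes on the virtual server
# so they never reach the application.
when HTTP_REQUEST {
    # Compare on the lower-cased path (query string excluded) so that
    # /AutoDiscover/AutoDiscover.xml is matched as well.
    switch -glob -- [string tolower [HTTP::path]] {
        "/autodiscover/*" {
            # drop discards the connection silently; the client sees a timeout.
            # Use "reject" instead to send a TCP reset so the client fails fast.
            drop
            return
        }
        default {
            # All other requests continue through normal processing,
            # including the ASM policy with signature 200005006 still active.
        }
    }
}
```

Because the match is limited to the /autodiscover/ path, the LDAP injection signature stays enabled and logged for every other URL.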