Forum Discussion
Lazar_92526
Nimbostratus
May 22, 2013
SQL-INJ "drop Schema" reporting in ASM 11.3
All,
In our 11.3 ASM, we tripped an attack signature detected for the following. Looking to understand why this registered? I see schema included as part of the parameter value, but is tha...
Chris_Campbell1
Cirrus
May 23, 2013
Depending on the signature, it can be a keyword type or a regex type (you can see all the signature options here: http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/config_guide_asm_10_2_0/asm_apx_attack_sig_syntax.html1005373), so it's certainly enough to say that if the signature was matched then a suspicious value was found. Having said that, you need a full understanding of the application to say whether the particular match was a false positive or not. Usually the source of the attack gives you some clue: was this from an authenticated user? Can you find out who that user is and speak to them?