PeterHession
Mar 18, 2019

Turn off Specific ASM Signatures for a Cookie

Running 12.1.x and am trying to figure out how to turn off specific signatures from firing for values of a specific cookie.

 

The cookie in question is placed by third-party performance monitoring software, and oftentimes what is put in those cookies contains information about the URLs or other objects on the page, causing a variety of path traversal and XSS signatures to go off. This cookie can be placed under various circumstances for various URLs and gets sent on a variety of requests (form data, JSON, multi-part, etc.), always with the same name. It does not appear on every request.

I tried setting up the cookie name as a parameter and turning off the signatures that way, but that of course doesn't work since it's not really a posted or URL parameter. I'm not going to disable this wide swath of signatures for the entire site, so that's not an option. I saw previous DevCentral responses for 11.x stating that you could use Content Profiles. I set up a JSON profile and associated it with the * URL to be turned on when the cookie is present and confirmed that this will stop those signatures from firing. However, this doesn't really work since the requests with that cookie can be any type of content in the post and I can't set a profile for normal post data; additionally, this turns it off for all fields instead of just for the cookie. I'd also like to avoid using LTM policy to switch ASM policies based on the cookie presence and have to manage multiple policies for something seemingly this simple.

Is there any official non-kludgy way of turning off specific ASM attack signatures for a specific cookie?

 
