danielpenna
Nov 20, 2014

Turning off a single Attack Signature for a specific URL and Parameter

Hi All, I am running 11.2.1 code (yes, a little old) and have two particular SQLi attack signatures that are firing on false positives (SQL-INJ 1,1,1 and SQL-INJ "select 0x") on the same Virtual Server, which shares a few different applications/pools.

The first one, SQL-INJ 1,1,1, is firing on a particular URL /docs/uploads because the content being uploaded is in JSON format. The second one, SQL-INJ "select 0x", has fired off several times due to the parameter value "vehicleSelection" sometimes containing the value 0X.

Two questions:

1. Can I turn off a single signature for a particular URL but leave all other signatures still active?
2. Can I turn off a single signature for a particular parameter but leave all other signatures still active?

4 Replies

  • nathe
    1. Can I turn off a single signature for a particular URL but leave all other signatures still active?

    Answer - I don't believe you can. One way would be to have a different security policy for this URL and have the attack signature disabled globally. Might be over-complicating matters but nothing else springs to mind.

     

    2. Can I turn off a single signature for a particular parameter but leave all other signatures still active?

    Answer - absolutely. Create an explicit parameter and then go to its properties; under the Attack Signatures tab, move the offending attack signature to the Override box and select Disabled.

     

    Hope this helps,

    N

  • For question 1: In 11.5+ you can use the iRule event APM_REQUEST_DONE along with ASM::unblock inside your URI logic to allow a particular violation through.

    Here is an example.

  • shaggy

    I've handled scenarios similar to 1 by creating a wildcard parameter that's at the URL Parameter Level (instead of global) and disabling signatures on that parameter.