Forum Discussion
Turning off a single Attack Signature for a specific URL and Parameter
Hi All, I am running 11.2.1 code ( yes, a little old ) and have two particular Attack SQLi attack signatures that are firing on false positives ( SQL-INJ 1,1,1 and SQL-INJ "select 0x") and the same Virtual Server which shares a few different applications/pools.
The first one, SQL-INJ 1,1,1, is firing on a particular URL /docs/uploads due to the content being upload is a JSON format. The second one, SQL-INJ "select 0x" has fired off several times due to the paramater value "vehicleSelection" sometimes containing the value 0X.
Two questions:
1. Can I turn off a single signature for a particular URL but leave all other signatures still active ?
2. Can I turn off a single signature for a particular parameter but leave all other signatures still active ?4 Replies
- nathe
Cirrocumulus
- Can I turn off a single signature for a particular URL but leave all other signatures still active ?
Answer - I don't believe you can. One way would be to have a different security policy for this URL and have the attack signature disabled globally. Might be over-complicating matters but nothing else springs to mind.
- Can I turn off a single signature for a particular parameter but leave all other signatures still active ?
Answer - absolutely. Create an explicit parameter and then go to its properties, under Attack Signatures tab move the offending attack signature to the Override box and select Disabled.
Hope this helps,
N
- Drew_128543
Nimbostratus
For question 1: In 11.5+ you can use the iRule even APM_REQUEST_DONE along with ASM::unblock inside your URI logic to allow a particular violation through.
" target="_blank">Here is an example.
- danielpenna
Cirrus
Thanks Drew/Nathan..appreciate the help
- shaggy
Nimbostratus
i've handled scenarios similar to 1 by creating a wildcard parameter that's at the URL Parameter Level (instead of global) and disabling signatures on that parameter.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com