Forum Discussion

Nimbostratus

Jan 31, 2022

Analyzing F5 OWASP rule matches

I am seeing lots of requests that match the following rules:
rule_XSS_script_tag__Parameter__AllQueryArguments_Body
rule_div_tag__behavior__Parameter__AllQueryArguments_Body
rule_chmod_execution_attempt__Parameter__AllQueryArguments_Body
rule_SQL_INJ_end_quote_UNION__Parameter__AllQueryArguments_Body

How can I determine why the requests are matching?

#F5 rules for AWS WAF

cloud

F5 Rules for AWS WAF

7 Replies

JRahm
Admin
Jan 31, 2022
Do you have source documentation for what you're referencing? Any details will be helpful, I'll see if I can track this down for you internally.
- tboemker
  Nimbostratus
  Jan 31, 2022
  These rules are part of the F5 OWASP managed rule set. That's all the documentation I have.
  - JRahm
    Admin
    Jan 31, 2022
    URL for the product? Want to make sure we're looking at the same thing. Don't have much exposure to the aws waf f5 rules.
tboemker
Nimbostratus
Jan 31, 2022
https://aws.amazon.com/marketplace/pp/prodview-ah3rqi2hcqzsi
- JRahm
  Admin
  Jan 31, 2022
  And you've setup the steps on pages 12-15 in the getting started guide: https://pages.awscloud.com/rs/112-TZM-766/images/F5_OWASP_Getting%20Started%20Guide.pdf?
  
  I'm asking around internally, will let you know what I find.
tboemker
Nimbostratus
Feb 01, 2022
As much as possible, yes. (The doc appears to have been written for an older version of the WAF Console.) I do not see request bodies in the logs, and Amazon Support said that they don't log request bodies.
JRahm
Admin
Feb 01, 2022
ok thanks for the info, I'll keep you posted.