Analyzing F5 OWASP rule matches

tboemker · ‎31-Jan-2022

I am seeing lots of requests that match the following rules:
rule_XSS_script_tag__Parameter__AllQueryArguments_Body
rule_div_tag__behavior__Parameter__AllQueryArguments_Body
rule_chmod_execution_attempt__Parameter__AllQueryArguments_Body
rule_SQL_INJ_end_quote_UNION__Parameter__AllQueryArguments_Body

How can I determine why the requests are matching?

#F5 rules for AWS WAF

JRahm · ‎31-Jan-2022

Do you have source documentation for what you're referencing? Any details will be helpful, I'll see if I can track this down for you internally.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral

tboemker · ‎31-Jan-2022

These rules are part of the F5 OWASP managed rule set. That's all the documentation I have.

JRahm · ‎31-Jan-2022

URL for the product? Want to make sure we're looking at the same thing. Don't have much exposure to the aws waf f5 rules.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral

tboemker · ‎31-Jan-2022

https://aws.amazon.com/marketplace/pp/prodview-ah3rqi2hcqzsi

JRahm · ‎31-Jan-2022

And you've setup the steps on pages 12-15 in the getting started guide: https://pages.awscloud.com/rs/112-TZM-766/images/F5_OWASP_Getting%20Started%20Guide.pdf?

I'm asking around internally, will let you know what I find.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral

tboemker · ‎01-Feb-2022

As much as possible, yes. (The doc appears to have been written for an older version of the WAF Console.) I do not see request bodies in the logs, and Amazon Support said that they don't log request bodies.

JRahm · ‎01-Feb-2022

ok thanks for the info, I'll keep you posted.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral

DevCentral

Analyzing F5 OWASP rule matches

Khoros Kudos Award 2022