Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Analyzing F5 OWASP rule matches

tboemker
Nimbostratus
Nimbostratus

‎31-Jan-2022 11:55 - edited ‎31-Jan-2022 11:59

I am seeing lots of requests that match the following rules:
rule_XSS_script_tag__Parameter__AllQueryArguments_Body
rule_div_tag__behavior__Parameter__AllQueryArguments_Body
rule_chmod_execution_attempt__Parameter__AllQueryArguments_Body
rule_SQL_INJ_end_quote_UNION__Parameter__AllQueryArguments_Body

How can I determine why the requests are matching?

#F5 rules for AWS WAF

Labels:
0 Kudos
7 REPLIES 7

JRahm
Community Manager
Community Manager

‎31-Jan-2022 13:47

Do you have source documentation for what you're referencing? Any details will be helpful, I'll see if I can track this down for you internally.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral
0 Kudos

tboemker
Nimbostratus
Nimbostratus
In response to JRahm

‎31-Jan-2022 13:53

These rules are part of the F5 OWASP managed rule set. That's all the documentation I have.

0 Kudos

JRahm
Community Manager
Community Manager
In response to tboemker

‎31-Jan-2022 13:55

URL for the product? Want to make sure we're looking at the same thing. Don't have much exposure to the aws waf f5 rules.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral
0 Kudos

tboemker
Nimbostratus
Nimbostratus

‎31-Jan-2022 13:58

https://aws.amazon.com/marketplace/pp/prodview-ah3rqi2hcqzsi

0 Kudos

JRahm
Community Manager
Community Manager
In response to tboemker

‎31-Jan-2022 16:03 - edited ‎31-Jan-2022 16:08

And you've setup the steps on pages 12-15 in the getting started guide: https://pages.awscloud.com/rs/112-TZM-766/images/F5_OWASP_Getting%20Started%20Guide.pdf?

I'm asking around internally, will let you know what I find.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral
0 Kudos

tboemker
Nimbostratus
Nimbostratus

‎01-Feb-2022 07:25

As much as possible, yes. (The doc appears to have been written for an older version of the WAF Console.) I do not see request bodies in the logs, and Amazon Support said that they don't log request bodies.

0 Kudos

JRahm
Community Manager
Community Manager

‎01-Feb-2022 09:51

ok thanks for the info, I'll keep you posted.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral
0 Kudos
Copyright © 2023 Khoros, LLC