Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Attack Signature Detected "Type="

bcarreker
Cirrus
Cirrus

‎23-Aug-2022 08:18

Hello,

I have some users that are receiving an F5 error page with a session ID. Looks like the WAF detected a false positive. I've included a screenshot of the violation. Has anyone come across this? I am unable to adjust the policy via Traffic Learning, so is it possible to manually make a change in the policy configuration? 

Also, is it strange that the F5 WAF is blocking traffic from this violation, eventhough "Blocking" isn't listed under the "Applied Blocking Settings" from the report?

Labels:
Preview file
30 KB
0 Kudos
3 REPLIES 3

Mohamed_Salah_
MVP
MVP

‎24-Aug-2022 08:14

Hello,

 

can you share the screenshotsyou are talking about? also, could you please share a screenshot from the policy builiding settings for this policy?

 

Thanks,

Mohamed Salah

0 Kudos

Mohamed_Salah_
MVP
MVP
In response to Mohamed_Salah_

‎24-Aug-2022 08:16

Hello,

 

Sorry, didn't notice the attached screenshot. this logs shows that this attack signature wasn't the reason for blocking as only learn and alarm are enabled for this.

So, please can show us the while request along with the policy building settings.

 

Thanks,

Mohamed Salah

0 Kudos

bcarreker
Cirrus
Cirrus

‎26-Aug-2022 08:55

I ended up finding the solution. 

Under "Security>Application Security>URLs>Allowed URLs>Allowed HTTP URLs", I added "type = application / script (Parameter) (2)" under the "Overriden Security Policy Settings"

 

This violation is no longer being triggered. 

Copyright © 2023 Khoros, LLC