Attack Signature False Positive Mode

Question

There is an option under learning and blocking settings for :

Note: If a signature false-positive is allowed this signature will not block the request.

so is this mean, the F5 will detect if it is false positive then will detect and allow ( based on my selection) and if it is real attack then it will be blocked? if yes then how the F5 say it's false positive or real attack.

Does this will minimize the false positive? it is recommended to activate it?

erik_novak · Accepted Answer

Yes, it means F5 Advanced WAF will create the pattern and detect false positive attack signature violations based on traffic similarity.  Numerous common requests are most likely benign. Requests similar to the majority of requests are most likely benign. When you enable "Potential False Positive Detection" the system will automatically develop multiple request similarity tests, and requests which pass the tests are considered safe. Real attack attempts almost always contain outliers such as strings or meta characters which are dissimilar to most traffic. These are detected and blocked if the signature is enforced. There's a lot of math going on behind the scenes.

erik_novak · Answer

In some cases, attack signatures may match benign input detected on requests for URLs,

parameter values, header values, etc. which result in false positive violations. To reduce the likelihood of this problem, you can configure false positive mode which creates similarity patterns that correspond to frequently detected traffic inputs. If it is discovered that an attack signature has matched input that corresponds to one of these frequent similarity patterns, this signature match is considered a false positive. This signature match will not block a request if no other blocking violations were detected.

the_blue · Answer

so is this mean the WAF will create the pattern of false positive ? based on what? and this will not affect the real attack attempts?

the_blue · Answer

Dear Erik, Clear, many thanks. Appreciate your support.

the_blue · Answer

Dear Erik,jut question, How long does it take to make sure of that? Also, what can I see if it's false positive  ? in event logs?&nbsp;

erik_novak · Answer

The system is designed to establish optimal baseline similarity after gathering data for about 12 hours. The data is recalculated at regular intervals during that 12 hour period and continually updated. You won't see anything regarding false positives in the event log. However, there is a tmstat table called "asm_similarity_pattern" that can be used (for debugging only.) You will need to define the maximum number of rows the table will have by adding an internal parameter:

/usr/share/ts/bin/add_del_internal add similarity_pattern_max_tmstat_rows 100

Restart the ASM service (tmsh bigstart restart asm)

Send some traffic and the review the table:

tmctl asm_similarity_pattern

Forum Discussion

Attack Signature False Positive Mode

6 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Wildcard Parameter signature attack

Live Update- ASM attack signatures

F5 Distributed Cloud WAF AI/ML Model to Suppress False Positives

Default Attack Signature Sets