
Attack Signature False Positive Mode

THE_BLUE
Cirrus

There is an option under Learning and Blocking Settings for:

Attack Signature False Positive Mode

Note: If a signature false positive is allowed, this signature will not block the request.

So does this mean the F5 will detect whether it is a false positive and then allow it (based on my selection), and if it is a real attack it will be blocked? If yes, then how does the F5 tell whether it's a false positive or a real attack?

Will this minimize false positives? Is it recommended to activate it?


6 REPLIES

Erik_Novak
F5 Employee

In some cases, attack signatures may match benign input detected on requests for URLs, parameter values, header values, etc., which results in false positive violations. To reduce the likelihood of this problem, you can configure false positive mode, which creates similarity patterns that correspond to frequently detected traffic inputs. If it is discovered that an attack signature has matched input that corresponds to one of these frequent similarity patterns, this signature match is considered a false positive. This signature match will not block a request if no other blocking violations were detected.

So does this mean the WAF will create the pattern of the false positive? Based on what? And this will not affect real attack attempts?

Erik_Novak
F5 Employee

Yes, it means F5 Advanced WAF will create the pattern and detect false positive attack signature violations based on traffic similarity. Numerous common requests are most likely benign. Requests similar to the majority of requests are most likely benign. When you enable "Potential False Positive Detection" the system will automatically develop multiple request similarity tests, and requests which pass the tests are considered safe. Real attack attempts almost always contain outliers such as strings or meta characters which are dissimilar to most traffic. These are detected and blocked if the signature is enforced. There's a lot of math going on behind the scenes.
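As an added illustration (not F5's code, and not its actual similarity math, which this thread does not describe), here is a simplified model of the mechanism Erik outlines: the character-class shapes of frequently seen parameter values become similarity patterns, a signature match on a value whose shape is frequent is downgraded to alarm-only, and a match on an outlier value is blocked. The signature regex, the baseline values and the thresholds are all constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed stand-in for a "SQL keywords in a parameter" attack signature.
# It is not an actual F5 signature definition.
SIGNATURE = re.compile(r"\bselect\b.+\bfrom\b", re.IGNORECASE)

def shape(value):
    """Map letters->a, digits->d, whitespace->' ', keep meta characters literally,
    and collapse runs, so values differing only in words share one pattern."""
    out = []
    for ch in value:
        cls = "a" if ch.isalpha() else "d" if ch.isdigit() else " " if ch.isspace() else ch
        if not out or out[-1] != cls:
            out.append(cls)
    return "".join(out)

class SimilarityPatterns:
    """Learn which (parameter, shape) pairs dominate the baseline traffic."""
    def __init__(self, min_share=0.2, min_count=3):
        # Assumed thresholds: a shape is 'frequent' once it is both common in
        # absolute terms and a meaningful share of that parameter's traffic.
        self.min_share, self.min_count = min_share, min_count
        self.seen = defaultdict(Counter)   # param name -> Counter of shapes

    def learn(self, param, value):
        self.seen[param][shape(value)] += 1

    def is_frequent(self, param, value):
        counts = self.seen[param]
        n, total = counts[shape(value)], sum(counts.values())
        return total > 0 and n >= self.min_count and n / total >= self.min_share

def evaluate(patterns, param, value):
    """Signature match on a frequent shape -> alarm-only (potential false positive);
    signature match on an outlier shape -> block; no match -> allow."""
    if not SIGNATURE.search(value):
        return "allow"
    if patterns.is_frequent(param, value):
        return "alarm-only"
    return "block"

def build_baseline():
    """Constructed baseline standing in for the hours of traffic the WAF observes."""
    p = SimilarityPatterns()
    for v in ["select chairs from catalog", "select lamps from catalog",
              "select tables from outlet", "select 2 rugs from sale",
              "blue sofa", "lamp 3"]:
        p.learn("q", v)
    return p
```

In this toy, three of the six benign search strings share the shape "a a a a", so a later search of that shape that trips the signature is only alarmed, while a value containing quotes, semicolons and comment characters has a shape the baseline never saw and is blocked.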

Dear Erik,

Clear, many thanks. Appreciate your support.

Dear Erik,

Just a question: how long does it take to make sure of that? Also, what can I see if it's a false positive? In the event logs?

Erik_Novak
F5 Employee

The system is designed to establish an optimal baseline similarity after gathering data for about 12 hours. The data is recalculated at regular intervals during that 12-hour period and continually updated. You won't see anything regarding false positives in the event log. However, there is a tmstat table called "asm_similarity_pattern" that can be used (for debugging only). You will need to define the maximum number of rows the table will have by adding an internal parameter:

/usr/share/ts/bin/add_del_internal add similarity_pattern_max_tmstat_rows 100

Restart the ASM service (tmsh bigstart restart asm)

Send some traffic and then review the table:

tmctl asm_similarity_pattern