Forum Discussion

Jirka_Placatka_'s avatar
Jirka_Placatka_
Icon for Nimbostratus rankNimbostratus
May 12, 2017

Disable ASM signature for all cookie parameters

Hello

 

How can I disable a signature for all cookies only? Example - I have a cookie:

 

Cookie: .AspNet.ApplicationCookie1 = XGtw4WmA3N_wmXLWU22Y8m1K; .AspNet.ApplicationCookie2 = XXIPqExECpMDvp4KrXsTXMS_9asdf; .... other cookies

 

Names of cookies are changed, the string is a random text from ASP NET. It is false positive.

 

SQL-INJ Stored procedure "exec MS_" (Parameter) 200002275 Context: Cookie Detected Keywords: MS_, ExEC

 

My settings

 

If the exact parameter name is specified in the cookie and the signature is blocked then the query is enabled. This is OK.

 

But if I use * for any name then the query is Blocked.

 

 

How can I disable only listed signatures for all cookie parameters? Can I use * wildcard character?

 

Thank you for your help.

 

3 Replies

  • Tikka_Nagi_1315's avatar
    Tikka_Nagi_1315
    Historic F5 Account

    The wildcard should work. Are you getting false positives after setting the wildcard? What is the violation that is being triggered by ASM?

     

  • Yes there are exceptions - Are high in the text:

     

    SQL-INJ Stored procedure "exec MS_" (Parameter) 200002275

     

    Context: Cookie

     

    Detected Keywords: MS_, ExEC

     

    Only if the exact parameter name in cookie is specified the no exception is detected.

     

    What could be the cause? Any system settings?

     

  • This potentially looks like an ASM bug to me - which version of BIG-IP are you using?

     

    I suggest you first try to create a bit more specific wildcard cookie like this: .AspNet.App* and try to disable the signature on it - if you are still getting SQLInjection false positives - raise a support case with F5 by emailing support@