Forum Discussion
Samir
MVP
do you mean that in the second example the netstat.exe is treated as parameter and not as fle type? Its parameter(Query String) not file type.
and how should I act on positional parameters to block these kind of request?
- Navigate to Security ›› Application Security : Policy Building : Learning and Blocking Settings > Illegal parameter data type
- Then Security ›› Application Security : Parameters : Parameters List ›› Add Parameter...
- Parameter Level: URL, URL Path: GET, Location: Query string, Parameter Value Type: User-input values, Data Type: Alpha-Numbric, Regular Expression: ^(.*\.)(exe)$
Hope it will work.
Abed_AL-R
Mar 31, 2022Cirrostratus
Hi
Thanks for your response
That actually did not work. We opened a case to F5 TAC and they provided this solution and it worked. Here I'm sharing their solution:
1)_ Use the REGEX : (([A-Za-z0-9_-]+)\.exe).*$
2)_ Create Attack Signature List
Security ›› Options : Application Security : Attack Signatures : Attack Signatures List
3)_ Create a custom "Attack Signature Sets" or add to existing Set the new signature.
Security ›› Options : Application Security : Attack Signatures : Attack Signature Sets
4)_ Enforce the Signature in the policy
Security ›› Application Security : Security Policies : Policies List ›› <Policy_name> >> Attack Signatures