23-Mar-2022 03:25 - edited 23-Mar-2022 03:26
F5 v15.1.3.1
My F5 ASM policy is configured to block command executions and illegal file types
but for example if I try to browse this url:
https://my.web.site/netstat.exe
Then ASM blocks the request
But if I try https://my.web.site/path?netstat.exe
It is not getting blocked
Any explanation?
23-Mar-2022 04:13
Good question..
1. https://my.web.site/netstat.exe ==> here netstat.exe comes as a file type and ASM quickly blocks it, as you have selected "Illegal file type" to be blocked during policy creation.
2. https://my.web.site/path?netstat.exe ==> here the URI is "path?netstat.exe" & you have not asked ASM to block it and hence the request is allowed. You need to act on positional parameters to block this kind of request.
23-Mar-2022 04:49
thanks for the reply
do you mean that in the second example the netstat.exe is treated as a parameter and not as a file type?
and how should I act on positional parameters to block this kind of request?
23-Mar-2022 07:15
do you mean that in the second example the netstat.exe is treated as a parameter and not as a file type?
It's a parameter (query string), not a file type.
and how should I act on positional parameters to block this kind of request?
Hope it will work.
30-Mar-2022 23:24
Hi
Thanks for your response
That actually did not work. We opened a case to F5 TAC and they provided this solution and it worked. Here I'm sharing their solution:
1)_ Use the REGEX : (([A-Za-z0-9_-]+)\.exe).*$
2)_ Create Attack Signature List
Security ›› Options : Application Security : Attack Signatures : Attack Signatures List
3)_ Create a custom "Attack Signature Sets" or add to existing Set the new signature.
Security ›› Options : Application Security : Attack Signatures : Attack Signature Sets
4)_ Enforce the Signature in the policy
Security ›› Application Security : Security Policies : Policies List ›› <Policy_name> >> Attack Signatures
31-Mar-2022 00:14
Thank you so much for adding comments. Can you please throw some light on step 3?
01-Apr-2022 07:48
To be honest, I skipped step 3 🙂
09-Apr-2022 05:07
In order to block the request, you can follow these steps:
1)_ Fix and use the REGEX : (([A-Za-z0-9_-]+)\.exe).*$
Tool: https://regex101.com/
2)_ Create Attack Signature List.
Security ›› Options : Application Security : Attack Signatures : Attack Signatures List
3)_ Create custom "Attack Signature Sets"
Security ›› Options : Application Security : Attack Signatures : Attack Signature Sets
4)_ Enforce the Signature in the policy
5)_ Test
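Added example (not from the thread or F5's own code) that models the distinction the replies above draw: the illegal-file-type check keys on the extension of the request path, while the TAC-suggested regex runs over the query string, which is why /netstat.exe and /path?netstat.exe are handled differently. The illegal-type set and the percent-decoding step are assumptions for the demo, not ASM's actual configuration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Regex from the TAC solution in the thread, applied to the query string.
EXE_SIGNATURE = re.compile(r"(([A-Za-z0-9_-]+)\.exe).*$")

# Constructed sample of "illegal" extensions for the demo; ASM's real list
# comes from the policy's File Types settings.
ILLEGAL_FILE_TYPES = {"exe", "dll", "bat"}


def classify(url):
    """Return (verdict, matched_text) for a request URL.

    verdict is one of "illegal_file_type", "custom_signature" or "allowed".
    """
    parts = urlsplit(url)

    # File-type enforcement looks only at the extension of the request path.
    ext = posixpath.splitext(parts.path)[1].lstrip(".").lower()
    if ext in ILLEGAL_FILE_TYPES:
        return ("illegal_file_type", ext)

    # The query string is parameter data, not a file type. Percent-decoding
    # here is an assumption that approximates the WAF's normalization step.
    query = unquote(parts.query)
    match = EXE_SIGNATURE.search(query)
    if match:
        return ("custom_signature", match.group(1))

    return ("allowed", None)


if __name__ == "__main__":
    for sample in (
        "https://my.web.site/netstat.exe",
        "https://my.web.site/path?netstat.exe",
        "https://my.web.site/path?cmd=netstat%2Eexe",
        "https://my.web.site/index.html",
    ):
        print(sample, "->", classify(sample))
```

Note that the signature matches any `name.exe` token inside a parameter value, so a legitimate query such as `?q=setup.exe` will also be flagged; the signature should be staged in transparent mode and reviewed in the event log before enforcing it.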