CirrostratusF5 v15.1.3.1
My F5 ASM policy is configured to block command executions and illegal file types
but for example if I try to browse this url:
https://my.web.site/netstat.exe
Then ASM blocks the request
But if I try https://my.web.site/path?netstat.exe
It is not getting blocked
Any explanation?
MVPGood question..
1. https://my.web.site/netstat.exe ==> here netstat.exe comes as file type and ASM is quickly blocking it as you have selected "Illegal file type" blocked during policy creations.
2. https://my.web.site/path?netstat.exe ==> here URI is "path?netstat.exe" & you have not asked ASM to blocked it and hence request is allowed. You need to act on positional parameters to block these kind of request.
Cirrostratusthanks for the reply
do you mean that in the second example the netstat.exe is treated as parameter and not as fle type?
and how should I act on positional parameters to block these kind of request?
MVPdo you mean that in the second example the netstat.exe is treated as parameter and not as fle type? Its parameter(Query String) not file type.
and how should I act on positional parameters to block these kind of request?
Hope it will work.
EmployeeIn order to block the request, you can follow these steps:
1)_ Fix and use the REGEX : (([A-Za-z0-9_-]+)\.exe).*$
Tool: https://regex101.com/
2)_ Create Attack Signature List.
Security ›› Options : Application Security : Attack Signatures : Attack Signatures List
3)_ Create custom "Attack Signature Sets"
Security ›› Options : Application Security : Attack Signatures : Attack Signature Sets
4)_ Enforce the Signature in the policy
5)_ Test