F5 ASM appears not blocking filetypes in http query

Abed_AL-R
Cirrostratus

F5 v15.1.3.1

My F5 ASM policy is configured to block command executions and illegal file types

but for example if I try to browse this url:

https://my.web.site/netstat.exe 

Then ASM blocks the request

But if I try https://my.web.site/path?netstat.exe

It is not getting blocked

Any explanation?

 

7 REPLIES

Samir
Nacreous

Good question.. 

1. https://my.web.site/netstat.exe  ==> here netstat.exe comes as the file type and ASM quickly blocks it, as you have selected "Illegal file type" as blocked during policy creation.
2. https://my.web.site/path?netstat.exe ==> here the URI is "path?netstat.exe" and you have not asked ASM to block it, hence the request is allowed. You need to act on positional parameters to block these kinds of requests.

 

thanks for the reply

do you mean that in the second example the netstat.exe is treated as a parameter and not as a file type?

and how should I act on positional parameters to block these kinds of requests?

do you mean that in the second example the netstat.exe is treated as a parameter and not as a file type? It's a parameter (query string), not a file type.

and how should I act on positional parameters to block these kinds of requests?

  1. Navigate to Security ›› Application Security : Policy Building : Learning and Blocking Settings > Illegal parameter data type
  2. Then Security ›› Application Security : Parameters : Parameters List ›› Add Parameter...
  3. Parameter Level: URL, URL Path: GET, Location: Query string, Parameter Value Type: User-input values, Data Type: Alpha-Numeric, Regular Expression: ^(.*\.)(exe)$

Hope it will work.

Hi

Thanks for your response

That actually did not work. We opened a case to F5 TAC and they provided this solution and it worked. Here I'm sharing their solution:

1)_ Use the REGEX : (([A-Za-z0-9_-]+)\.exe).*$

2)_ Create Attack Signature List
    Security  ››  Options : Application Security : Attack Signatures : Attack Signatures List

3)_ Create a custom "Attack Signature Sets" or add to existing Set the new signature.
    Security  ››  Options : Application Security : Attack Signatures : Attack Signature Sets

4)_ Enforce the Signature in the policy
    Security  ››  Application Security : Security Policies : Policies List  ››  <Policy_name>  >> Attack Signatures

 

Thank you so much for adding comments. Can you please throw some light on step 3?

To be honest, I skipped step 3 🙂

Jefferson_Navar
F5 Employee

In order to block the request, you can follow these steps:

1)_ Fix and use the REGEX : (([A-Za-z0-9_-]+)\.exe).*$
     Tool: https://regex101.com/

2)_ Create Attack Signature List.
     Security ›› Options : Application Security : Attack Signatures : Attack Signatures List

3)_ Create custom "Attack Signature Sets"
     Security ›› Options : Application Security : Attack Signatures : Attack Signature Sets

4)_ Enforce the Signature in the policy

5)_ Test

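
Added example (not part of the original thread and not F5's implementation): a small Python model of the two checks discussed above, showing why an extension-based file type check sees nothing in `path?netstat.exe` while the regex quoted from F5 TAC matches it. The `ILLEGAL_FILE_TYPES` set, the function names, and the assumption that the signature is evaluated against path plus query string are illustrative only.

```python
import re
from posixpath import splitext
from urllib.parse import urlsplit

# Regex quoted in the thread as the F5 TAC suggestion for the custom signature.
TAC_REGEX = re.compile(r"(([A-Za-z0-9_-]+)\.exe).*$")

# Hypothetical stand-in for the policy's disallowed file types.
ILLEGAL_FILE_TYPES = {"exe"}


def file_type(url):
    """Extension of the last path segment only; the query string is ignored."""
    path = urlsplit(url).path
    ext = splitext(path.rsplit("/", 1)[-1])[1]
    return ext.lstrip(".").lower()


def file_type_check_blocks(url):
    """Model of an 'illegal file type' check keyed on the path extension."""
    return file_type(url) in ILLEGAL_FILE_TYPES


def signature_matches(url):
    """Assumption: the signature is searched over path plus query string."""
    parts = urlsplit(url)
    request_uri = parts.path + ("?" + parts.query if parts.query else "")
    return TAC_REGEX.search(request_uri) is not None


def evaluate(url):
    return {
        "file_type": file_type(url),
        "file_type_check": file_type_check_blocks(url),
        "signature": signature_matches(url),
    }


# Constructed sample requests; the first two are the URLs from the question.
SAMPLES = [
    "https://my.web.site/netstat.exe",
    "https://my.web.site/path?netstat.exe",
    "https://my.web.site/path?file=netstat.exe&x=1",
    "https://my.web.site/path?q=exercise",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, evaluate(url))
```

Running the same sample list against the real policy after enforcing the signature is a quick way to confirm that the second and third requests are blocked and the fourth is still allowed.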