Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

F5 ASM appears not blocking filetypes in http query

Abed_AL-R
Cirrostratus
Cirrostratus

‎23-Mar-2022 03:25 - edited ‎23-Mar-2022 03:26

F5 v15.1.3.1

My F5 ASM policy is configured to block command executions and illegal file types

but for example if I try to browse this url:

https://my.web.site/netstat.exe 

Then ASM blocks the request

But if I try https://my.web.site/path?netstat.exe

It is not getting blocked

Any explanation?

 

Labels:
0 Kudos
7 REPLIES 7

Samir
MVP
MVP

‎23-Mar-2022 04:13

Good question.. 

1. https://my.web.site/netstat.exe  ==> here netstat.exe comes as file type and ASM is quickly blocking it as you have selected "Illegal file type" blocked during policy creations.
2. https://my.web.site/path?netstat.exe ==> here URI is "path?netstat.exe" & you have not asked ASM to blocked it and hence request is allowed. You need to act on positional parameters to block these kind of request. 

 

0 Kudos

Abed_AL-R
Cirrostratus
Cirrostratus
In response to Samir

‎23-Mar-2022 04:49

thanks for the reply

do you mean that in the second example the netstat.exe is treated as parameter and not as fle type?

and how should I act on positional parameters to block these kind of request?

0 Kudos

Samir
MVP
MVP
In response to Abed_AL-R

‎23-Mar-2022 07:15

do you mean that in the second example the netstat.exe is treated as parameter and not as fle type? Its parameter(Query String) not file type.

and how should I act on positional parameters to block these kind of request?

  1. Navigate to Security ›› Application Security : Policy Building : Learning and Blocking Settings > Illegal parameter data type
  2. Then Security ›› Application Security : Parameters : Parameters List ›› Add Parameter...
  3. Parameter Level: URL, URL Path: GET, Location: Query string,  Parameter Value Type: User-input values,  Data Type: Alpha-Numbric, Regular Expression: ^(.*\.)(exe)$ 

Hope it will work.

0 Kudos

Abed_AL-R
Cirrostratus
Cirrostratus
In response to Samir

‎30-Mar-2022 23:24

Hi

Thanks for your response

That actually did not work. We opened a case to F5 TAC and they provided this solution and it worked. Here I'm sharing their solution:

1)_ Use the REGEX : (([A-Za-z0-9_-]+)\.exe).*$

2)_ Create Attack Signature List
    Security  ››  Options : Application Security : Attack Signatures : Attack Signatures List

3)_ Create a custom "Attack Signature Sets" or add to existing Set the new signature.
    Security  ››  Options : Application Security : Attack Signatures : Attack Signature Sets

4)_ Enforce the Signature in the policy
    Security  ››  Application Security : Security Policies : Policies List  ››  <Policy_name>  >> Attack Signatures

 

Samir
MVP
MVP
In response to Abed_AL-R

‎31-Mar-2022 00:14

Thank you so much for adding comments. can you please through some light on step 3

0 Kudos

Abed_AL-R
Cirrostratus
Cirrostratus
In response to Samir

‎01-Apr-2022 07:48

To be honest, I skiped step 3 🙂

0 Kudos

Jefferson_Navar
F5 Employee
F5 Employee

‎09-Apr-2022 05:07

In order to block the request, you can follow these steps:

1)_ Fix and use the REGEX : (([A-Za-z0-9_-]+)\.exe).*$
     Tool: https://regex101.com/

Jefferson_Navar_0-1649504907874.png

2)_ Create Attack Signature List.
     Security ›› Options : Application Security : Attack Signatures : Attack Signatures List

Jefferson_Navar_1-1649504957153.png

3)_ Create custom "Attack Signature Sets"
     Security ›› Options : Application Security : Attack Signatures : Attack Signature Sets

Jefferson_Navar_2-1649505339252.png

4)_ Enforce the Signature in the policy

Jefferson_Navar_3-1649505675425.png

Jefferson_Navar_4-1649505981294.png

5)_ Test

Jefferson_Navar_5-1649506058253.png

 

0 Kudos
Copyright © 2023 Khoros, LLC