Forum Discussion

gu3rr3ir0's avatar
gu3rr3ir0
Icon for Nimbostratus rankNimbostratus
Feb 05, 2020

F5 ASM learning new parameters while being in blocking mode.

Hi,

 

I have my ASM protecting many web applications. The problem is that some of the applications/websites, don´t have that much traffic, but some of the websites have a lot of Forms etc. Since the traffic is not to much, it didn´t learned all of the parameters of the website while it was on transparent mode, and even some of the parameters learned don´t have all the meta characters allowed.

 

Question 1:

If i disable the value meta character on the parameter itself, does it still block attacks like XSS, SQLi etc?

 

Question 2:

Is there a way to have my policies in block mode, but do not block new parameters that are added by developers as an example, and then accessed by users?

 

Question 3:

Do you guys keep the Wildcard * parameter in blocking state or leave it in staging ?

 

Question 4:

When policy is in automatic, i detected that if a parameter in the website that should allow alpha-numeric values, if it gets a lot of hits by users that just post numeric values ( lets say username) the policy change the parameter data type to integer itself, and after that if some user as a username that have letters in it, will get blocked. What is the better way to get over this. Manual (extensive work checking all the policies every day) or automatic ( some things stop working after some time so have to correct it mannually), or is there and alternative in the Learning and blocking settings that allow to loosen the policy keeping it secure and manageable?

1 Reply

  • Question 1: Yes. All parameters disallow meta characters by default. If you override those meta characters, then they are allowed--but attack signature are still applied to the parameter input value.

     

    Question 2: Yes. There are two ways to do this. One is to un-check the Block checkbox for the "Illegal Parameter" violation. In fact, that works with all violations, including "Illegal meta character in value" related to your first question. The ot her is to leave all parameters in staging during the learning process as developers add them.

     

    Question 3: Once the policy is mature, you can enforce the wildcard or remove it altogether.

     

    Question 4: One way would be to turn off blocking on the specific violation that is getting triggered until the learning period is over. Or go to the Learning and Blocking Settings page > Policy Building Process, and select the Advanced view. Under Policy Building Process, locate Loosen Policy and review the default rules. Also ensure you have "Track Site Changes" enabled, and review those rules and adjust accordingly. If you have a way to build the policy using trusted traffic then you can reduce the time required dramatically.