.well-known/assetlinks.json violation in ASM

MohammedHashayka · ‎04-Jul-2022

Dears,

I repeatedly fin .well-known/assetlinks.json violation on my ASM logs:

* illegal file type

* illegal URL length

* illegal Request length

URL/Request length bot set to 0, and this request is auto generated from our sites, can I have the best action to prevent this false positive from appearing in logs as violation, without affect other security sides like I can't allow json files to be available for users.

Regards;

LiefZimmerman · ‎08-Jul-2022

@MohammedHashayka - I see there is no response yet to your query. Have you found a solution or had any help here in the community or from F5 Support?

If not, I will see if I can find someone.

Nikoolayy1 · ‎12-Jul-2022

Maybe see an article I made long ago as you can turn off a particular violation that comes from the source IP addresses of your bots with an irules:

https://community.f5.com/t5/technical-forum/knowledge-sharing-f5-asm-advanced-waf-options-for-granua...

Also look at the json profile options but they are more for bypassing signatures but you may check if the URL is having an assigned JSON profile as well-known/assetlinks.json means that the data should be JSON so it may need to be set for a more better match:

https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-asm-implementations/adding-json-support-to-an-exis...

See here for how to match the source ip and then stop the violation for that URL:

https://community.f5.com/t5/technical-forum/whitelisting-inboud-subnet-range-in-f5-using-irule/td-p/...

DevCentral

.well-known/assetlinks.json violation in ASM

Khoros Kudos Award 2022