XC Users Forum
Open conversations with staff and peers about F5 Distributed Cloud Services.

Handle False Positive for files upload

AlsDevC
Altocumulus

Hi folks, 

I'm wondering how to handle uploading files through XC. For example, I have a URL used for uploading files to a web application, say /upload.

The files appear to be scanned by XC, which detects and triggers many attack signatures. According to my tests they are all false positives. A concrete example of a triggered signature:

Signature ID 200104770
name: JSP Expression Language Expression Injection (3) (Parameter)
attack_type: ATTACK_TYPE_SERVER_SIDE_CODE_INJECTION
matching_info: Matched 62 characters on offset 1 against value: "'F${F=;_V>`chRm]8L{go4*tQ$hy8vNOb0Q3~!OzWOBG*wp?:zA>S[e=}!u1^s4_'."

The habit I had on ASM was to disable problematic signatures on this type of URL.

Is there a more relevant way to handle these cases on XC?

Many thanks.


6 REPLIES

Stephen_Archer
F5 Employee

Hi AlsDevC.

If you look at the Security Events in the Security Dashboard and find the event that you believe to be false-positive, then click the `...` in the `Actions` column:

[screenshot: Stephen_Archer_1-1683110738543.png]

You have the option to `Create WAF Exclusion rule`. This will take you to the `WAF Exclusion Rules` section of the Load-Balancer configuration, and pre-populate the configuration for you, to disable the signature on the specific URL.

[screenshot: Stephen_Archer_0-1683110687688.png]

Hope that helps. 

AlsDevC
Altocumulus

Stephen,

Thanks for your quick feedback. Maybe I'm expressing myself badly. I know how to put an exception but I was hoping for another method than putting an exception for each matched signature.

BR.

Can you share the "state" of those signatures for that security event? You should find that in the information section. Ideally, these signatures should be "autosuppressed" by the "automatic attack signatures tuning" capability.

AlsDevC
Altocumulus

I disabled "automatic attack signatures tuning" because we noticed that it lowered the level of protection against SQL Injection type attacks.
Am I to understand that this is not a good practice and that it is advisable to leave it enabled to limit the number of false positives?

Yes, the recommendation is to leave it "enabled" (the feature is enabled in the default policy).

Regarding the comment "lowered the level of protection against SQL Injection type attacks", could you please open a support ticket with the details? We will review and make improvements as needed to the model.

AlsDevC
Altocumulus

Hi Sudhir, I re-enabled the option and my file upload works correctly. I see the request is triggered by the WAF, but the signatures are in the Autosuppressed state. It answers my initial question, thanks.
I'll open a case for the SQL Injections that pass when I activate the feature.

Thanks all.
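
An added triage helper illustrating the workflow discussed in this thread (it is not F5 XC tooling, and the event shape, field names, and placeholder signature ID 999999001 are assumptions; only signature 200104770 and its matched value come from the thread). It groups security events by path, signature and state, treats autosuppressed hits as already handled by automatic tuning, and flags enabled hits on upload URLs whose matched value is high-entropy (typical of opaque file content rather than a hand-written payload) as candidates for a per-URL WAF exclusion rule:

```python
import math
from collections import Counter, defaultdict

# Constructed sample events in a simplified, assumed shape; the real XC security
# event export uses a different schema. Signature 200104770 and its matched value
# are from the thread; 999999001 is a placeholder ID, not a real signature.
SAMPLE_EVENTS = [
    {"path": "/upload", "signature_id": 200104770, "state": "enabled",
     "matched": "'F${F=;_V>`chRm]8L{go4*tQ$hy8vNOb0Q3~!OzWOBG*wp?:zA>S[e=}!u1^s4_'."},
    {"path": "/upload", "signature_id": 200104770, "state": "autosuppressed",
     "matched": "'F${F=;_V>`chRm]8L{go4*tQ$hy8vNOb0Q3~!OzWOBG*wp?:zA>S[e=}!u1^s4_'."},
    {"path": "/login", "signature_id": 999999001, "state": "enabled",
     "matched": "' OR 1=1 --"},
]


def shannon_entropy(text):
    """Bits per character: random file bytes score high, crafted payloads low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def triage(events, upload_paths, entropy_threshold=4.5):
    """Group events by (path, signature_id, state) and propose a verdict.

    'autosuppressed'      : automatic attack signature tuning already handled it.
    'exclusion-candidate' : enabled signature on an upload URL where every matched
                            value is high-entropy, i.e. looks like opaque file
                            content; a per-URL WAF exclusion rule is the usual fix.
    'review'              : anything else, e.g. a low-entropy match on a non-upload
                            path, which may be a real attack and should keep blocking.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["path"], ev["signature_id"], ev["state"])].append(ev)
    verdicts = {}
    for (path, sig, state), evs in groups.items():
        if state == "autosuppressed":
            verdict = "autosuppressed"
        elif path in upload_paths and all(
            shannon_entropy(e["matched"]) >= entropy_threshold for e in evs
        ):
            verdict = "exclusion-candidate"
        else:
            verdict = "review"
        verdicts[(path, sig, state)] = {"verdict": verdict, "count": len(evs)}
    return verdicts


if __name__ == "__main__":
    for key, result in triage(SAMPLE_EVENTS, {"/upload"}).items():
        print(key, result)
```

The entropy threshold is a heuristic for ordering the review queue, not a proof that a hit is benign; each exclusion candidate should still be checked before the rule is created.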