Turn off Specific ASM Signatures for a Cookie
Running 12.1.x and am trying to figure out how to turn off specific signatures from firing for values of a specific cookie. The cookie in question is placed by third party performance monitoring software and often times what is put in those cookies contains information about the URLs or other objects on the page, causing a variety of path traversal and XSS signatures to go off. This cookie can be placed under various circumstances for various URLs and gets sent on a variety of requests (form data, JSON, multi-part, etc) always with the same name. It does not appear on every request. I tried setting up the cookie name as a parameter and turning off the signatures that way but that of course doesn't work since its not really a posted or URL parameter. I'm not going to disable this wide swath of signatures for the entire site, so that's not an option. I saw previous DevCentral responses for 11.x stating that you could use Content Profiles. I set up a JSON profile and associated it with the * URL to be turned on when the cookie is present and confirmed that this will stop those signatures from firing. However this doesn't really work since the requests with that cookie can be any type of content in the post and I can't set a profile for normal post data, additionally this turns it off for all fields instead of just for the cookie. I'd also like to avoid using LTM policy to switch ASM policies based on the cookie presence and have to manage multiple policies for something seemingly this simple. Is there any official non-kludgy way of turning off specific ASM attack signatures for a specific cookie?
Identifying ASM signatures affecting responses?
Env: LTM 11.5.2 with ASM We have a security profile which appears to be affecting responses for a small set of requests, without reporting any error or block in the ASM event log. This is a REST call that accespts JSON input data, retreieves data from a database, and returns the data results as JSON. When we run the query for a userid that returns a small result, there is no issue. But when we use a different userid that has more data, the client never receives the response (not a single byte gets returned, at the network level). Nevertheless, the response appears in the ASM event log (though at the top of the response content display it says "Response was truncated"), and I see content displayed, as if it had been sent back. The size of the response that has an issue isn't huge (about 15K). We have only one entry in our Parameter List for this policy, "*" of type User-input value. We turned off both Value and Name meta-characters checks, just in case, with no effect. However, when we turn off signature checks for the parameter, the problem goes away. So, our assumption is that some signature is processing the response, and freezing, or some other way affecting the stream going back to the client, such that bytes never get sent. But it's happening with no indication in the ASM event log. How can we identify what signature is the culprit? Is there a way to search just the signatures that parse responses, vs. request data? (the Advanced filter lumps Request/Response together). Is there any advanced ASM signature processing logging that we can turn on, anything like that? And any other thoughts on what the cause might be would be appreciated. I don't think it's size related, as the max_html setting in advanced. I thought maybe chunking, but Transfer-Encoding: chunked is appearing in both working and non-working responses. Hmm ....
Logging and identify the violations from staged signatures
I am trying to fix a signature update issue for ASM v12.1.0 here. Signatures are not updated from some time. I wanted to do this in a phase manner now. 1) Enabling signature staging for the policy, enable signature staging for updated/new signatures 2) Run a manual update 3) Get through the Enforcement Readiness period of 7 days 4) Check for any violations for staged signatures and enforce the new/updated signatures respectively. Regx point 4, will need some guidance on checking for any violation for staged signatures. We are sending logs to splunk and how do i identify from the log data, if the alert was on a staged signature. Pasting some log snippets below. 30/08/2018 11:07:54.000 Aug 30 11:07:54 xxxx.net.au ASM: f5_asm=Splunk-F5-ASM,attack_type="",date_time="2018-08-30 11:07:54",dest_ip=x.x.x.x,dest_port=xxxx,geo_info="US",http_class="/Common/VS_Test",ip_addr_intelli="N/A",ip_client=x.x.x.x,ip_route_domain="x.x.x.x%0",is_trunct=truncated,manage_ip_addr=x.x.x.x,method="POST",policy_apply_date="2018-05-31 10:08:09",policy_name="/Common/VS_Test",protocol="HTTP",query_str="",req_status="passed",resp_code="200",route_domain="0",session_id="4353fdsad4dd",severity="Informational",sig_ids="",sig_names="",src_port="27603",sub_violates="",support_id="17873574374868071705",unit_host="xxxxxxxxxxxxxxxx",uri="/abc/xyz",username="N/A",violate_details="44f3d1e143060702-000000000000000044f3d1e143060702-000000000000000044f3d1e143262702-0000000000000000000040c100240000-0000000000000000
