Attack signature relaxation at JSON profile level rather than whole policy level on F5 v17.x
there is one false positive attack signature I want to relax on the F5 policy. the attack says onload(parameter) and I dont want it to relax it at the whole policy level under policy attack signature disable. but I don't know how to relax it at the json profile level. I can see the option attack signature available at the json profile level but not sure how to relax it as compared to relaxing at the whole policy level. please help !
Attack Signature Performance
Hi, Currenty I'm using [Change signature propertiesGeneric Detection Signatures (High/Medium Accuracy)] I want to enable all signature set so I can use all attack signatures. If I enable all of them will there be any performance problems or can I safely enable it? Thanks.
relation between CVE numbers and F5 ASM attack signatures
I was wondering if there is a way to check if certain CVEs are covered by an ASM attack signature? For example for shellshock when you click on the attack signature in the F5 ASM you can see the CVE numbers. so the information is in the database but can this be easily searched somehow? so is there a way to search for a CVE number and get the related F5 ASM attack signatures somehow?
How do you create an Attack Signature exception for one URL in a policy?
There is a SQL Injection signature that is throwing a false positive for one of the URLs in our policy. This is a high threat signature so we still want it to be in blocking, but want one URL to be exempt from it. I know that you can add URLs to the white list, but as far as I know that would white lists all traffic from them, not just one signature. Any suggestions? Thanks!Attack signature updates.
can anyone confirm best practices for Attack Signature updates? I would like to know if when working with a production environment if it would be safer to implement in the below stated layout as opposed to just importing it in to production. the retailer that I am doing this work for has fears that it may block traffic after the signature update. does anyone have insight into this? •Export Attack Signature Policy from production •Import production Attack Signature Policy into TEST environment •Update Attack Signatures in TEST •Clear Traffic Learnings in TEST •Evaluate and Modify Attack Signatures if site functionality is impaired (Disablement method based on severity of attack signature type) •Export Attack Signature Policy from TEST •Update Attack Signatures in PROD •Import TEST Attack Signature Policy into PROD This seems to be the least riskiest way to do this, though in my opinion with the updates being so frequent I cant see this being rational in order to maintain the updates every six weeks.
Question on Assigned Signature Set for security policies
Dear All, May I please ask you a question on WAF which I’m deploying in learning mode for my Customer. I have configured the security policies with Signature Staging enabled but I see that BLOCK option has been checked for each of the assigned signature set as highlighted, As per my understanding I cannot edit the BLOCK option because it’s been disabled and it will not block the traffic although it shows as checked. Can you please confirm if my understanding is correct as I want to attach these policies to virtual servers in question. Br, MSKWhich attack signature sets does contain others?
My application is running on Apache Tomcat and there is one signature set with such name. Of course, I enabled it. The question is should I also enable sets referred to e.g. Apache, Java Servlets? Or maybe required signatures are containing in Apache Tomcat set already?
