waf
96 Topics

F5 Rules for AWS WAF - CVE-2021-22118 & CVE-2016-1000027
Hello, We're checking in the AWS marketplace for the F5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE) Rules and want to check if the following CVEs are covered by this rule set:
CVE-2021-22118: Local Privilege Escalation within Spring Webflux Multipart Request Handling
CVE-2016-1000027: Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data.
Thanks.
Solved | 2.3K Views | 0 likes | 18 Comments

F5 rules for AWS WAF Terraform
Dear, good afternoon. I'm implementing the rules of F5 OWASP10 https://aws.amazon.com/marketplace/pp/prodview-ah3rqi2hcqzsi but I'm working with infrastructure by Terraform code. To carry out the implementation I need the correct name of the rule and the correct name of the vendor, and I cannot find this information in the documentation. Can you help me? ex:

    {
      overrideAction = {
        type = var.NAME == "BLOCK" ? "NONE" : var.NAME
      }
      managedRuleGroupIdentifier = {
        "vendorName" : "NAME",
        "managedRuleGroupName" : "NAME"
      }
      ruleGroupType = "ManagedRuleGroup"
      excludeRules = []
    }

Solved | 1.8K Views | 0 likes | 8 Comments

Block specific parameter value
Hello All, I am working on a WAF policy where I need to allow any query parameter value but block ones with sites or hostnames, example below.
BLOCK: https://hostname/index.html?para1=https://example.com
ALLOW: https://hostname/index.html?para1=name1.html
I don't have the option to use the static parameter type because of the nature of the web app. Can someone share ideas or the best approach?
1.6K Views | 0 likes | 4 Comments

Managing false positives in WAF policy
Situation overview:
1) a Wordpress server that has always been under heavy attack was recently moved behind a F5 WAF
2) the WAF is dropping malicious traffic (thank you F5!)
3) the WAF is also dropping legitimate POSTing of user content with several signatures (Server Side Code Injection, SQL-Injection, Cross Site Scripting (XSS))
4) there is no QA/Test instance; there is no opportunity here for a controlled "learning/staging" process; the server is in production

Example false positive: One user wants to embed videos on their site. The XSS signature is set off by script tags bracketing a URL pointing to the Vimeo player. The XSS signature fires off during the POSTing of this content to the site.

WAF Suggestion:
Suggested Action: Disable the matched signature on the matched Parameter
Matched Parameter: *
Matched Attack Signature: 200001475 - XSS script tag end (Parameter) (2)

I could choose to click on 'Accept', but I am concerned that the use of a wildcard parameter means script tags will be accepted anywhere, rendering the XSS signature useless. Is that a correct interpretation?

Solution?: I have whitelisted some known source IP addresses, but that will not satisfy a user base who wants to update content from anywhere at any time. There are some Wordpress-specific cookies I can leverage. Looking at the WAF policy Cookie List, however, it appears its focus is to validate as allowed or denied. But that doesn't seem to tie a cookie to a signature. In other words, if you see these valid cookies, then bypass this signature. It looks like I have two options. One, write a custom signature to catch legit POSTs (regex search for specific cookies), and disable blocking for this signature. The other option would be an iRule, like this:

    when HTTP_REQUEST {
        # Skip ASM for POSTs to this URI that carry both expected cookies
        if { [HTTP::method] eq "POST" and [HTTP::uri] contains "someURI" } {
            if { [HTTP::cookie value "cookie1"] eq "foo" and [HTTP::cookie value "cookie2"] eq "bar" } {
                ASM::disable
            }
        }
    }

Thank you for taking the time to read this. I welcome any feedback.
1.5K Views | 0 likes | 6 Comments

Block requests from web browser and only allow from clients application in ASM
Dear Community, I have a requirement to allow email application traffic initiated from email clients, i.e. Outlook, Boxer only, and block all traffic initiated from web browsers. Please inform how we can accomplish this using ASM. Best Regards
1.4K Views | 0 likes | 2 Comments

F5 blocking my webpage that works as monitor of Sites hosted behind F5
Hi Guys, we recently enabled the ASM module on F5 in evaluation/learning mode only and we have one website that is hosted behind the F5 LTM. Once the ASM module is activated, my customer web site hosted in a different data center in Azure cannot get through F5. This website acts as a web monitor and every 5 min it is monitoring the site hosted behind the F5. I get a blank page which looks like this. My web monitor is doing an HTTP web request and sometimes this happens. There is no disturbance of the site hosted in LTM pools. In my Google search it reveals the problem might be in the ASM module trying to block. Can you guys provide some pointers on how to resolve this issue?

    <!DOCTYPE html>
    <html><head>
    <meta http-equiv="Pragma" content="no-cache"/>
    <meta http-equiv="Expires" content="-1"/>
    <meta http-equiv="CacheControl" content="no-cache"/>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <link rel="shortcut icon" href="data:;base64,iVBORw0KGgo="/>
    <script>
    (function(){
    window["bobcmn"] = "11111011101010200000002200000005200000000289895ae4200000096300000000300000000300000006/TSPD/300000008TSPD_101300000005https3000000b0081b93fe10ab20006f0e8f1c61960cb6df13226d973e4b69e019690083a6fd29acdda2b6f1b2f5dd0805bbb5290a280019bbf7f5e3c12d280528f7ff9915458e1d0c71804c667eac9e06aa4ea740e68a5b754f765c6ef008200000000200000000";

Regards Sunil
1.4K Views | 0 likes | 1 Comment

Regex issue
Hello, I am stuck on trying to find out how to match some parameters in a WAF request using a regex wildcard. The parameters that I want to match are in the form of amp;arg20=something where the arg20 can be anything. The repetitive part that I want to match with the regex is amp; and I want to match multiple times because it appears multiple times in the query string. This is the request:

    GET /human.aspx?r=2900376326&arg20=dssdds&arg21=aaa HTTP/1.1

I want to match the 2 parameters amp;arg20 and amp;arg21 with a wildcard; they appear as invalid parameters:

Parameter Location: Query String
Parameter Name: amp;arg20
Parameter Value: dssdds
Applied Blocking Settings: Block, Alarm, Learn

Parameter Location: Query String
Parameter Name: amp;arg21
Parameter Value: aaa
Applied Blocking Settings: Block, Alarm, Learn

I tried to create multiple wildcard parameters like: amp.* or amp.+?(?==) but the parameters never match and I get the illegal parameter violation. How can this be achieved?
Solved | 1.2K Views | 1 like | 8 Comments

F5 Rules for AWS WAF - List of CVE
Hello, We're checking in the AWS marketplace for the F5 Rules for AWS WAF - Common Vulnerabilities and Exposures (CVE) Rules and we can't find the information of which CVE Rules are applied with this subscription. Where can we find the information of which CVEs are covered by this Rule set? When a new High Risk CVE is identified how long it would take to be added in the Rule set list? This information is needed so we can take a decision to use or not the solution, shouldn't this be described somewhere? Thanks in advance.
Solved | 1.2K Views | 0 likes | 4 Comments

WAF generic detection signatures
Hi All, I found something strange with the signature set Generic Detection Signatures (High/Medium Accuracy) assigned to the ASM policies. This signature set claims to include the following systems.
Systems: General Database, Various systems, System Independent, JavaScript
However, when I compare the total of signatures of each system in the attack signature list available on the system, it does not match the total of the signatures assigned to the ASM policy. For example:
System Independent: 2556, 1932 on ASM policy
Various systems: 24, same on ASM policy
General database: 708, 391 on ASM policy
Strange thing that, for example, signature 200022004 was assigned to the ASM policy but after live update of the signatures not anymore. Could someone clarify the content of the generic signature set and why aren't all the signatures of system independent, various systems and general database included?
1.1K Views | 0 likes | 3 Comments