Question about WAF Enforced with has suggestion Signature
Hello, everyone I have a question about the WAF signature. Recently, I blocked the Ready to be enforced signatures. A few days later, Some of these signatures are in an enforced state, and they have entered a has-suggestion state.(About 30 of them) What is the state of being in an enforced state and at the same time has suggestion? And some of the enforced&has-suggestion signatures are unblocked and there are also staged logs. It's in enforced mode, is this a possible situation? F5 WAF engineer with similar experience, please help me. Thank you very much.
Custom Signature in ASM
I am trying to create a custom signature that detects a number of Nuisance URLs that are being thrown at our site, but am having a few issues with the syntax of the rule. I've read through the ASM syntax articles but appear to be missing something. So basically we are seeing a number of the following type of URLs thrown at us: http://www.website.com/someurlhttp:/ The http in the URI is not something we would normally have so I created a custom signature with the following rule: uricontent:"http"; nocase; objonly; I assigned it to a policy and set it to learn and alarm only but I am not seeing any hits on the signature. What am I missing? Updated: I did have this working using an irule and a string datagroup but am looking at implementing using ASM. Moved from comments for formatting. when HTTP_REQUEST { set uriclass "MalURI[URI::basename [virtual name]]" Check that URI is sanitised set luri [string tolower [HTTP::uri]] if { [class match $luri contains $uriclass] } { HTTP::respond 200 content "Company Name\Naughty Naughty" log local0. "URI is $luri" } }
Custom Signature in ASM
I am trying to create a custom signature that detects a number of Nuisance URLs that are being thrown at our site, but am having a few issues with the syntax of the rule. I've read through the ASM syntax articles but appear to be missing something. So basically we are seeing a number of the following type of URLs thrown at us: http://www.website.com/someurlhttp:/ The http in the URI is not something we would normally have so I created a custom signature with the following rule: uricontent:"http"; nocase; objonly; I assigned it to a policy and set it to learn and alarm only but I am not seeing any hits on the signature. What am I missing? Updated: I did have this working using an irule and a string datagroup but am looking at implementing using ASM. Moved from comments for formatting. when HTTP_REQUEST { set uriclass "MalURI[URI::basename [virtual name]]" Check that URI is sanitised set luri [string tolower [HTTP::uri]] if { [class match $luri contains $uriclass] } { HTTP::respond 200 content "Company Name\Naughty Naughty" log local0. "URI is $luri" } }F5 platform EoSD and Software EoSD is different. Which one need to use?
Hi We use F5 2000s with version 15.1.x From platform EoSD, It's already expired but from software EoSD. it's still available question is Which one should I use? If i use WAF and I believe attack signature will release if EoSD is still available...... question is right now will my attack signature still update? 2 what is different?
I create Attack signature and still in staging although I change it to blocking
Hi I have create attack signature which block the request if it is containing some words. the status of my signature is : Staging: No Learn: Yes Alarm: Yes Block: Yes Enabled: Yes What i dont understand is : when i try to access the blocked link i still can access it And when i go to : Security > Event Logs > Application > Requests F5 see it as an attack but in the status of "Applied Blocking Settings" is still Staged? The Enforcement Mode of my policy is : BlockingSignature updates while using a Checkpoint firewall
I want to set up the autoupdate for the signatures. What I want to know is how to configure this using a Checkpoint firewall? Is there a small range of IP address that we can put into the f/w to allow it to resolve to the update site? At the moment our Chekcpoint F.w isnt allowing us access due to the changing IP addresses TIA
ASM Signature Blocking, but not Enabled?
So I get a user ticket that says the user was blocked on the Application dir Access (\manage) signature. When I go to disable this attack signature on the parameter, it's not listed in the Global Security Policy Settings....So after some investigation I went to Manual Traffic Learning and found this signature listed, but not enforced yet... So my question is how did this user get blocked on a signature that hadn't been enforced or enabled yet? Granted the Policy itself is in Blocking Mode....??? Another Question is why did this signature not appear in the Global Security Policy Settings..??
