Multiple violations for File-upload behind ASM

Hello Folks,

I am experiencing quite weird behavior with F5 ASM on 11.6.0 HF6 with one of the customers. The issue is, ASM is detecting file uploading as malicious traffic and triggering multiple different signatures.

Though I have created a file uploading parameter, which I found from the HTTP REQUEST HEADER within "multipart/form-data", it seems ineffective. Following is the complete HTTP REQUEST.

POST /epublicsector_ara/start.swe?SRN=KLyBkgFt7u1DMFqJX4yyLqXNbSyceuTBcqcSB4KzKcgb HTTP/1.1
 SWESession: TS01d3802b=011bd6b25032ca6b64b728506e93375f4851f91fa2362a319f7ff7390920ffb3781595bbf4ff1db9dd55f89a7367c3113fb808b1d410723dd3805ffe617641dcd661da8c82; SWEUAID=none; SGCRM-COOKIE=3935173898.20480.0000; TS0160d34b=011bd6b250cc5c5419ac4c3d1645b0be3eeda26635f3e94a2e94ba76915da8199f08ec69d177fcca8a8938559fa14b5b3940f9c495
 Content-Type: multipart/form-data; boundary=------------------------------1453093530
 Content-Length: 88852
 Connection: Keep-Alive
 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
 Host: 1gov.abudhabi.ae
 Cache-Control: no-cache
 Cookie: _sn=OQ0ZDiRGueyA88dyhdKGs6B4gHCYXPRHfrMe6zxEYnLS.JwbT1OMP8iVOAg1ZaB7IYpcyX4IlQQxNAOTGpU7yqT0StvTXa6ssmT1YcV3ZU9wrDSMvchu6DPcDAzDPFDGLkZhsJmNzJh.Rp23kIB.N84iEdgjsExDoNe5GryIJzDcJypyYJaZuAQnhFZAXqs4alaabrpoH4Y_; TS01d3802b=011bd6b25032ca6b64b728506e93375f4851f91fa2362a319f7ff7390920ffb3781595bbf4ff1db9dd55f89a7367c3113fb808b1d410723dd3805ffe617641dcd661da8c82; SWEUAID=none; SGCRM-COOKIE=3935173898.20480.0000; TS0160d34b=011bd6b2504813b2ac7dbc505636fef65aa62b48dadbd2f087624e744621fcb2297ee21aaf7d873a84e117fc409408d273ef1a6af2
 X-Forwarded-For: 10.113.0.25

 ------------------------------1453093530
 Content-Disposition: form-data; name="SWEView"

 HLS Case Note View
 ------------------------------1453093530
 Content-Disposition: form-data; name="SWEApplet"

 HLS Case Attachment Applet
 ------------------------------1453093530
 Content-Disposition: form-data; name="SWERowIds"

 SWERowId0=1-KUA4ND
 ------------------------------1453093530
 Content-Disposition: form-data; name="SWECmd"

 InvokeMethod
 ------------------------------1453093530
 Content-Disposition: form-data; name="SWEMethod"

 NewFileAttachment
 ------------------------------1453093530
 Content-Disposition: form-data; name="SWERPC"

 1
 ------------------------------1453093530
 Content-Disposition: form-data; name="s_SweFileName"; filename="C:%5cUsers%5cm.rashed%5cDesktop%5cNew%20folder%20(7)%5c%d8%a8%d9%82%d8%a7%d9%84%d8%a9.pdf"
 Content-Type: application/octet-stream

 %PDF-1.4
 1 0 obj
 <<
 /Creator (Oracle11gR1 AS Reports Services)
 /CreationDate (D:20151004082642)
 /ModDate (D:20151004082642)
 /Producer (Oracle PDF driver)
 /Title ()
 /Author (Oracle Reports)
 >>
 endobj
 5 0 obj
 <</Length 6 0 R
 /Filter [/ASCII85Decode /FlateDecode]
 >>
 ...
 .......

The File Uploading Parameter I have created is "s_SweFileName". I also followed the article below, which I thought would be useful in this scenario, but that didn't help.

https://devcentral.f5.com/articles/file-uploads-and-asm

Can anyone help me with fine-tuning / understanding what needs to be done to avoid this false positive? It is a tedious job to keep on ignoring all the signatures, and relaxing security to that level is not acceptable, right?

Looking for your help.

Thank you, Darshan

2
Comments on this Question
Comment made 05-Apr-2017 by Tom Desmet 0

We are experiencing the same problem. Can somebody please have a look at this?

Thanks!

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Can anyone please reply to this thread?

0
Comments on this Answer
Comment made 24-Jan-2018 by draco 366

Hi

Did you get this to work?

0
Comment made 27-Jan-2018 by boneyard 5579

I would advise you to start a new question with your specific details; I have doubts you are running the same version and exact same website. So share your details, provide the violation information exactly as shown, and perhaps some can help here.

0