Forum Discussion
5 Replies
- If you know the sig-ID you can pull the actual signature from the ASM database and see exactly why it matched.
- Lazar_92526 (Nimbostratus)
I did, and when I did a view details, I got the following for detected keywords:
wresult=0x20xlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">0x20xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-05-21T15:23:30.278Z
- Depending on the signature it can be a keyword type or a regex type (you can see all the signature options here: http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/config_guide_asm_10_2_0/asm_apx_attack_sig_syntax.html1005373) so it's certainly enough to say that if the signature was matched then a suspicious value was found. Having said that, you need a full understanding of the application to say whether the particular match was a false positive or not. Usually the source of the attack gives you some clue: was this from an authenticated user? Can you find out who that user is and speak to them?
- Lazar_92526 (Nimbostratus)
Chris,
This is coming from the default signature (see below) and not a customized one. Do the default sigs just trip on keywords?
Signature Properties
Name: SQL-INJ "DROP SCHEMA" (Parameter)
ID: 200002283
Signature Type: Request
Apply to: Parameter, XML, JSON, GWT
Attack Type: SQL-Injection
Systems: General Database, IBM DB2, Microsoft SQL Server, MySQL, Oracle, PostgreSQL, Sybase/ASE
Accuracy: High
Risk: High
User-defined: No
Revision: 1
Last Updated: 02/05/2013
Documentation: View
References: www.owasp.org/index.php/SQL_Injection, www.webappsec.org/projects/threat/c...tion.shtml
- hooleylist (Cirrostratus)
Hi Lazar,