Forum Discussion

Don_22992
Mar 16, 2009

Custom Signature to Block Certain Paths

In the iRule forum, there are several threads on how to block access to certain pages of a virtual server. For example, we want to allow access to

http://my.domain.com/login
http://my.domain.com/report
etc...

...and want to block access to:

http://my.domain.com/webconsole

Several of the forums mention that to completely block undesired pages, ASM is a better tool to use. Specifically, it implies that ASM would be able to block several different forms of accessing the page maliciously, such as:

http://my.domain.com/%77%65%62%63%6F%6E%73%6F%6C%65
http://my.domain.com/report/../webconsole
etc...

Is there an ASM article to which I can refer that explains specifically how to create a custom ASM signature for this case? So far, I have not created any custom ASM signatures and could use examples...

Don

2 Replies

  • Hi Don,

    ASM uses a few different normalization techniques. I believe ASM normalizes the URI before checking to see if there is an object defined or a matching attack signature. I'm fairly sure that the object-specific attack signatures are not applied if the specific object is defined as an explicit object.

    If you want to block access to /webconsole, you can configure an attack signature for uricontent: "/webconsole"; objonly; nocase;, add the signature to a signature set and then add the signature set to the policy.

    I couldn't find details on the normalization in a solution or the ASM config guide, so I just copied it from the 9.4.6 online help:

    Directory traversals

    Indicates that the system clears self references and performs directory traversals so that attackers cannot try to access restricted Web server files residing outside of the Web server's root directory. For example, the system turns a/b/../c to a/c and a/./b to a/b. The system performs this action on URI input.

    * Specifies, when checked (enabled), that the system takes logging or blocking action according to settings on the Blocking Policy screen. This is the default.

    * Specifies, when cleared (disabled), that the system performs the normalization process only, without logging or blocking.

    Multiple decoding passes

    Indicates that the system performs multiple decoding. For example, the system can turn a%252fb to a/b (since %252f becomes %2f after one pass, and / after the second pass). The system performs this action on URI and parameter input. Select a number to specify how many decoding passes the system performs, and the level at which the system responds with the appropriate Alarm or Block action. For example, if you set this to 3, the system performs two decoding passes, and when it performs the third decoding pass, it takes the action specified by the Learn/Alarm/Block settings of the Evasion Technique Detected category on the Blocking Policy screen.

    * Specifies, when checked (enabled), that the system takes logging or blocking action according to settings on the Blocking Policy screen. This is the default.

    * Specifies, when cleared (disabled), that the system performs the normalization process only, without logging or blocking.

    %u decoding

    Indicates that the system performs %u decoding (%UXXXX where X is a hexadecimal digit). For example, the system turns a%u002fb to a/b. The system performs this action on URI and parameter input.

    * Specifies, when checked (enabled), that the system takes logging or blocking action according to settings on the Blocking Policy screen. This is the default.

    * Specifies, when cleared (disabled), that the system performs the normalization process only, without logging or blocking.

    IIS backslashes

    Indicates that the system turns backslashes (\) into slashes (/). The system performs this action on URI input.

    * Specifies, when checked (enabled), that the system takes logging or blocking action according to settings on the Blocking Policy screen. This is the default.

    * Specifies, when cleared (disabled), that the system performs the normalization process only, without logging or blocking.

    IIS Unicode codepoints

    Indicates that, when XXXX is greater than 0x00FF, the system decodes %u according to an ANSI Latin 1 (Windows 1252) code page mapping. For example, the system turns a%u2044b to a/b. The system performs this action on URI and parameter input.

    * Specifies, when checked (enabled), that the system takes logging or blocking action according to settings on the Blocking Policy screen. This is the default.

    * Specifies, when cleared (disabled), that the system performs the normalization process only, without logging or blocking.

    Bare byte decoding

    Indicates that the system discovers characters higher than ASCII-127. This violation applies to URI input; however, for this violation the system does not change the input.

    * Specifies, when checked (enabled), that the system takes logging or blocking action according to settings on the Blocking Policy screen. This is the default.

    * Specifies, when cleared (disabled), that the system does not take any logging or blocking action.

    Apache whitespace

    Indicates that the system discovers the bytes 0x09, 0x0b, or 0x0c (a non-RFC standard of using tab for a space delimiter). The violation applies to URI input; however, for this violation the system does not change the input.

    * Specifies, when checked (enabled), that the system takes logging or blocking action according to settings on the Blocking Policy screen. This is the default.

    * Specifies, when cleared (disabled), that the system does not take any logging or blocking action.

    Bad unescape

    Indicates that the system discovers illegal URL-encoding. For example, if the two bytes after % are not hexadecimal characters, or if the four bytes after %u are not hexadecimal characters. This violation applies to URI and parameter input; however, for this violation the system does not change the input.

    * Specifies, when checked (enabled), that the system takes logging or blocking action according to settings on the Blocking Policy screen. This is the default.

    * Specifies, when cleared (disabled), that the system does not take any logging or blocking action.

    Aaron
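The normalization steps quoted in the reply above, followed by a uricontent-style match, as an added Python example that is not from the thread or from F5. It assumes a request path (string) as input, a decoding-pass setting of 3, and a one-entry stand-in for the IIS best-fit code page table; it shows why the encoded and traversal forms from the question all resolve to the same /webconsole object before the signature is compared.

```python
import re

# Constructed example, not F5's code: a request-path normaliser modelled on the
# evasion-technique steps quoted from the 9.4.6 help, plus a matcher that mimics
# uricontent:"/webconsole"; objonly; nocase;.  BEST_FIT has only the page's example.
BEST_FIT = {0x2044: "/"}  # IIS Unicode codepoints: real best-fit table is larger
MAX_PASSES = 3            # stands in for the "Multiple decoding passes" setting
ENCODED = re.compile(r"%(?:u([0-9A-Fa-f]{4})|([0-9A-Fa-f]{2}))")

def _decode_once(s):  # one %XX / %uXXXX pass; codepoints > 0xFF go via BEST_FIT
    def repl(m):
        if m.group(1) is None:
            return chr(int(m.group(2), 16))
        cp = int(m.group(1), 16)
        return BEST_FIT.get(cp, chr(cp)) if cp > 0xFF else chr(cp)
    return ENCODED.sub(repl, s)

def _resolve_dots(path):
    """a/b/../c -> a/c, a/./b -> a/b; an absolute path never climbs above '/'."""
    out = []
    for seg in path.split("/"):
        if seg == ".." and (len(out) > 1 or (out and out[0] != "")):
            out.pop()
        elif seg not in (".", ".."):
            out.append(seg)
    return "/".join(out) or "/"

def normalize(uri):
    """Return (normalised object path, list of evasion violations seen)."""
    path, violations = uri.split("?", 1)[0], []           # objonly: query ignored
    if re.search(r"%(?!u[0-9A-Fa-f]{4}|[0-9A-Fa-f]{2})", path):
        violations.append("bad unescape")
    if any(ord(c) > 127 for c in path):                   # input assumed latin-1 str
        violations.append("bare byte")
    if any(c in "\t\x0b\x0c" for c in path):
        violations.append("apache whitespace")
    passes = 0
    while passes < MAX_PASSES and ENCODED.search(path):   # multiple decoding passes
        path, passes = _decode_once(path), passes + 1
    if passes == MAX_PASSES:
        violations.append("multiple decoding passes")
    if "\\" in path:                                      # IIS backslashes
        violations.append("iis backslash")
        path = path.replace("\\", "/")
    if {".", ".."} & set(path.split("/")):
        violations.append("directory traversal")
    return _resolve_dots(path), violations

def signature_hits(uri, content="/webconsole"):
    return content.lower() in normalize(uri)[0].lower()   # nocase, after normalising
```

Each violation name corresponds to one of the help-text categories; in ASM the Blocking Policy settings decide whether those are alarmed or blocked, while the signature itself only sees the normalised path.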
  • Actually the evasion detection / normalization techniques are described somewhat in SOL7929:

    SOL7929: Working with Evasion technique detected violations

    https://support.f5.com/kb/en-us/solutions/public/7000/900/sol7929.html

    Aaron