mwitt_65218
May 26, 2009 | Nimbostratus
1) F5 creating a Global parameter when I already have an Object parameter; 2) Illegal Request and Object Lengths
Greetings,
I had created the parameter called username and made it an object parameter with Object Path HTTPS and /https://secure.stinson.com/bds/Loginsubmit.do. I allowed the Meta Character @ for that parameter and disabled the Attack Signature SQL-INJ ROOT@ for that parameter so that the user jroot@morrison.com could enter his email address as username. I had created the object for that page, an object with Basic Object Properties and Protocol HTTPS. The Object Name is Explicit and has /https://secure.stinson.com/bds/Loginsubmit.do.
During the weekend jroot@morrison.com logged in. This morning I see the error in Reports. The Request Violation is Illegal Meta Character In Parameter Value, and it says IN STAGING for Learn, Alarm, and Block. The Requested Object of the error is [HTTPS]/bds/LoginSubmit.do. The Parameter Name=Value reads username=jroot@morrison.com, the Parameter Violations reads Illegal Meta Character In Parameter Value, and the Parameter Level reads Global Parameter. The Signature Name is SQL-INJ ROOT@ and the Value is jroot@morrison.com.
So it seems that F5 created a GLOBAL username parameter when I already had an object parameter for this page. Why did F5 create this username global parameter when I already had the username object parameter? Should I delete the username global parameter that it seems was created by F5, and if so, will F5 create it again in the future in the same fashion? Or should I allow the particular Meta Character and disable the particular Attack Sig for this global parameter that it seems F5 created? Or should I just click ACCEPT on the log/error for this GLOBAL username parameter that F5 must have created of its own accord?
Also, I have been clicking ACCEPT for bunches of logs in the Reports section that concern Illegal Request Length and Illegal Object Length. Block is not checked, though; only Learn and Alarm are checked. It would seem that blocking would occur if and when I were to check Block. The director of network security does not want me to change the allowable length globally. He says to whitelist the specific message/URL showing up in the report as acceptable. I have clicked ACCEPT on these logs as they occur, but new logs with Illegal Request Length and Illegal Object Length keep occurring. Is clicking ACCEPT in the logs a way to whitelist the specific message/URL showing up as acceptable? If so, why do new logs arise with the same type of Illegal Request and Object Lengths?
Thanks much in advance!
mwitt
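As an added illustration (not part of the original post, and not F5 ASM's own logic), here is a simplified Python model of how a WAF chooses between an object-level and a global parameter policy for a request. It assumes object paths are compared exactly (case-sensitively) and uses the paths from the post as constructed sample data, so it shows what happens when a request for /bds/LoginSubmit.do is checked against an object configured as /bds/Loginsubmit.do under that assumption.

```python
from dataclasses import dataclass, field

META_CHARS = {"@", "<", ">", "'", ";"}          # constructed meta-character set

@dataclass
class ParamPolicy:
    name: str
    allowed_meta: set = field(default_factory=set)    # meta characters allowed
    disabled_sigs: set = field(default_factory=set)   # attack signatures disabled

@dataclass
class Policy:
    objects: dict                  # (protocol, path) -> {param name: ParamPolicy}
    global_params: dict            # param name -> ParamPolicy
    case_sensitive: bool = True    # assumption: object paths are compared exactly

def resolve(policy, protocol, path, name):
    """Pick the parameter policy that applies: object level if the requested
    object matches a configured object, otherwise the global parameter."""
    def norm(p, u):
        return (p, u) if policy.case_sensitive else (p.upper(), u.lower())
    objects = {norm(p, u): params for (p, u), params in policy.objects.items()}
    obj_params = objects.get(norm(protocol, path), {})
    if name in obj_params:
        return "Object Parameter", obj_params[name]
    return "Global Parameter", policy.global_params.get(name, ParamPolicy(name))

def check_value(param_policy, value):
    """Return the violations raised for value under param_policy (constructed rules)."""
    violations = []
    if {c for c in value if c in META_CHARS} - param_policy.allowed_meta:
        violations.append("Illegal Meta Character In Parameter Value")
    if "root@" in value.lower() and "SQL-INJ ROOT@" not in param_policy.disabled_sigs:
        violations.append("SQL-INJ ROOT@")
    return violations

def evaluate(policy, protocol, path, name, value):
    """Return (parameter level used, list of violations) for one request parameter."""
    level, pp = resolve(policy, protocol, path, name)
    return level, check_value(pp, value)

# Constructed policy mirroring the post: object parameter on Loginsubmit.do
# with "@" allowed and the ROOT@ signature disabled; an untuned global "username".
tuned = ParamPolicy("username", allowed_meta={"@"}, disabled_sigs={"SQL-INJ ROOT@"})
POLICY = Policy(objects={("HTTPS", "/bds/Loginsubmit.do"): {"username": tuned}},
                global_params={"username": ParamPolicy("username")})

if __name__ == "__main__":
    # The logged request hit /bds/LoginSubmit.do (capital S), not the configured object.
    print(evaluate(POLICY, "HTTPS", "/bds/LoginSubmit.do", "username", "jroot@morrison.com"))
    print(evaluate(POLICY, "HTTPS", "/bds/Loginsubmit.do", "username", "jroot@morrison.com"))
```

Flipping `case_sensitive` to False makes the same request resolve to the tuned object parameter, which is the difference a practitioner would check first when the report shows a Global Parameter level for a URL that looks like a configured object.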