Forum Discussion

draco_184361's avatar
draco_184361
Icon for Nimbostratus rankNimbostratus
Feb 21, 2016

F5 ASM attack signature detection

the asm is detecting an sql injection and you can see in the below image when I when to check the detail of the violation, we can see that its a color code that's being rejected. Do you think that's an error? How do you just allow that particular color code for that virtual server ?

 

 

I am new to ASM, in the below image its showing http illegal response ie 500 code.but there is no option to learn it. The question is when we see a violation and violation on staged entities , is the connection getting rejected because of the http violation or the attack signature violation in the staged entity??

 

 

application delivery
ASM Advanced WAF
attacksignature
BIG-IP
security

2 Replies

Sort By
  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Feb 21, 2016

    Staged items will not cause a block, so the block is done to the HTTP response code. You can't learn these but you can add them to the policy on the main settings page of the policy. It depends whether you want to allow users to see the 500 error displayed, if not then stay as you are and they'll see an ASM block page instead.

     

    As for allowing the colour item, you can create a global parameter, as found above, and allow the attack signature on this parameter.

     

    The Traffic Learning section should offer to do this policy change for you, rather than manually.

     

    Hope this helps,

     

    N

     

  • nolipineda's avatar
    nolipineda
    Icon for Altostratus rankAltostratus
    Feb 21, 2016
    Hi, From your screen captures, illegal response code was the reason for the blocked request. The allowed responses can be configured in the policy. In addition, the response code is Informational only. Not sure what your reasons are for blocking informational events.