Forum Discussion

SIEM_281457
Jul 26, 2016

Illegal meta character in value

How to fine-tune the "Illegal meta character in value"? However, the device custom string is "filenetservice" and in some cases it's the Exchange ASM policy. Please suggest how to fine-tune this alert.

 

8 Replies

  • Security -> Application Security -> Parameters -> Character Set -> Parameter Value -> Select "meta characters only" -> Disallow/Allow individual meta characters as needed

    To find out which meta characters are causing the violations, you must check your ASM request/blocking logs.

    • SIEM_281457

      I don't have access to the F5 device, as the appliance is managed by the other team. I am investigating on the SIEM solution and observing these alerts for the traffic relayed from ASM to the Exchange server, for one of the policies: “/Common/Exchange_asm_policy”.

      Kindly let me know what possible information I need to gather from the concerned team.

       

    • Hannes_Rapp

      Provide them the full request log for an investigation. They can pick the solution they prefer themselves. One option is to allow the conflicting meta-character to exist in parameter value. This solution is applicable if they conclude there's no chance the request could be malicious.

       

    • SIEM_281457

      Thanks Hannes Rapp for your valuable information and support.

       
