Forum Discussion

Nuruddin_Ahmed_
Nov 07, 2017

Exchange behind ASM and XSS

Hi, I want to know if enabling all "cross site scripting" signatures for Exchange can cause false positive alerts/blocks. I want to enable it but am afraid of too many false positive blocks. Exchange published via default ASM templates gives a hard time with JSON blocks for OWA, and I am afraid of a similar thing with cross site scripting. Need your valuable feedback.

 

2 Replies

  • ASA Nuruddin,

    My suggestion is to add the "Cross Site Scripting" signatures and keep only "Learn" and "Alarm" checked. So you have to uncheck the "Block" action.

    Keep this configuration for 2 weeks, for example, and after that verify from the "Event Logs" if you got too many incidents. In this case you can fine-tune your policy.

    N.B.: If the VS is exposed on the internet, be sure to identify the authorized traffic and not accept malicious traffic.

    Hope it helps.

    Regards

  • Can you specify which "default ASM templates" you have tried? The template policy you pick must match your application version. The config of a particular policy may work with one software version but not another. Maybe this could be your problem? Also make sure you have updated to the latest revision of the ASM Attack Detection Signatures. ASM policy templates provided by F5 for popular applications like Exchange are generally vetted properly and should work out of the box.