Forum Discussion

EdgardoDeGracia
Apr 10, 2019

F5 Web Application CVE Signatures For AWS WAF - FALSE POSITIVE

I am using AWS and implemented the “F5 Web Application CVE Signatures For AWS WAF” managed rule from the AWS Marketplace.

 

I am copying the sample request that is a false positive from the AWS WAF console.

 

201.218.201.171 /course/modedit.php F5 Web Application CVE Signatures For AWS WAF Block 14:49:50
Client information:
  Source IP: 201.218.201.171
  Country: PA
Rule within rule group: 659aaaee-c124-460c-a775-22927af70a2f
Request line:
  Method: POST
  URI: /course/modedit.php
Request headers:
  Host: cursos.campusvirtualsp.org
  Content-Length: 2678
  user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
  accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
  accept-language: es,en-US;q=0.7,en;q=0.3
  accept-encoding: gzip, deflate, br
  referer: https://cursos.campusvirtualsp.org/course/modedit.php?update=34464&return=1
  content-type: application/x-www-form-urlencoded
  upgrade-insecure-requests: 1
  cookie: TinyMCE_toggle=id_config_text%3D0; _ga=GA1.2.1480395476.1554154100; _gid=GA1.2.2045071368.1554154100; SSESS03d1962463878d637285620850f8c2c7=7F0Y5UmL3_e2dNRJylnLULV1W1s0c7HQUBYJjTFZuG4; MoodleSession=3pghhd5stbsjo3sqh38grunal1; _gat=1

 

201.218.201.171 /course/modedit.php F5 Web Application CVE Signatures For AWS WAF Block 14:50:46
Client information:
  Source IP: 201.218.201.171
  Country: PA
Rule within rule group: 659aaaee-c124-460c-a775-22927af70a2f
Request line:
  Method: POST
  URI: /course/modedit.php
Request headers:
  Host: cursos.campusvirtualsp.org
  Content-Length: 2689
  user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
  accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
  accept-language: es,en-US;q=0.7,en;q=0.3
  accept-encoding: gzip, deflate, br
  referer: https://cursos.campusvirtualsp.org/course/modedit.php?update=34480&return=1
  content-type: application/x-www-form-urlencoded
  upgrade-insecure-requests: 1
  cookie: TinyMCE_toggle=id_config_text%3D0; _ga=GA1.2.1480395476.1554154100; _gid=GA1.2.2045071368.1554154100; SSESS03d1962463878d637285620850f8c2c7=7F0Y5UmL3_e2dNRJylnLULV1W1s0c7HQUBYJjTFZuG4; MoodleSession=3pghhd5stbsjo3sqh38grunal1; _gat=1

 

The rule blocks me when I try to update a course configuration in Moodle. Below, I am sharing a web form where the rule is blocking.

 

 

4 Replies

  • Is there no solution to this false positive? Is it not possible to update a simple quiz activity in Moodle thanks to this AWS rule?

     

    • boneyard

      I would contact F5 support about it if you can.

       

      I'm not very familiar with ASM in AWS; you can't disable that one signature?

       

    • EdgardoDeGraci1

      I contacted F5 support and they told me to post this issue as a question on DevCentral. The only solution I found is to change my subscription in AWS to another provider of WAF RuleGroups.

       

  • Please follow the procedure detailed in K21015971: Overview of F5 RuleGroups for AWS WAF

     

    Reporting false positives on DevCentral

     

    With full request logging you can now report on a rule that generates too many false positives. To report false positives, complete the following:

     

    • Log three to five requests that the rule has flagged as malicious requests.
    • Make sure that the requests do not contain any sensitive information; if they do, please mask the sensitive data with ****.
    • Attach the requests to a message (Ask a Question) on the DevCentral Answers forum.
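
The masking step in the procedure above, as an added example (not part of the original thread and not F5 or AWS tooling): a Python helper that replaces cookie values and selected parameter values with **** before a sampled request is posted publicly. The header and parameter name lists, the "Name: value" line layout and the sample request are assumptions constructed for illustration.

```python
import re

MASK = "****"
# Headers whose whole value is a credential (assumed list; extend for your app).
SECRET_HEADERS = {"authorization", "proxy-authorization", "x-api-key"}
# Parameter names treated as sensitive (assumed; sesskey is Moodle's session key).
SECRET_PARAMS = {"sesskey", "password", "token"}

def mask_cookies(value):
    """Keep cookie names so the request shape stays visible; hide every value."""
    parts = []
    for pair in value.split(";"):
        if not pair.strip():
            continue  # tolerate a trailing ';'
        name, sep, _ = pair.strip().partition("=")
        parts.append(f"{name}={MASK}" if sep else name)
    return "; ".join(parts)

def mask_params(text):
    """Mask sensitive parameter values in a query string or urlencoded body."""
    def repl(m):
        return f"{m.group(1)}={MASK}" if m.group(1).lower() in SECRET_PARAMS else m.group(0)
    return re.sub(r"([A-Za-z0-9_.\[\]-]+)=([^&\s]*)", repl, text)

def mask_request(raw):
    """Mask a sampled request given as 'Name: value' lines plus an optional body."""
    out = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key in ("cookie", "set-cookie"):
            line = f"{name}: {mask_cookies(value)}"
        elif sep and key in SECRET_HEADERS:
            line = f"{name}: {MASK}"
        else:
            line = mask_params(line)  # URLs in other headers and the form body
        out.append(line)
    return "\n".join(out)

# Constructed sample request (hostname, cookie and sesskey values are made up).
SAMPLE = """POST /course/modedit.php
Host: lms.example.org
content-type: application/x-www-form-urlencoded
cookie: MoodleSession=constructedsessionvalue; _gat=1

sesskey=CONSTRUCTED123&name=Quiz+1&update=34464"""

if __name__ == "__main__":
    print(mask_request(SAMPLE))
```

Non-sensitive fields such as the URI, content type and ordinary form parameters are left intact, since the vendor needs them to identify which part of the request matched the signature.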