Forum Discussion

beefy80
Jun 17, 2016

ASM Flagging JSON Payload Base 64 encoded data as a violation

Hello

I have some policies that are accepting encrypted data which has then been encoded with Base64 and sent in a JSON document. However, sometimes this data gets rejected as an attack signature has been triggered. I would really like to leave Attack signature checking on the JSON profile but would like to find a way of filtering out just these signatures that get triggered without blocking legitimate traffic. Currently the URL is in Staging which is allowing them through but I should really enforce this at some point and at that time these violations will get blocked.

Has anyone got any suggestions on how I could achieve this? I have been looking at iRules that would unblock a request if certain criteria are met.

James

6 Replies

  • Chris, I am seeing Violations in a base64 payload. An example of this was that we had 'sysibm' appear as a string within the base64 data. There have been some more attack signatures being triggered but I cannot find any examples of these at this time. I have only learnt the sysibm one but the others have been deleted from the suggestion and not learnt. I would guess that I am going to hit this issue with attack signatures that are looking for specific words like the example above.

    Ideally I don't want to disable the filters, but rather unblock the request if it matches criteria. This ASM is being used for a real-time REST service so once the URL is enforced I need to minimize the chance of a false positive on attack signatures.

    • Did you find a solution for this? I got false positives in base64-encoded XML data in SOAP POSTs.

    • beefy80

      magnus78, I never found a solution for this and still currently disable filters as needed.

  • Looks like a bug to me - please raise an issue with F5 support (support@)
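
Added example (not part of the thread and not F5 code): a short Python estimate of how often a keyword signature such as the 'sysibm' one mentioned above will match Base64-encoded ciphertext purely by chance, plus constructed bytes that reproduce such a match. It assumes the ciphertext is uniformly random and that the signature matches case-insensitively; the payload size and request count used with it are constructed values.

```python
import base64
import string

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/")


def can_appear_in_base64(keyword: str) -> bool:
    """True if every character of the keyword is a Base64 symbol."""
    return all(c in B64_ALPHABET for c in keyword)


def per_position_probability(keyword: str, case_insensitive: bool = True) -> float:
    """Chance that random Base64 text matches the keyword at one given offset."""
    p = 1.0
    for c in keyword:
        # Assumption: a case-insensitive signature accepts two symbols per letter.
        choices = 2 if (case_insensitive and c.isalpha()) else 1
        p *= choices / 64
    return p


def expected_hits(keyword: str, payload_bytes: int, requests: int) -> float:
    """Expected chance matches over `requests` payloads of random bytes."""
    b64_len = 4 * ((payload_bytes + 2) // 3)
    offsets = max(b64_len - len(keyword) + 1, 0)
    return offsets * per_position_probability(keyword) * requests


def ciphertext_that_encodes(keyword: str, prefix_blocks: int = 2) -> bytes:
    """Constructed bytes whose Base64 form contains the keyword."""
    padded = keyword + "A" * (-len(keyword) % 4)  # fill to a 4-symbol boundary
    return b"\x00" * (3 * prefix_blocks) + base64.b64decode(padded)


def encoded_form_contains(data: bytes, keyword: str) -> bool:
    """Case-insensitive keyword search over the Base64 encoding of data."""
    return keyword.lower() in base64.b64encode(data).decode("ascii").lower()


if __name__ == "__main__":
    kw = "sysibm"  # the keyword reported in the thread
    print(can_appear_in_base64(kw), per_position_probability(kw))
    # Constructed traffic profile: 3000-byte payloads, one million requests.
    print(round(expected_hits(kw, 3000, 1_000_000), 2))
    print(encoded_form_contains(ciphertext_that_encodes(kw), kw))
```

Keywords containing characters outside the Base64 alphabet (angle brackets, quotes, spaces) cannot match the encoded form at all, so only purely alphanumeric signatures are candidates for this kind of false positive.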