Forum Discussion
The article SOL8866: Disabling attack signature checks for specific objects has info that I can't figure out:
You can disable attack signature checks for specific objects. This functionality allows you to prevent an attack signature from triggering for a valid URI request, header, parameters or other attributes within the request while leaving the attack signatures in place for the entire policy.
The BIG-IP ASM security policy does not trigger an attack signature if a matching signature is found for an explicitly defined object. To configure an object as an explicit object, to prevent false attack signature triggers, perform the procedure appropriate for your ASM version:
Note: This only applies for signatures that use the objonly attribute. If the signature is written using the uricontent attribute, a specific URL does not cause the attack signature to trigger.
Note: An attack signature is triggered when a signature matches the explicitly defined object and additional parts of the object, if not defined within the explicit object. This behavior is by design; it ensures that the administrator is notified, and information that attempts to pass is flagged if it has not been explicitly defined by the administrator.
I am especially puzzled by the two Note entries.
The article is about disabling signatures on some entities. That is achieved by defining, for example, an explicit URL, so what do they mean in the first note?
What does the second note mean? That if part of an explicit entity is not specified, then the signature triggers a violation?
Piotr
- gsharri (Altostratus), May 31, 2015: Piotr, I am not exactly sure what is meant by the notes. The references to "objonly" and "uricontent" refer to keywords in the attack signature syntax that control where the signature applies. An explicitly defined object can be configured to allow content that an attack signature would normally block. In this case I would recommend that you do what I do, and that is open a case with F5 support and ask them to clarify/explain what their documentation means. Scott
- dragonflymr (Cirrostratus), May 31, 2015: Thanks, it's kind of reassuring that I'm not the only one who has a problem understanding what is in the SOL :-) Piotr