Forum Discussion
8 Replies
- ragunath154 (Cirrostratus)
You can add the language header in the header allow list and disable the signature triggering the vi command violation only for this header name.
- TsukiAzuma (Altostratus)
Thank you for your advice.
But the request contains many "vi" characters. It looks like:
POST /login HTTP/1.1\r\nConnection: upgrade\r\nHost: xxx\r\nX-Real-IP: xxx\r\nX-Forwarded-For: xxx, xxx\r\nX-Nginx-Proxy: true\r\nContent-Length: 675\r\ncache-control: max-age=0\r\nupgrade-insecure-requests: 1\r\norigin: xxx\r\ncontent-type: application/x-www-form-urlencoded\r\nuser-agent: Mozilla/5.0 (Linux; U; Android 12; vi-vn; CPH2043 Build/SP1A.210812.016) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.88 Mobile Safari/537.36 HeyTapBrowser/45.9.0.1\r\naccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nsec-fetch-site: same-origin\r\nsec-fetch-mode: navigate\r\nsec-fetch-user: ?1\r\nsec-fetch-dest: document\r\nreferer: xxx?type=cn\r\naccept-encoding: gzip, deflate, br\r\naccept-language: vi-VN,vi;q=0.9,en-US;q=0.8,en;q=0.7\r\ncookie: xxx
Hi TsukiAzuma,
Would you please share the violation that F5 WAF produces against this request?
- TsukiAzuma (Altostratus)
Do you mean that?
violations="Illegal meta character in value,Attack signature detected",support_id="6258108010622842152",request_status="blocked",response_code="0",ip_client="xxx",route_domain="0",method="POST",protocol="HTTPS",query_string="",x_forwarded_for_header_value="xxx, xxx",sig_ids="200003086",sig_names="%22vi%22 execution attempt",date_time="2022-12-07 15:32:38",severity="Error",attack_type="Abuse of Functionality,Command Execution",geo_location="N/A",ip_address_intelligence="N/A",username="N/A",session_id="d080b92a930b4a2",src_port="xxx",dest_port="xxx",dest_ip="xxx",sub_violations="",virus_name="N/A",violation_rating="2",websocket_direction="N/A",websocket_message_type="N/A",device_id="N/A",staged_sig_ids="",staged_sig_names="",blocking_exception_reason="N/A",captcha_result="not_received",uri="/login"
Hi TsukiAzuma,
Try to define the impacted URL and its parameters as an explicit entity in allowed URLs. After that, allow the attack signature that blocks your requests to this URL, and do the same with meta characters under this URL's parameter: allow the meta character that blocks you when this request comes to F5.
I will send some snapshots from my lab that will help:
1- Create an explicit URL "/login" with the POST method:
> Get the attack signature ID, search in the "Global security policy setting bar" by this ID, and drag it from the right table to the left. This way you allow this attack signature under this URL only.
2- After that, create the parameters that come with this URL in the "POST" data and allow the meta character. You can do this by selecting the URL Parameters tab in the last snapshot and proceeding:
> After doing that, your request shouldn't be blocked.
> Note: I do not know what your parameters under this requested URL are; you should know them and be able to add the impacted parameter as in the last snapshot.
> Read this article carefully, it will show you more:
https://support.f5.com/csp/article/K64208044
I hope this helps you.
Regards
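
An added example, not part of any post in this thread and not F5 code: before scoping an exception to one URL as suggested above, it helps to confirm from the WAF log which method and URI the signature actually blocks. The sketch below parses entries in the key="value" layout quoted in the thread; the sample lines are constructed, the function names are hypothetical, and it assumes `sig_ids` and `sig_names` are comma-separated in the same order.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in the key="value" layout of the entry quoted in
# the thread; only the fields used below are kept.
SAMPLE_LOG = [
    'violations="Illegal meta character in value,Attack signature detected",'
    'request_status="blocked",method="POST",sig_ids="200003086",'
    'sig_names="%22vi%22 execution attempt",uri="/login"',
    'violations="Attack signature detected",request_status="blocked",'
    'method="POST",sig_ids="200003086",'
    'sig_names="%22vi%22 execution attempt",uri="/login"',
    'violations="",request_status="passed",method="GET",sig_ids="",'
    'sig_names="",uri="/index"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_entry(line):
    """Turn one key="value",... line into a dict of raw field strings."""
    return dict(FIELD_RE.findall(line))


def split_list(value):
    """Split a comma-separated field, dropping empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def blocked_signatures(lines):
    """Return ({(method, uri): {sig_id: hits}}, {sig_id: decoded name})."""
    hits = defaultdict(lambda: defaultdict(int))
    names = {}
    for line in lines:
        entry = parse_entry(line)
        if entry.get("request_status") != "blocked":
            continue
        ids = split_list(entry.get("sig_ids", ""))
        # Assumption: sig_names lists names in the same order as sig_ids.
        decoded = [unquote(n) for n in split_list(entry.get("sig_names", ""))]
        for sig_id, name in zip(ids, decoded):
            names[sig_id] = name
            hits[(entry.get("method"), entry.get("uri"))][sig_id] += 1
    return {key: dict(val) for key, val in hits.items()}, names


if __name__ == "__main__":
    print(blocked_signatures(SAMPLE_LOG))
```

If the signature only ever fires on one method and URI, a per-URL exception is enough and the signature can stay enforced everywhere else.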