Forum Discussion

erol_dogan_1164
Nov 10, 2013

ASM detecting but not blocking the attack

Hello all,

I am using ASM with an Apache Tomcat-based web application behind it. I am testing the negative security accuracy of the ASM and realized that it is not blocking the attacks even though it detects that the request violates the attack signature.

The security policy is configured in blocking and manual mode. Signature staging is disabled, with all available signatures included in the policy.

The issue is that once the attack (for example SQL injection) is launched, ASM detects that the request matches the attack signature and shows it on the Manual Traffic Learning -> Attack signatures detected page. When you go one step further and check the details of the incidents listed under this page, you see that ASM is considering the request legal!

No logs are available under the Event Logs tab.

It will be highly appreciated if anyone explains this behaviour. Is it expected or something like a bug?

 

5 Replies

  • Hi,

    You need to check all entities referring to this attack. If you try an SQL injection on a parameter, you need to check "this" parameter or the wildcard. Staging (tightening as well on < 11.3) mode must be disabled.

    If ASM sees the attack, that means the signature works. Check where the attack occurs (parameter ...) and you will block it. I used to see this behavior when global staging is not finished --> mainly on parameters.

    Let us know. Matt

  • Hello Matt,

    I noticed that it is exactly the case you advised. Thank you :)

    When I checked the parameter (actually it is a wildcard) referring to the attack, it was by default in staging mode. When I disabled staging, the system started to block the violations.

    Regards

    Erol

    • Ahmad_Faiz_1405

      Hi Erol, the same situation happened to me, in which all testing made for SQL Injection goes under the Manual Traffic Learning -> Attack signatures detected page and does not appear in Event Logs. I tried to disable staging mode on the wildcard parameter but still no luck. Besides that, I also included and enabled all SQL Injection signatures at Security ›› Application Security : Parameters : Parameters List ›› Parameter Properties ›› Attack Signatures. Any way you can advise whether there is any additional setting that needs to be made to start blocking the violations and have them appear in event logs? Looking forward to hearing from you on how you solved this issue :) Rgds, Faiz
  • Hey Guys, I'm currently dealing with the same behaviour. I'm running 11.4 and staging is disabled. I am trying to lock down an ASM policy so that only certain URLs are made public. I do see the URLs being registered as illegal in event logging, but we are still able to access them through the device. This is happening in my manual and automatic policies. In the automatic policy, I see that access to these URLs ends up in the "violations on URLs" category. Since illegal URL isn't really a signature, I should be able to simply block this by adding it to the disallowed URL category, right?