Forum Discussion

swo0sh_gt_13163's avatar
swo0sh_gt_13163
Icon for Altostratus rankAltostratus
Jan 18, 2016

Multiple violaions for File-upload behind ASM

Hello Folks,

I am experiencing quite weird behavior with F5 ASM on 11.6.0 HF6 with one of the customers. The issue is, ASM is detecting file uploading as a malicious traffic and triggering multiple different signatures.

Though I have created a file uploading parameter, which found from the HTTP REQUEST HEADER within "multipart/form-data". However it seems ineffective. Following is the complete HTTP REQUEST.

POST /epublicsector_ara/start.swe?SRN=KLyBkgFt7u1DMFqJX4yyLqXNbSyceuTBcqcSB4KzKcgb HTTP/1.1
 SWESession: TS01d3802b=011bd6b25032ca6b64b728506e93375f4851f91fa2362a319f7ff7390920ffb3781595bbf4ff1db9dd55f89a7367c3113fb808b1d410723dd3805ffe617641dcd661da8c82; SWEUAID=none; SGCRM-COOKIE=3935173898.20480.0000; TS0160d34b=011bd6b250cc5c5419ac4c3d1645b0be3eeda26635f3e94a2e94ba76915da8199f08ec69d177fcca8a8938559fa14b5b3940f9c495
 Content-Type: multipart/form-data; boundary=------------------------------1453093530
 Content-Length: 88852
 Connection: Keep-Alive
 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3)
 Host: 1gov.abudhabi.ae
 Cache-Control: no-cache
 Cookie: _sn=OQ0ZDiRGueyA88dyhdKGs6B4gHCYXPRHfrMe6zxEYnLS.JwbT1OMP8iVOAg1ZaB7IYpcyX4IlQQxNAOTGpU7yqT0StvTXa6ssmT1YcV3ZU9wrDSMvchu6DPcDAzDPFDGLkZhsJmNzJh.Rp23kIB.N84iEdgjsExDoNe5GryIJzDcJypyYJaZuAQnhFZAXqs4alaabrpoH4Y_; TS01d3802b=011bd6b25032ca6b64b728506e93375f4851f91fa2362a319f7ff7390920ffb3781595bbf4ff1db9dd55f89a7367c3113fb808b1d410723dd3805ffe617641dcd661da8c82; SWEUAID=none; SGCRM-COOKIE=3935173898.20480.0000; TS0160d34b=011bd6b2504813b2ac7dbc505636fef65aa62b48dadbd2f087624e744621fcb2297ee21aaf7d873a84e117fc409408d273ef1a6af2
 X-Forwarded-For: 10.113.0.25

 ------------------------------1453093530
 Content-Disposition: form-data; name="SWEView"

 HLS Case Note View
 ------------------------------1453093530
 Content-Disposition: form-data; name="SWEApplet"

 HLS Case Attachment Applet
 ------------------------------1453093530
 Content-Disposition: form-data; name="SWERowIds"

 SWERowId0=1-KUA4ND
 ------------------------------1453093530
 Content-Disposition: form-data; name="SWECmd"

 InvokeMethod
 ------------------------------1453093530
 Content-Disposition: form-data; name="SWEMethod"

 NewFileAttachment
 ------------------------------1453093530
 Content-Disposition: form-data; name="SWERPC"

 1
 ------------------------------1453093530
 Content-Disposition: form-data; name="s_SweFileName"; filename="C:%5cUsers%5cm.rashed%5cDesktop%5cNew%20folder%20(7)%5c%d8%a8%d9%82%d8%a7%d9%84%d8%a9.pdf"
 Content-Type: application/octet-stream

 %PDF-1.4
 1 0 obj
 <<
 /Creator (Oracle11gR1 AS Reports Services)
 /CreationDate (D:20151004082642)
 /ModDate (D:20151004082642)
 /Producer (Oracle PDF driver)
 /Title ()
 /Author (Oracle Reports)
 >>
 endobj
 5 0 obj
 <>
 ...
 .......

The File Uploading Parameter I have created is

"s_SweFileName"
, also followed the below article which I thought will be useful in this scenario, but that didn't help.

https://devcentral.f5.com/articles/file-uploads-and-asm

Can anyone help me fine-tuning / understanding what needs to be done to avoid this false positive? It is tedious job to keep on ignoring all the signatures and also relaxing security to that level is not acceptable, right?

Looking for your help.

Thank you, Darshan

4 Replies

    • draco's avatar
      draco
      Icon for Nimbostratus rankNimbostratus

      Hi

       

      did you get this to work ?

       

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP

      i would advise you to start a new question with your specific details, i have doubts you are running the same version and exact same website. so share your details, provide the violation information exact as shown and perhaps some can help here.

       

  • We are experiencing the same problem. Can somebody please have a look at this?

     

    Thanks !