mm_pen_242283
Nov 09, 2016Nimbostratus
Viewing F5 provided ASM attack signature
Hi experts.
I noticed signatures that are matching certain strings (e.g. "more", "at", "id", "tar") in HTTP transactions may be quite dangerous in terms of false positives. There are many occurrences in our environment where legitimate user traffic carries such "words" in parameter values or URL paths.
Does F5 ASM allow one to validate (read, analyze) the F5 provided signatures syntax (regex ...) in order to understand, how they are being triggered? Please note that I am only asking about F5 default signature sets, not user-defined ones (those I know one is allowed to edit and export).
Regards, mm