Forum Discussion

Aurel
Feb 15, 2019

ASM signature 200011026 different behaviour from 11.5.x to 12.x

Hello,

A POST request (multipart/form-data) with a PNG file inside is being blocked by ASM version 11.5.4. The request has the Content-Type header badly crafted inside the body part, and ASM is then parsing the multipart body in a very bad way.

I am trying to understand why, in a v12 version of ASM, the exact same request is not triggering this signature 200011026 (all signature sets loaded in the policy).

The signature is part of the Generic Set, the one you have without doing anything more when creating the policy, but I have still added all sets.

Thanks for any advice or experience sharing.

 

6 Replies

  • If you think that either a) this signature has been redefined in a way that means it is missing malicious content or b) the signature is not being processed correctly, this probably merits a support call.

     

    Signatures can change from version to version, usually in order to make the signature more accurate.

     

    • Aurel

      Hi, indeed the code is not the same, probably more accurate, matching less content and avoiding more false positives, or being covered by another signature.

      I finally got a match after many tests, but on a different part of the request.

       

    • rob_carr_76748

      That can happen sometimes, where a violation detected on a request will 'shadow' (my term) a violation that occurs later in the request. It's more common in older versions, i.e. in my recent experience ASM does better catching all violations in a request, not just stopping at the first significant issue.

       
