Identifying ASM signatures affecting responses?

Question

Env:  LTM 11.5.2 with ASM&nbsp;
We have a security profile which appears to be affecting responses for a small set of requests, without reporting any error or block in the ASM event log. This is a REST call that accespts JSON input data, retreieves data from a database, and returns the data results as JSON.&nbsp;
When we run the query for a userid that returns a small result, there is no issue. But when we use a different userid that has more data, the client never receives the response (not a single byte gets returned, at the network level). Nevertheless, the response appears in the ASM event log (though at the top of the response content display it says "Response was truncated"), and I see content displayed, as if it had been sent back. The size of the response that has an issue isn't huge (about 15K).&nbsp;
We have only one entry in our Parameter List for this policy, "*" of type User-input value. We turned off both Value and Name meta-characters checks, just in case, with no effect. However, when we turn off signature checks for the parameter, the problem goes away.&nbsp;
So, our assumption is that some signature is processing the response, and freezing, or some other way affecting the stream going back to the client, such that bytes never get sent. But it's happening with no indication in the ASM event log.&nbsp;
How can we identify what signature is the culprit?  Is there a way to search just the signatures that parse responses, vs. request data? (the Advanced filter lumps Request/Response together).  Is there any advanced ASM signature processing logging that we can turn on, anything like that?&nbsp;
And any other thoughts on what the cause might be would be appreciated. I don't think it's size related, as the max_html setting in advanced. I thought maybe chunking, but Transfer-Encoding: chunked is appearing in both working and non-working responses.  Hmm ....&nbsp;

daboochmeister · Answer

Update.  I actually went through the signatures list for the policy, and attack type by attack type, disabled them all.  That didn't fix the problem. Then, I updated the "*" parameter by unchecking "Check attack signatures on this parameter", and it's still broken.&nbsp;
There's no denial of service policy in effect, btw. But when I remove the security policy from the virtual server, the issue goes away.&nbsp;
Kind of at my wit's end (admittedly, didn't take long to get there). No idea what it could be.  Any thoughts, even wild guesses, appreciated. I'm kind of out of theories.&nbsp;

samstep · Answer

Response Signatures do not modify the response. They DETECT an attack and raise the violation. You need to look at ASM features affecting the response as per my response here:&nbsp;
https://devcentral.f5.com/questions/any-experience-with-asm-policy-affecting-response-stream-with-no-vulnerability-attack-signature-noted-61426?&nbsp;
it is also worth raising a support case with F5&nbsp;

Forum Discussion

Identifying ASM signatures affecting responses?

2 Replies

Recent Discussions

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Unwinding the Benefits of Investing in White Label Crypto Wallet

SMTP profile not visible & showing

About AWAF "Redirect URLs" in "Responses and Blocks"

F5 iRule to replace host to path

Related Content

Unique Identifier for irules Http response

Introduction of Incident Response

Can't identify cookie

Support of WAF Signature Staging in F5 Distributed Cloud (XC)

custom response page for api