ASM flagging legitimate traffic as "most likely a threat"
I'm fairly new to managing ASM and I'm learning on the fly. In this case, the protected application is a Jira instance. Most traffic that ASM has blocked for this application so far has been a single signature (for example, "Illegal method" or "attack signature detected"). These blocks have a violation rating of 1 or 3. Today, a user tried to upload an attachment into Jira and ASM blocked it with a violation rating of 5. There is no button for me to "accept request" on this block. The number of signatures found for these blocks seems to vary depending on the type of file being uploaded (xlsx, docx, pdf) and varies between 85 and 242 signatures flagged.
I'm not sure what to do with this. How would you go about working through this? I hate to leave my question so open-ended, but I just am not sure what to do with it.
According to F5 support, the problem was that ASM was trying to parse the attachment being uploaded. This is the job of anti-virus, not ASM. The solution was to create an allowed URL exception in the policy for this type of content.
This instructs ASM to not inspect the BODY of the request:
- Browse to: Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs
- Make sure to select the correct policy.
- Click 'Create' (for New Allowed URL).
- Change the view to 'Advanced'.
- Specify the URL (Explicit, [HTTPS] /rest/internal/2/AttachTemporaryFile).
- Uncheck staging.
- Click on 'Header-Based Content Profile':
  - Request Header Name: Content-Type
  - Request Header Value: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
  - Request Body Handling: Do nothing
  - Click 'Add'.
  - Move it up the list.
- Click 'Create'.
- Apply Policy.
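The same Allowed URL exception built through iControl REST instead of the GUI, as an added example that is not part of the original answer. The REST paths, the `urls` object field names and the `apply-policy` task are assumed from the ASM REST schema as I know it and should be checked against your BIG-IP version's API reference; `BIGIP_HOST`, the credentials and `POLICY_ID_PLACEHOLDER` are placeholders, while the URL and Content-Type come from the thread.

```python
"""Create the Jira attachment Allowed URL exception via iControl REST (assumed schema)."""
import json
import ssl
import urllib.request
from base64 import b64encode
from typing import Dict, List

# Values taken from the thread above.
ATTACH_URL = "/rest/internal/2/AttachTemporaryFile"
XLSX_TYPE = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"


def allowed_url_payload(url: str, content_types: List[str]) -> Dict:
    """Explicit HTTPS URL, staging off, one 'do-nothing' header-based content
    profile per exact Content-Type, then the default wildcard entry so every
    other body on this URL is still inspected (field names are assumed)."""
    if not url.startswith("/") or "*" in url:
        raise ValueError("keep the exception explicit; no wildcard URLs")
    profiles = [{"headerName": "Content-Type", "headerValue": ct,
                 "headerOrder": str(i + 1), "type": "do-nothing"}
                for i, ct in enumerate(content_types)]
    profiles.append({"headerName": "*", "headerValue": "*", "headerOrder": "default",
                     "type": "apply-value-and-content-signatures"})
    return {"name": url, "protocol": "https", "type": "explicit", "method": "*",
            "performStaging": False, "urlContentProfiles": profiles}


def body_inspected(payload: Dict, content_type: str) -> bool:
    """First matching profile wins (why the GUI step 'move it up the list' matters):
    only an exact Content-Type hit on a do-nothing entry skips body inspection."""
    for p in payload["urlContentProfiles"]:
        if p["headerValue"] in ("*", content_type):
            return p["type"] != "do-nothing"
    return True


def _post(host: str, path: str, payload: Dict, auth: str, ctx: ssl.SSLContext) -> Dict:
    req = urllib.request.Request(f"https://{host}{path}", data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Authorization": auth}, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    host, policy_id = "BIGIP_HOST", "POLICY_ID_PLACEHOLDER"  # placeholders
    auth = "Basic " + b64encode(b"admin:PASSWORD_PLACEHOLDER").decode()
    ctx = ssl.create_default_context()  # management cert must be trusted
    _post(host, f"/mgmt/tm/asm/policies/{policy_id}/urls",
          allowed_url_payload(ATTACH_URL, [XLSX_TYPE]), auth, ctx)
    # Nothing is enforced until Apply Policy, exactly as in the last GUI step.
    _post(host, "/mgmt/tm/asm/tasks/apply-policy", {"policyReference": {
          "link": f"https://localhost/mgmt/tm/asm/policies/{policy_id}"}}, auth, ctx)
```

Add one more `do-nothing` entry per Content-Type (docx, pdf) rather than widening the header value, so the unchecked body stays limited to the attachment types the anti-virus layer is expected to handle.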