Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP Application Security Manager

Evasion Technique Detection in F5 ASM/AWAF

Evasion techniques are tactics used by attackers to bypass security measures by encoding or manipulating requests in ways that may evade detection. F5 ASM (Application Security Manager) has mechanisms in place to detect and mitigate such attempts by using a Normalization Process.

Normalization Process and Evasion Detection

Normalization refers to the process of decoding and standardizing requests that may have been encoded or obfuscated to evade security defenses. When a request is received by the system, it may be encoded multiple times to mask malicious content, making it harder for the system to detect attack signatures. F5 ASM performs decoding passes to ensure requests are processed in a consistent and secure manner.

Key Aspects of Evasion Detection:

  1. Multiple Decoding Passes:

    • F5 ASM performs multiple passes of decoding (up to five) to uncover hidden or obfuscated malicious content. Each pass decodes the request one level further, ensuring any evasion technique involving double or triple encoding is detected.

  2. Pass Count and Its Impact:

    • Default Setting: The default value for multiple decoding passes is set to 2. This means the system will attempt to decode the request twice to normalize it before analyzing for threats.

    • Higher Decoding Passes: Increasing the number of decoding passes (3-5) ensures deeper decoding, but it comes at the cost of system performance.

      • More passes (e.g., 4 or 5) could lead to slower processing of requests but provide more thorough inspection, detecting more complex evasion attempts.

  3. Evasion Technique Triggering:

    • Evasion Trigger: When the system fails to normalize a request correctly (due to complex or multiple encodings), it triggers an evasion technique. This indicates that the system has encountered a request that likely employs evasion techniques.

  4. Impact of Decoding Passes on Detection:

    • 2-3 Decoding Passes:

      • This is typically the minimum setting to detect evasion techniques.

      • Requests that are obfuscated using multiple encodings will trigger an evasion technique, but may not trigger an attack signature (if one exists), since the attack signature is likely hidden by the encoding.

    • 4 Decoding Passes:

      • This setting is more aggressive in decoding, which can uncover evasion tactics and also trigger an attack signature if one exists, in addition to detecting the evasion technique.

    • 5 Decoding Passes:

      • With this setting, the system performs extensive normalization.

      • It will trigger an attack signature (if one is configured) and does not trigger an evasion technique. This indicates that the system has decoded the request thoroughly enough to recognize any attack signature that matches.

Recommended Practices:

  1. Lower Pass Counts (2-3):

    • Use blocking for evasion detection when setting the decoding passes to 2-3. This ensures that potentially dangerous requests are blocked before they can cause harm.

    • These settings are ideal for handling basic evasion techniques while balancing performance and security.

  2. Higher Pass Counts (4-5):

    • If you need more robust protection, increasing the decoding passes can provide deeper analysis, especially for more sophisticated evasion attempts.

    • However, keep in mind the performance trade-off—the higher the number of decoding passes, the more intensive the processing.

  3. Balancing Performance and Security:

    • F5 recommends using fewer decoding passes (2-3) if system performance is a concern, as it strikes a balance between security and speed.

    • For highly sensitive applications or environments where evasion is a significant concern, using 4-5 passes may be warranted, especially if performance can be sacrificed for security.

  4. Configure Global Evasion Checks:

    • Evasion technique checks are applied globally to the security policy, ensuring that any attempts to bypass the policy through encoding techniques are detected consistently across the application.

Summary of Decoding Passes:

Decoding Passes

Trigger Actions

Impact

2-3 Passes

- Triggers Evasion Technique - Does not trigger attack signature

Balances performance and security for basic evasion

4 Passes

- Triggers Evasion Technique - Triggers Attack Signature (if exists)

Higher security with moderate performance impact

5 Passes

- Triggers Attack Signature (if exists) - Does not trigger evasion technique

Deepest normalization, highest security, performance-heavy

By adjusting the decoding pass settings appropriately and enabling the proper evasion technique detection, F5 ASM/AWAF helps mitigate the risks of attack evasion while maintaining the overall security and performance of web applications.

PreviousSession Tracking and Session Awareness in F5 ASM/AWAFNextImportant Tips about Security Policy in F5 ASM/AWAF

Last updated 3 months ago