Topic
In BIG-IP ASM 10.0.0 and later, 9.4.7, 9.4.6 HF1, and 9.4.5 HF2, the BIG-IP ASM bd process limits the recursion depth when matching request data against regular expressions. This limit bounds the amount of resources that can be dedicated to any one evaluation operation. Certain combinations of attack signatures and request payloads may result in a long recursive evaluation that reaches the maximum depth before the system determines whether the attack signature matches. In such cases, the request is marked as a match for the signature because the BIG-IP ASM system has not yet determined that the request is not a match. While this design may result in false positive violations, it ensures that unverified requests are not passed through the attack signature engine.
Description
Determining whether the recursion depth limit triggered a false positive violation
You can verify whether a violation is the result of the maximum recursion depth being reached rather than an explicit match. To do so, refer to the section that applies to your version:
BIG-IP ASM 10.1.0 and later
Starting in BIG-IP ASM 10.1.0, when the recursion limit is reached for a request, the BIG-IP ASM bd process stops attempting to match the attack signature, and the BIG-IP ASM system reports an attack signature violation with a message in the context details description that appears similar to the following example:
The signature is not matched. The matching process exceeded the maximum number of allowed recursions.
You can view the context details in the BIG-IP ASM Configuration utility. To do so, perform the following procedure:
- Go to the BIG-IP ASM reporting tool.
- Locate the request in question and select the URL hyperlink under Requested URL.
- Select the Attack Signature Detected link in the Violations list.
- Select the View Details link.
BIG-IP ASM 9.4.5 HF2, 9.4.6 HF1, and 9.4.7 through 10.0.1
In BIG-IP ASM 9.4.5 HF2, 9.4.6 HF1, and 9.4.7 through 10.0.1, when the recursion limit is reached for a request, the BIG-IP ASM bd process stops attempting to match the attack signature, and the BIG-IP ASM system reports an attack signature violation that is indistinguishable from a true positive match.
If the violation is the result of a user-defined attack signature, you can check the request contents against the regular expression in the attack signature without limiting recursion. To do so, use any standard regular expression validator that does not enforce a recursion depth limit, such as the RegExp Validator utility in the BIG-IP ASM Configuration utility. If the validation utility indicates that there is no match, the violation is most likely a false positive caused by the recursion depth limit being exceeded.
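To make concrete both the fail-closed behaviour described under Topic and the unlimited re-check described above, here is an added illustrative example; it is not the BIG-IP ASM bd process (which uses PCRE), but a toy backtracking matcher that counts recursive calls, reports "limit exceeded" as a third outcome distinct from "no match", and applies the same treat-undecided-as-match rule. The pattern, the payload and the call budget of 5000 are constructed values chosen for the demonstration.

```python
from enum import Enum

class Verdict(Enum):
    MATCH = "matched"
    NO_MATCH = "not matched"
    LIMIT_EXCEEDED = "not matched; maximum number of allowed recursions exceeded"

def evaluate(pattern, text, max_calls):
    """Unanchored backtracking match for literals, '.' and '*'.
    Each recursive call counts toward max_calls (a simplification of PCRE's
    match limits, not ASM's real engine). Returns (Verdict, calls_used)."""
    calls = 0

    def match_here(p, t):
        nonlocal calls
        calls += 1
        if calls > max_calls:
            raise RecursionError("match limit exceeded")  # engine gives up undecided
        if not p:
            return True                                   # pattern exhausted: match
        if len(p) > 1 and p[1] == "*":                    # p[0]*: try 0, 1, 2, ... reps
            i = 0
            while True:
                if match_here(p[2:], t[i:]):
                    return True
                if i < len(t) and (p[0] == "." or p[0] == t[i]):
                    i += 1                                # consume one more char, retry
                else:
                    return False
        if t and (p[0] == "." or p[0] == t[0]):
            return match_here(p[1:], t[1:])
        return False

    try:
        matched = any(match_here(pattern, text[s:]) for s in range(len(text) + 1))
    except RecursionError:
        return Verdict.LIMIT_EXCEEDED, calls
    return (Verdict.MATCH if matched else Verdict.NO_MATCH), calls

def is_violation(verdict):
    """Fail-closed rule from the article: an undecided evaluation counts as a match."""
    return verdict is not Verdict.NO_MATCH

if __name__ == "__main__":
    # Constructed sample: stacked quantifiers and a payload that contains no 'b'.
    pattern, payload = "a*a*a*a*b", "a" * 25
    limited, n = evaluate(pattern, payload, max_calls=5000)
    recheck, m = evaluate(pattern, payload, max_calls=10**6)
    print(f"limited engine: {limited.value} ({n} calls) -> violation={is_violation(limited)}")
    print(f"unlimited recheck: {recheck.value} ({m} calls) -> false positive")
```

The limited run raises a violation without ever deciding the match, while the unlimited re-check returns "not matched", which is the signal the paragraph above describes for identifying a recursion-limit false positive.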
If the violation is the result of a system-supplied attack signature, you will not be able to verify the request contents against the regular expressions for the attack signature in question; the rule logic for system-supplied attack signatures is not disclosed.
Note: For more information about attack signature logic, refer to K8771 – Attack signature logic is not viewable on the BIG-IP ASM system.
To verify whether a system-supplied attack signature produced a false positive because of the recursion depth limit, F5 recommends that you upgrade to BIG-IP ASM 10.1.0 or later and perform the procedure in the BIG-IP ASM 10.1.0 and later section of this article. For information about upgrading, refer to the BIG-IP ASM release notes.
Note: If you require assistance verifying a false positive on a version prior to 10.2.0, you may also contact F5 Technical Support. For information about creating a new support case, refer to K2633: Instructions for submitting a support case to F5.
F5 Product Development tracked an enhancement request to make the recursion depth a user-configurable option as ID 293513 (formerly CR129104). This feature is available in BIG-IP ASM 10.2.1 and later. For more information, refer to K12884: Configuring BIG-IP ASM maximum recursion depth for PCRE attack signatures.