Automatic Policy Building (APB)


Hi All


Trying to determine the best approach forward with APB.

Using the Automatic policy building to learn the site.

Two questions:

1) How can I undo (un-learn) a recommendation after having chosen to "learn" the violation?

--From what I understand the "learn" option basically tells ASM to accept the content?


2) The web site has over 900 URLs, 200 parameters and 19 file types. If I turn off (disable) the APB feature, what will happen to the user experience when a new URL is accessed or a new parameter/file type is attempted?

-- I'm guessing the user is going to receive the STD F5 error response page? (STD because I haven't modified it)


Version:  BIG-IP 10.2.0 Build 1789.0 Hotfix HF2

4 Answer(s):

Hi Riddlerman.
To undo a policy change you will need to manually edit the policy and undo manually what the policy builder has changed.
If you disable the policy builder then the policy will not continue to be enhanced. It doesn't mean that you will be blocked when a new URL or parameter has been added to the website; it really depends on what you have within your policy now, the blocking/staging settings, and whether the new URL or parameter will generate a violation or not. It is really hard to tell without looking at your policy.

Do you also use manual policy building (Learning)?
Hi Ido
I tried the below in the login box
$username = 1' or '1' = '1
$password = 1' or '1' = '1

The violation was detected, I chose to learn the SQL injection, then tested again on the website and was not blocked.
I then went to Attack Signatures > Policy Signatures > Overrides on Parameters : Signatures with Overrides. I see the signature "SQL-INJ expressions like "or 1=1" (3)" ID = 200002147.

I selected the yellow light bulb next to signature name then deleted the parameter names in the list.
Attempted the same injection with the login box and was not blocked.
I confirmed the signature is set to : Learn (Yes), Alarm (Yes) and Block (Yes) under Attack Signatures > Policy Signatures.

What am I missing?

For point # 2:
My policy is set as follows:
Enforcement mode = Block
Staging-Tightening Period = 7 Days (This is where the new URLs, parameters etc. will be learnt?)
Enable Signature Staging = Not selected

Is manual policy building not an "always on" feature that will report back?
I do use it.
I even tried to change the Policy Attack Signature Set from "Learn, Alarm and Block" to "Alarm and Block" only and it still didn't block the attack.

OK, I got it to work by re-creating the parameters I deleted from parameter names in the list mentioned earlier.
BUT if that was the wrong approach then what is the correct approach to undo the "learning" ?

I've also rolled back the policy to a working state before I started the testing.

I've now "learnt" the attack on the parameters again, which has now disabled the SQL-INJ signature on the two parameters, but how do I undo it now to ensure the signature will block the attack on the two parameters currently overridden?
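As an added illustration (not F5's code; the regex below is a simplified stand-in for the "or 1=1" signature the thread mentions, and `check_request` is a constructed model), this shows why learning a violation on the two login parameters adds a per-parameter override that silences the signature for those parameters only, and why deleting the override brings blocking back:

```python
import re

# Constructed, simplified stand-in for the "SQL-INJ expressions like 'or 1=1'"
# signature: an OR followed by a tautology such as 1=1 or '1' = '1'.
SQLI_OR_TAUTOLOGY = re.compile(
    r"""(?i)\bor\b\s*['"]?\s*(\w+)\s*['"]?\s*=\s*['"]?\s*\1\b"""
)


def check_request(params, overrides, blocking=True):
    """Model of a WAF signature check over request parameters.

    params    : dict of parameter name -> submitted value
    overrides : set of parameter names on which the signature is overridden
                (what "learning" the violation on a parameter adds)
    blocking  : True models enforcement mode Block; False models Alarm only

    Returns (action, names_that_matched). A parameter with an override is
    never inspected by this signature, so the same value passes on it.
    """
    hits = []
    for name, value in params.items():
        if name in overrides:
            continue  # signature disabled on this parameter: no check at all
        if SQLI_OR_TAUTOLOGY.search(value):
            hits.append(name)
    if not hits:
        return "pass", hits
    return ("block" if blocking else "alarm"), hits


# Constructed login submission, same values as the test described in the thread.
LOGIN_ATTEMPT = {"username": "1' or '1' = '1", "password": "1' or '1' = '1"}


def scenario(overrides, blocking=True):
    """Run the login attempt under a given override set; returns the action."""
    return check_request(LOGIN_ATTEMPT, overrides, blocking)[0]
```

With an empty override set the request is blocked; after "learning" both parameters (`{"username", "password"}`) it passes; removing the overrides restores the block, which is the behaviour observed in the thread.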
