12/27/2012 by Riddlerman
Trying to determine the best approach forward with APB.
Using the Automatic policy building to learn the site.
1) How can I undo (un-learn) a recommendation after having chosen to "learn" the violation?
--From what I understand, the "learn" option basically tells ASM to accept the content?
2) The web site has over 900 URLs, 200 parameters and 19 filetypes. If I turn off (disable) the APB feature, what will happen to the user experience when a new URL is accessed or a new parameter/file-type is attempted?
-- I'm guessing the user is going to receive the STD F5 error response page? (STD because I haven't modified it)
Version: BIG-IP 10.2.0 Build 1789.0 Hotfix HF2
OK, I got it to work by re-creating the parameters I deleted from parameter names in the list mentioned earlier.
BUT if that was the wrong approach then what is the correct approach to undo the "learning" ?
I've also rolled back the policy to a working state before I started the testing.
I've now "learnt" the attack on the parameters again, which has now disabled the SQL-INJ signature on the two parameters, but how do I undo it now to ensure the signature will block the attack on the two parameters currently overridden?