When I am looking at the Traffic Learning in v12 ASM there are many examples where there are no sample requests so I can't even see the context for the traffic suggestion. (Image below) Is there a way to see the sample traffic? This has happened for more than just illegal meta characters. Any help would be greatly appreciated. Thanks!
Perhaps you have set the violation to "ignore".
For example, if you choose "Ignore Suggestion" for a Traffic Learning entry "Illegal method / HTTP-HEAD", all other illegal method violations will be ignored too, even if they were caused by another illegal HTTP method!
Make sure that the signatures are really enforced, especially after a signature update. New signatures should be in staging. If the signatures apply to parameters, double-check that parameter values are correct and also enforced. If you are having trouble with malicious traffic you should open a support case.
Do you have a logging profile attached to the virtual server? One that logs illegal attempts locally will help a lot.
As boneyard indicates, a logging profile which logs either all requests or illegal requests locally should help you locate requests in Event Logs: Application Requests. If you see items in the request log, but not on the Traffic Learning screen, then you have a different problem. Go to Learning and Blocking settings, and verify if the violations you would like to track have the checkbox for "Learn" selected. If the Learn checkbox is not selected, then you will not see any learning suggestions on the Traffic Learning screen for those violations.
I am using v12.1.2. I created a policy with policy building learning mode auto and F5 didn't generate any recommendation, and I configured the Language application to UTF-8 and the policy building started to show suggestions.
First determine if your logging profile is logging all requests, or illegal requests. For testing, start out by logging all requests. If you are passing traffic, go to Learning and Blocking settings, and then ensure that the "Learn" checkbox is selected for all violations for which you would like to see a learning suggestion. What are the Learn, Block, and Alarm settings for Illegal Metacharacter?
Well, also I am testing some attack signatures with cross-site scripting and ASM detects the attack but doesn't block. I have all signatures out of staging, URLs and parameters out of staging, the policy is in blocking mode with attack signatures with Block enabled, and still ASM doesn't block the attack. Also, I updated all signatures.
What would be the reason when a logging profile is attached and the "Learn" checkbox is selected for all violations and I still do not get events in traffic learning, "No samples found in requests list"?
The logging profile determines if all requests or illegal requests only will appear in Security: Event Logs: Application: Requests. It does not control whether or not learning suggestions will appear on the Traffic Learning screen. If you are not seeing any learning suggestions, it may be because there aren't any violations. Troubleshoot by first verifying that you have selected the correct application language encoding for your security policy, then verify that traffic is actually passing from the client to the virtual server, then verify that you have assigned the correct security policy to the correct virtual server. Also, is it possible that the policy has already generated suggestions and they have either been accepted or ignored? If you send a request, do you see anything in /var/log/asm? The rule of thumb is that ASM is doing exactly what you told it to do...
Part of them do not appear; there are logs in traffic learning but not all. I could not say that I do not get any requests.
For example: 0 sample requests out of 74 that triggered the suggestion from 2017-07-03 17:29:41 until 2017-08-31 15:12:29, and "No samples found in requests list" is shown in the traffic learning window. The only reason I am thinking of is that local storage is not capable of keeping all those logs and it clears when it reaches 2 GB.