I'm sorry to be so dense, Eric Novak, but maybe explaining it in our situation would help. We have the wildcard entity (*) defined for URLs and file types in our base policy for all apps. At some point in the future, we may tighten policy with more specific wildcards or explicit entities, but for now we want them learned for future use. For wildcard URLs, we likely would never go beyond 2nd level directories, probably not past the first level. Right now, we have Learn All Entities set and we have hundreds of learning suggestions with hundreds to thousands of occurrences of some entities. In the URL learning, for example, how would changing it to Selective or Never Learn change the amount of information presented in Traffic Learning?
As a side note, the reason we're looking at this is because attack signature learning is rolling off too quickly leaving us with all zeroes in the Recent Incident and Incident columns even if an attack sig violation occurred the previous day. We theorize that the learning suggestions for the wildcards is causing this info to roll-off even though they are still in local logs (we only log request violations).
cdjac0bsen - with Never, entities are never learned, so all URLs and File Types will match the wildcard and no learning entries will be identified.
With Selective - this is the halfway house between Add All Entities and Never. Basically, if a violation occurs on a file type and you deem it to be a false positive, for example, ASM will learn the particular entity and recommend adding this to the policy and making the relevant policy change to allow the false positive. This could be allowing or disallowing a metacharacter, for example. This saves you loosening the policy on the wildcard. So you get fewer learning entries with Selective.
Hope this helps,
When you say "if you deem it to be a false positive", I don't understand that distinction. The ASM doesn't know what I consider to be a false positive when it adds that entity to the Traffic Learning list. Either it adds an entity to that list or it doesn't, right? In the case of URLs it could change the degree of explicitness I suppose. I need a good illustration of how violations will be treated in Traffic Learning between Learn All and Selective.
Sorry, you're right, ASM won't know. What I mean is, if it is a false positive and you want to add the learning suggestion, rather than enable it on the wildcard, with Selective it will suggest you enable it on the entity itself instead.
Won't Add All suggest you enable it on the entity itself as well? I'm really trying to get at how Add All is different from Selective, especially when it comes to URLs.