Forum Discussion

Dave_S_183930's avatar
Dave_S_183930
Icon for Nimbostratus rankNimbostratus
Jan 23, 2015

ASM Signature Blocking, but not Enabled?

So I get a user ticket that says the user was blocked on the Application dir Access (\manage) signature. When I go to disable this attack signature on the parameter, it's not listed in the Global Security Policy Settings....So after some investigation I went to Manual Traffic Learning and found this signature listed, but not enforced yet...

 

So my question is how did this user get blocked on a signature that hadn't been enforced or enabled yet? Granted the Policy itself is in Blocking Mode....???

 

Another Question is why did this signature not appear in the Global Security Policy Settings..??

 

ASM Advanced WAF
blocking
enforced
management
security
signature

3 Replies

Sort By
  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Jan 23, 2015

    firstly, that attack signature is a URI one in scope so you won't be able to assign it to a parameter.

     

    Secondly, what I suspect is the signature is enabled and the traffic learning is just identifying that it's been triggered and you can now make an exception if required. In this case you might only be able to disable it on the policy? Or does the learning suggestion mention how to allow this, possible a URL parameter instead?

     

    Do you see the signature in Application Security - Attack Signatures - Attack Signature List? Filter on 200000011.

     

    Hope this helps,

     

    N

     

  • Dave_S_183930's avatar
    Dave_S_183930
    Icon for Nimbostratus rankNimbostratus
    Jan 23, 2015

    Yes I was able to disable it on the policy. So I think we are good. So it was because the attack signature was a URI based one....that is why it didn't show up? Yes I did see it in the list...