Forum Discussion

Javier_124486
Dec 16, 2015
Solved

ASM policy building: How to reduce the amount of entities learned?

Hi, I have been working with a new policy for a couple of days. Mostly it was created using RTPB and the policy type set to custom. My idea was to create a positive security policy that includes every single URL, parameter (and their length), meta characters allowed within those parameters in URL, and file types. I might have been a little ambitious this time because after two days of learning, with "add all entities" enabled and all traffic trusted (it was limited to the VLAN where developers tested the app features), I have more than 2000 parameters (even with some wildcards to limit it) and around 300 URLs (again, some of them are wildcards). Today I changed the approach and re-enabled the learning mode with "Collapse to one entity" after 2 occurrences happen. As I expected it's creating wildcard entities and working amazingly fine (and not removing the specific ones, also expected). But this leads me to 3 questions (I am going to abuse a little bit and use the same post for 3 different queries :).

 

First, if the parameters match both the exact parameter and the wildcard, I am going to assume that the wildcard feature (meta-characters allowed, attack signatures, etc.) will be executed and the exact parameter definition will never be used. (Or is this like VS precedence, and the specific ones are chosen first?)

 

Second, does having two different ways to define an entity impact performance/resources or not? (It's a table with records at the core of ASM.) E.g. "testing_parameter" and "testing_*"

 

Third, I used to work with network firewalls and one of the most interesting features was to identify the occurrences or matching rate for any rule. So if you want to delete/improve your security policy to improve performance by reducing the amount of rules you have, you can start working with that (like ). Is there any way to review, after a couple of weeks (when we have enough traffic to decide), which entities were not used because traffic hits wildcard ones?

 

Thanks a lot in advance and apologies for any typo!!

 

  • As far as I know...

    First> No, if you have an exact entity and also a wildcard that matches that entity, the explicit one will be used, not the wildcard.

    Second> If I am right with the first answer then no, it will not impact performance since the wildcard entity is not used, unless you have thousands of wildcard entities, since ASM uses memory to store all it can...

    You can easily check this: create a test parameter and a test wildcard parameter matching it. Use different settings, let's say turn off the Attack Signature check on the explicit parameter and turn it on on the wildcard. Try to generate an attack, for example add
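The check proposed in this answer (an explicit parameter with signatures off beside a wildcard with signatures on) and the third question above (finding entities that traffic never reaches) can both be modelled offline. The following Python script is an added example written for this page; it is not F5 code and not the poster's. It assumes that an explicit entity wins over any wildcard (as the answer states), that wildcard names are glob-style patterns, and that among several matching wildcards the one with the most literal characters is chosen. The policy entries (built around the thread's "testing_parameter" / "testing_*" pair) and the request lines are constructed.

```python
"""Offline model of ASM parameter-entity matching and per-entity hit counting.

Added example, not F5 code. Assumptions: explicit entities beat wildcards
(as stated in the thread); wildcard names are glob-style (* and ?); among
several matching wildcards the one with the most literal characters wins.
"""
from collections import Counter
from fnmatch import fnmatchcase
from urllib.parse import parse_qs, urlsplit

# Constructed policy. Each entity records whether attack-signature checking
# is enabled on it, mirroring the test suggested in the answer.
POLICY_PARAMETERS = [
    {"name": "testing_parameter", "wildcard": False, "signatures": False},
    {"name": "testing_*",         "wildcard": True,  "signatures": True},
    {"name": "session_id",        "wildcard": False, "signatures": True},
    {"name": "legacy_token",      "wildcard": False, "signatures": True},
    {"name": "*",                 "wildcard": True,  "signatures": True},
]

# Constructed request lines standing in for a traffic capture or log export.
REQUESTS = [
    "GET /app/login?testing_parameter=1&session_id=abc HTTP/1.1",
    "GET /app/search?testing_query=foo HTTP/1.1",
    "POST /app/submit?testing_parameter=2&other=3 HTTP/1.1",
]


def match_parameter(name, policy=POLICY_PARAMETERS):
    """Return the entity that governs parameter `name`, or None."""
    for entity in policy:
        if not entity["wildcard"] and entity["name"] == name:
            return entity  # explicit entity wins outright
    candidates = [e for e in policy
                  if e["wildcard"] and fnmatchcase(name, e["name"])]
    if not candidates:
        return None
    # Assumption: the wildcard with the most literal characters is most specific.
    return max(candidates,
               key=lambda e: len(e["name"].replace("*", "").replace("?", "")))


def signatures_checked(name, policy=POLICY_PARAMETERS):
    """True if attack signatures would be checked on `name` under `policy`."""
    entity = match_parameter(name, policy)
    return entity is not None and entity["signatures"]


def parameter_names(request_line):
    """Query-string parameter names from a line like 'GET /p?a=1 HTTP/1.1'."""
    target = request_line.split()[1]
    return list(parse_qs(urlsplit(target).query, keep_blank_values=True))


def entity_hits(requests, policy=POLICY_PARAMETERS):
    """Count, per entity, how many request parameters it was chosen for."""
    hits = Counter({e["name"]: 0 for e in policy})
    for line in requests:
        for name in parameter_names(line):
            entity = match_parameter(name, policy)
            if entity is not None:
                hits[entity["name"]] += 1
    return hits


def unused_entities(requests, policy=POLICY_PARAMETERS):
    """Entities never chosen as the match: candidates for manual cleanup."""
    hits = entity_hits(requests, policy)
    return [e["name"] for e in policy if hits[e["name"]] == 0]


if __name__ == "__main__":
    for name, count in entity_hits(REQUESTS).items():
        print(f"{name:20} hits={count}")
    print("never matched:", unused_entities(REQUESTS))
```

Run as-is, the script shows "testing_parameter" taking both of its requests away from "testing_*" (so signatures are not checked on it, exactly the behaviour the answer's test would expose), and reports "legacy_token" as never matched. Against a real policy you would feed it the exported parameter names and a request log instead of the constructed lists; a zero hit count is the shortlist for the manual cleanup the thread ends up recommending.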

2 Replies


    • Javier_124486
      Thanks Mr. Katic, fair enough. It makes complete sense to match the specific one rather than the wildcard (I was thinking of network-layer firewalls). Before you replied I tested with some SQL instructions and you are right, the specific ones were chosen. About the "cleaning" process of the policy I might have to accept that it has to be done manually using the parameters section...well, once I accept it I will start with it. Thanks and have a good day!