Forum Discussion

karthik_F5_3283
Dec 15, 2017

ASM Violations on a URL

Hi, we have every URL like , , etc. with the value range being a different value for every violation. How can we make sure that they don't show up in violations? We have Illegal Method and Attack Signature violations hitting.


1 Reply

1. Illegal Method violation is independent of request paths. It's a policy-wide setting. Look into the request logs and take note of the request body. To give an arbitrary example, a request in the logs could be something like

   PUT www.buy.com/value1

   If you decide (either by yourself or after discussion with application specialists) that the PUT method is required for normal application operation, you should add PUT to the list of allowed methods. Again, this is just an example; you need to look into the logs to figure out which HTTP method caused the violation. If you don't want to see those violations in the logs and you do not wish to block illegal method requests, you can go to Blocking Settings, untick the "alert" and "block" boxes next to the "Illegal Method" violation, and apply the changes. I recommend keeping this violation enabled, with the "block" box ticked at all times.

2. An Attack Signature violation needs to be investigated in the logs. There's zero possibility that any attack detection signature matched because you requested . Therefore the links you provided are irrelevant here. Again, you need to look into the request logs and observe the signatures that were matched. Possibly the request to had a header or cookie which contained malicious data, for example, an attempt to execute a Shellshock attack. Deciding on attack detection signatures is more difficult. If you trust the source, it's best to disable the attack detection signature. If not, you need to wait further and see how frequently these violations trigger, from how many different IPs and from which geographic locations those violating requests arrive, and so on. There's no rule that gives you the correct answer on 100% of occasions. You make a best-effort call based on the data you have/collect.
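An added example (not from this thread and not F5's own code) of the log triage the reply describes: parse ASM-style request-log lines into fields, then tally which methods triggered Illegal Method and, for signature matches, which signatures fired, from how many distinct client IPs and which geolocations. The comma-separated key="value" layout, the field names and the sample lines are constructed assumptions modelled on ASM's remote-logging format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (assumed field names in ASM's key="value" style).
SAMPLE_LOG = '''\
policy_name="/Common/buy_policy",violations="Illegal method",request_status="alarmed",ip_client="203.0.113.10",method="PUT",uri="/value1",sig_names="N/A",geo_location="US"
policy_name="/Common/buy_policy",violations="Illegal method",request_status="alarmed",ip_client="203.0.113.11",method="PUT",uri="/value2",sig_names="N/A",geo_location="US"
policy_name="/Common/buy_policy",violations="Attack signature detected",request_status="blocked",ip_client="198.51.100.7",method="GET",uri="/value3",sig_names="Shellshock (Header)",geo_location="DE"
policy_name="/Common/buy_policy",violations="Attack signature detected",request_status="blocked",ip_client="198.51.100.7",method="GET",uri="/value4",sig_names="Shellshock (Header)",geo_location="DE"
policy_name="/Common/buy_policy",violations="Illegal method,Attack signature detected",request_status="alarmed",ip_client="203.0.113.10",method="DELETE",uri="/value5",sig_names="Shellshock (Header),Test Signature",geo_location="US"
'''

# Match key="value"; the value may contain commas and escaped quotes,
# so splitting the line on commas alone would be wrong.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict of fields."""
    return dict(PAIR_RE.findall(line))


def triage(log_text):
    """Collect what the reply says to look at before changing the policy.

    Returns (methods, signatures): a Counter of HTTP methods behind
    Illegal Method hits, and per matched signature name the hit count,
    the distinct client IPs and the distinct geolocations."""
    methods = Counter()
    sigs = defaultdict(lambda: {"hits": 0, "ips": set(), "geo": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # skip blank or unparseable lines
        viol = rec.get("violations", "")  # may list several violations
        if "Illegal method" in viol:
            methods[rec.get("method", "?")] += 1
        if "Attack signature" in viol:
            for name in rec.get("sig_names", "").split(","):
                name = name.strip()
                if not name or name == "N/A":
                    continue
                entry = sigs[name]
                entry["hits"] += 1
                entry["ips"].add(rec.get("ip_client", "?"))
                entry["geo"].add(rec.get("geo_location", "?"))
    summary = {n: {"hits": e["hits"], "ips": sorted(e["ips"]), "geo": sorted(e["geo"])}
               for n, e in sigs.items()}
    return methods, summary
```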