daboochmeister
Aug 30, 2018

ASM - Understanding why "Attack Signature Detected" did not block the access

Env: LTM 11.5.2; Context: Web application

 

We have an ASM security policy configured and applied to a VIP; the policy is in blocking mode, not transparent; all signatures have "Enforced" = "Yes". Policy Building is off for the policy.

 

Under those circumstances, if the WAF detects an attack signature, why would it not block the request? See attached picture - in our Event Log, we have many, many accesses that were allowed, but for which it noted an attack signature detected, and offers to learn it. I thought by explicitly enabling the signatures, and not being in policy building mode, it would be enforced -- no?

 

What steps can we take to ensure that all signatures are enforced in a way that blocks accesses?

 

 

Thank you.

 

4 Replies

  • Does it ignore the "Block" setting if "Learn" is also yes? That seems counter-intuitive - if I say I want it blocked, I want it blocked, no ifs/ands/buts. ??

     

  • Hmm ... I may have figured it out. Our screen at "Security ›› Application Security : Attack Signatures : Attack Signatures Configuration" appears as follows:

     

     

    Does that mean that all the signatures not in those two assigned signature sets will not be enforced? And to enforce them immediately (e.g. for the SQL injection set), I move the set to the list and make sure "Block" is checked? I don't want to turn off signature staging (because it would affect new signatures from updates, I would think - for which I DO want a staging interval) - once I've tested, how do I immediately move the newly added signatures from staging to "active"?

     

    thx

     

  • Could you check the following?

     

    • Go to Application Security : Attack Signatures : Attack Signatures List

    Make sure that the "Block" and "Enabled" flags of the signatures are set to "Yes".

     

    • Go to Application Security : Policy Building : Enforcement Readiness

    Make sure all signatures are enforced.