Forum Discussion

ghost-rider_124's avatar
ghost-rider_124
Icon for Nimbostratus rankNimbostratus
Jun 24, 2014
Solved

ASM Learning Fine Tuning (illegal meta characters in value)

Hello Experts

 

My ASM policy is in transparent mode and configured as manually that is through wildcards for URL, Parameters and file types.

 

I am getting violations "illegal meta characters in value". Attached is snapshot.

 

1- How to fine tune this? 2- If I accept learning suggestions, these illegal meta characters would be accepted for wildcard parameters or particular learned parameters? Because in violations, it is not mentioning "which parameter" got "illegal meta character in value" 3- What does it means "Disallowed" and "Allowed"? 4- Also if I go to meta character settings under any particular learned parameter or wildcard parameter, there is something Global policy settings for meta character, From where this settings came?

 

Regards,

 

GR

 

ASM Advanced WAF
deployment
security
  • Vitaliy_Savrans's avatar
    Vitaliy_Savrans
    Jun 24, 2014

    Hi,

     

    1. You must decide wich meta characters is allowed for the parameters.
    2. If you accept suggestion for wildcard parameters illegal meta characters would be accepted for all parameters but not for particular learned parameters.
    3. Allowed: Specifies that the character or meta character can occur in parameter values. Disallowed: Specifies that the character or meta character can not occur in parameter values.
    4. This settings came from /Security/Application Security/Parameters/Characters Sets

12 Replies

Sort By
  • Vitaliy_Savrans's avatar
    Vitaliy_Savrans
    Icon for Nacreous rankNacreous
    Jun 24, 2014

    Hi,

     

    1. You must decide wich meta characters is allowed for the parameters.
    2. If you accept suggestion for wildcard parameters illegal meta characters would be accepted for all parameters but not for particular learned parameters.
    3. Allowed: Specifies that the character or meta character can occur in parameter values. Disallowed: Specifies that the character or meta character can not occur in parameter values.
    4. This settings came from /Security/Application Security/Parameters/Characters Sets
  • ghost-rider_124's avatar
    ghost-rider_124
    Icon for Nimbostratus rankNimbostratus
    Jun 24, 2014

    Hi vitaliy

     

    Thanks for reply.

     

    For point 2, It means ASM will not give you insight which parameter got this violation (illegal meta character in value). If I want to accept this violation only for a particular parameter, how I can do that? Attached is snapshot

     

    Appreciated your reply

     

  • Vitaliy_Savrans's avatar
    Vitaliy_Savrans
    Icon for Nacreous rankNacreous
    Jun 24, 2014

    Do you have any records about violation?

     

    Security ›› Application Security : Policy Building : Violations on Entities : Violations on Parameters

     

  • Vitaliy_Savrans's avatar
    Vitaliy_Savrans
    Icon for Nacreous rankNacreous
    Jun 24, 2014

    you can accept learning suggestion, if you don't see parameter name. I had the same issue and didn't find the way how to get parameter name wich had violation from logs.

     

    • ghost-rider_124's avatar
      ghost-rider_124
      Icon for Nimbostratus rankNimbostratus
      Jun 24, 2014
      Thanks Vitaliy. So it means if I accept this then it will be accepted under wildcard parameter? In case if it is showing the parameter name then what I need to do? Appreciated your reply
    • Vitaliy_Savrans's avatar
      Vitaliy_Savrans
      Icon for Nacreous rankNacreous
      Jun 25, 2014
      Yes, it will be accepted under wildcard parameter. If it's showing the parameter name you can accept learning suggestion and it will work only for that parameter.
    • ghost-rider_124's avatar
      ghost-rider_124
      Icon for Nimbostratus rankNimbostratus
      Jul 16, 2014
      Hi Vitaliy Thanks for your assistance. The last question is in the attached snapshot, what is the action? 1- Allow on entities 2- Allow in parameter value/JSON content/XML content character sets
  • Vitaliy_Savrans's avatar
    Vitaliy_Savrans
    Icon for Nacreous rankNacreous
    Jul 17, 2014

    Hi,

     

    "Allow in parameter value and XML/JSON content character sets" mean if you select this and accept, the system allows this meta character in the security policy’s parameter value character set, XML content character set, JSON content character set.

     

    If you choose "Allow on entities" system allows this meta character only for parameter value that you select.

     

  • MSZ's avatar
    MSZ
    Icon for Nimbostratus rankNimbostratus
    Nov 24, 2015

    If we want to allow some character then we must unblock the "illegal meta character in value" from Blocking --> Setting --> Input violation.

     

    Please suggest.

     

  • SIEM_281457's avatar
    SIEM_281457
    Icon for Nimbostratus rankNimbostratus
    Jul 26, 2016

    I am also getting the same logs in SIEM solution..."Illegal meta character in value" However the device custom string is "filenetservice" and in some case its Exchange asm policy. please suggest me how to finetune this alert.