Learning option for attack signatures

Question

Hi;&nbsp;
Under Application Security&gt; Blocking &gt; settings, why is there a learning flag option for Attack Signatures. I mean what is there to be learnt since attack signatures are knows through the Attack Signature file downloaded from F5.&nbsp;
Kindly
Wasfi&nbsp;

nathe · Answer

Wasfi, by enabling the Learn flag it means any violations of an attack signature will generate a log in Manual Traffic Learning. That way you can more easily identify any false positives and make the necessary policy changes. &nbsp;
Without Learning then you only have the violation logs in Requests and you have to unpick the reason for the violation manually.&nbsp;
Hope this helps,&nbsp;
N&nbsp;

nolipineda · Answer

Gives us the option to learn and have the ability to stage application behaviour against known signatures?

refra_151287 · Answer

If you got blocked at the blocking mode regarding specific attack signature, this option will put this attack signature at the manual traffic learning page, and see if it's a false positive attack you can learn it, so ASM will not block it again.

wasfi_182818 · Answer

Thank you Refra. Although you don't event need to be in blocking mode for the signature to show under manual traffic learning. You could be in transparent mode and it will show under manual traffic learning. You need to be outside the enforcement readiness period.

Forum Discussion

Learning option for attack signatures

4 Replies

Recent Discussions

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Related Content

Community Learning Path: Multi-Cloud Networking

F5 Distributed Cloud - Customer Edge Site - Deployment & Routing Options

Kubernetes architecture options with F5 Distributed Cloud Services

F5 BIG-IP deployment with OpenShift - platform and networking options

Cisco ACI Endpoint Learning with a BIG-IP HA Failover