Forum Discussion

JM_176957's avatar
JM_176957
Icon for Nimbostratus rankNimbostratus
Jul 11, 2017

ASM - disabling or unblocking attack signatures - on active blocking policy

Hi John, I have a query regarding disabling an attack signature on an active blocking policy. we have identified a few attack signatures in an ASM policy is generating false positive blocks in our environment. Although the signature(s) in itself is a valid one, in our environment (traffic between backend servers, yes the policy is protecting at tier two level) this not applicable in our case. Just to want to confirm that the right way to do this policy would be to 'Security ›› Application Security : Attack Signatures : Attack Signatures List" and filter signature id (eg.,200003098) and change properties? This is without using an irule, as my client does not want to use an irule and is fully aware of the fact that signature is turned off for the entire policy. Please advise me on any other approached you would recommend in similar scenarios. Many thanks, Jobi.

 

1 Reply

  • Hi Jobi,

     

    In ASM, you disable an Attack Signature by two ways :

     

    First way, is as you mentioned by doing it globally by editing the ASM policy from " Security ›› Application Security : Attack Signatures" then "Changes Properties"

     

    The second way (not always possible because it will depend on the attack signature itself), is to disable it from the specific entity for example on the "Parameter names" if you have checked your policy to check signature on Parameter Names or Values.

     

    Hope it helps

     

    Regards