Forum Discussion

tiwang's avatar
tiwang
Icon for Nimbostratus rankNimbostratus
Jun 14, 2013

Enforce Attack Signature in ASM

Hi out there

 

I have a problem which might be pretty simple - and probably caused by insufficent knowledge of the system - but - I have a couple of F5's where I have had a security policy running now for a week in the automatic policy building mode and now I wnat to enforce the suggestions. There is f.ex a signature of type SQL Inject which I want to enforce immidiately. When I go into the "Attack signaturs detect I can select the signture to the left and on the right in action I have the possibility to either "Disable on parameters" or "Disable" - and the online help page isn't to much help here ( or maybe it is because as far as I can see there is that on this page I can disable the attack signature - but nothing mentioned about enforcing it?)

 

Am I completely wrong here - If I want to immediately enforce a given set of signatures - how is this done?

 

 

besst regards /ti

 

config
design

2 Replies

Sort By
  • Martijn_65080's avatar
    Martijn_65080
    Icon for Cirrus rankCirrus
    Aug 19, 2013

    I think the Signature is already enforced when you have the policy set to blocking.

     

    The page you mention allows you to disable the Sig or disable the Sig on parameters, but actually says that traffic hitting the signature has already been detected. This is probably so due to the fact the policy is still in learning/staging mode and ASM will allow you to change the settings for signatures that have already been detected.

     

    So depending on the policy being set to blocking or transparant this sig will be blocked already.

     

    Regards,

     

    Martijn

     

  • ltwagnon's avatar
    ltwagnon
    Ret. Employee
    Mar 25, 2014

    If you select "Disable on parameters" or even "Disable" then you will be disabling the attack signature for either that specific parameter or the entire security policy. So, if you want to enforce the attack signatures, then you should not select the "Disable" option. Also, don't forget that you need to make sure the Blocking Settings are configured to "block" on the "Attack Signature Detected" setting. You can check all the Blocking Settings by going to Security >> Application Security >> Blocking >> Settings. One last thing...the attack signatures cannot be in Signature Staging if you want them to block. Even if you check the "block" option, they won't block if they are in Staging mode.