jwhitene
Dec 14, 2017

First time ASM set up on web site, thousands of suggestions.

Web person here, working with our Network staff to set up the ASM.

We are setting up ASM for the first time on our web site. It has a million'ish hits a month or so. We enabled learning mode, and it 'flagged' (or whatever the term is) basically every single web call to the server. Do we really need to manually click through each of them and hit 'Accept Suggestion'?

The first time we tried it, every URL like , etc., with valueX being 10,000+ different values, was flagged as something we needed to accept or reject. The network staff reduced this volume using wildcards in place of the valueX. But still, we are left with about 1,000+ suggestions.

And those suggestions are so basic to how the web works, I'm just very confused why the system is designed this way. For instance, it wants me to approve or deny .html files... on a web server. Same with .css, .js, etc.

I was under the assumption that when we created the Policy, and 'configured attack signatures', selecting the web server type, the database type, the languages used, etc., that the learning mode would understand that this is a web server of type X, and default allow many of the simple things, like serving a css file.

Am I missing the theory behind what is happening here? Did we do something incorrect in the setup? Because right now, it feels like it will be close to impossible to manage this in a dynamic environment with code/files changing all the time. Not to mention the initial setup of having to accept thousands of items.

1 Reply

  • In ASM, you've two options: wildcard or specific/very specific. If you just want to rely on ASM signatures, wild entries should be sufficient. In my opinion, it all depends on how granular you want to configure it.
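
An added illustration of the wildcard-versus-specific trade-off discussed in this thread (not code from either poster or from F5, and it does not talk to ASM): a Python script that takes request URLs from your own access logs and compares how many explicit URL entries the traffic implies against how many remain once high-cardinality path positions are replaced by `*`. The function names, the `threshold` value, the `*` notation and the sample URLs are assumptions made for the example.

```python
from collections import Counter, defaultdict
from posixpath import splitext
from urllib.parse import urlsplit

def segments(url):
    """Path segments only; the query string is dropped."""
    return tuple(s for s in urlsplit(url).path.split("/") if s)

def collapse(paths, threshold):
    """Replace a path position with '*' (keeping any file extension) when more
    than `threshold` distinct values appear there under the same parent."""
    out, groups = set(), defaultdict(list)
    for p in paths:
        if p:
            groups[p[0]].append(p[1:])
        else:
            out.add(())
    if len(groups) > threshold:
        merged = defaultdict(list)
        for head, rests in groups.items():
            merged["*" + splitext(head)[1]].extend(rests)
        groups = merged
    for head, rests in groups.items():
        out.update((head,) + tail for tail in collapse(rests, threshold))
    return out

def summarize(urls, threshold=5):
    """Count explicit paths, candidate wildcard entries and file types seen."""
    paths = {segments(u) for u in urls}
    wild = sorted("/" + "/".join(p) for p in collapse(paths, threshold))
    types = Counter(
        splitext(p[-1])[1].lstrip(".").lower() or "no_ext" for p in paths if p
    )
    return {"explicit": len(paths), "wildcard": wild, "file_types": dict(types)}

# Constructed sample traffic (not from the original post).
SAMPLE = [f"/products/{i}/detail.html?ref=home" for i in range(1, 8)] + [
    "/index.html", "/css/site.css", "/js/app.js", "/about/team.html",
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(f"explicit URL entries: {report['explicit']}")
    print(f"wildcard URL entries: {len(report['wildcard'])}")
    for url in report["wildcard"]:
        print("  ", url)
    print("file types:", report["file_types"])
```

Raising `threshold` keeps more entries specific; lowering it pushes the result toward a handful of wildcard entries.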