Forum Discussion

Mister_C's avatar
Mister_C
Icon for Nimbostratus rankNimbostratus
Sep 09, 2015

Disable an attack signature

I'm in need of a solution that will allow me to disable specific attack signature (200003031) per WAF policy without impacting the remaining WAF policies that utilize attack signature: 200003031.

 

Also the current WAF policy is currently set to NOT block for "ASM Cookie Hijacking". Its only set to LEARN and ALERT.

 

Not sure why the support ID revealed that attack signature 200003031 was violated (if blocking was NOT checked).

 

Any help and or explanation on this would be greatly appreciated.

 

3 Replies

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus

    Mister C,

     

    If, within the GUI you can disable Attack Signatures from the policy itself, and this won't affect other policies that have the signature in its database. Open your policy and go to Application Security - Attack Signatures - Attack Signatures list. Search for the signature and click on it. Uncheck the Enabled box. Apply Policy.

     

    On a seperate note, an Attack signature being triggered is different from other violations, say ASM cookie highjacking. Both violation types have their own Learn, alarm and blocking settings.

     

    Hope this helps,

     

    N

     

  • Thanks.

     

    I disabled the signature earlier this morning and all seems to be working without impacting the other policies.

     

    • nathe's avatar
      nathe
      Icon for Cirrocumulus rankCirrocumulus
      Good news. thanks for updating the post