Forum Discussion

Aurel's avatar
Aurel
Icon for Cirrus rankCirrus
Dec 18, 2019

Ignore value versus Apply content signatures

Hello,

Facing unknown content blocked by ASM, i would like to compare 2 options to set an exception.

 

First one : Set the Content-type header and set Request Body Handling with "Apply content signatures" or "Apply value and content signatures".

 

Second one : Set the Parameter value type to "Ignore Value" on the URL level wildcard parameter.

Reading the help information is giving different information.

 

"Apply value and content signatures" => scans content for value and full-content attack signatures without attempting to parse it or extract parameters.

 

"Ignore Value" => the system does not perform validity checks on the value of the parameter. Regarding signatures, the system does not perform parameter-based signature checks on the value of this parameter.

 

any though is much welcome.

Regards

Aurel

ASM Advanced WAF
security

2 Replies

Sort By
  • Samir's avatar
    Samir
    Icon for MVP rankMVP
    Feb 16, 2020

    It depends on type of application hosted on ASM. But ignore value (2nd option) will be better then first one.

    Best way go through traffic learning event logs​ and analyze it.

    • Aurel's avatar
      Aurel
      Icon for Cirrus rankCirrus
      Mar 03, 2020

      Hi,

      thanks for your comment. But can you elaborate on why "ignore value" would be the best option ?

      Trying to count "Parameter based" signatures, i am getting the 1/3 ratio versus all signatures. Meaning that removing them would remove around 1/3 of the attack signatures.

      I can't unfortunately identify what is called "Content signatures" to compare any proportion, and mostly to conclude about each security tradeoff more accurate score.