Forum Discussion

gowenfawr's avatar
gowenfawr
Icon for Nimbostratus rankNimbostratus
Aug 14, 2012

ASM - Traffic Learning seems to be one way?

The ASM spectrum of transparent/learning/staging/blocking has been very problematic for me. It seems as if there are many hoops to jump through before traffic will be blocked, and quite often it won't block and I don't know why.

 

 

Correspondingly, I switched over to "Manual" Policy Building to get more control of the process. If I scan my site with a vulnerability scanner, I get two score signatures that show up under "Traffic Learning". My options appear to be:

 

 

 

Disable, Disable on parameters - If I understand correctly, this will tune the rule as a false positive.

 

Clear - This will remove the violation from the list, but it'll come right back the next time such traffic goes past.

 

 

 

There's no way to confirm, enable, affirm, whatever. I can't say "Yes, in fact, /WEB-INF/ is bad and don't ask to learn it because it's bad. Never going to be good. Not on the entry list. Make it go away and don't bother me about it."

 

 

 

I don't even know why they keep popping up because I unchecked 'Learn' from all of Policy->Blocking->Settings.

 

 

 

So, specific question: "Isn't there a way to say hey, that thing you were suspicious of, you were right, go to town on it?"

 

 

 

General question: "Any pointers for a holistic view of how the spectrum of learning to enforcing works with ASM?"

 

 

 

Any help appreciated!

 

 

 

Thanks,

 

Greg

 

 

 

P.S. My vuln scanner is Rapid7 and not supported for "Vulnerability Assessments," thus I'm "tuning" by hand.

 

  • Hi Greg,

     

     

    For some policy components (file types, URLs and flows), you can ignore individual learning suggestions:

     

     

     

    ASM | Policy Building | Ignored Entities

     

     

    This screen displays the number of ignored security policy entities for the current edited security policy selected.

     

     

    You can create an ignored entity by deleting file types, URLs, or flows from the Learning tables. The system ignores these deleted items and does not generate learning suggestions for them.

     

     

     

    You cannot currently disable learning for a specific attack signature. You should be able to disable learning suggestions for all signatures in a signature set though. If you wanted to tinker a bit, you could move the attack sig(s) you never want to get learning for into a separate attack sig set with learning disabled.

     

     

    The ASM config guide goes over policy building using the Learning tool:

     

     

    Manual Chapter: Refining the Security Policy Using Learning

     

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-2-0/asm_learning.html

     

     

    Aaron