ASM - Understanding why "Attack Signature Detected" did not block the access
Env: LTM 11.5.2; Context: Web application
We have an ASM security policy configured and applied to a VIP; the policy is in blocking mode, not transparent; all signatures have "Enforced" = "Yes". Policy Building is off for the policy.
Under those circumstances, if the WAF detects an attack signature, why would it not block the request? See attached picture - in our Event Log, we have many many accesses that were allowed, but for which it noted an attack signature detected, and offers to learn it. I thought by explicitly enabling the signatures, and not being in policy building mode, it would be enforced -- no?
What steps can we take to ensure that all signatures are enforced in a way that blocks accesses?
Thank you.
Does it ignore the "Block" setting if "Learn" is also yes? That seems counter-intuitive - if I say I want it blocked, I want it blocked, no ifs/ands/buts. ??
- rob_carr
Cirrocumulus
Setting the learn flag does not disable the block flag.
Hmm ... I may have figured it out. Our screen at "Security ›› Application Security : Attack Signatures : Attack Signatures Configuration" appears as follows:
Does that mean that all the signatures not in those two assigned signature sets will not be enforced? And to enforce them immediately (e.g. for the SQL injection set), I move the set to the list and make sure "Block" is checked? I don't want to turn off signature staging (because it would affect new signatures from updates, I would think - for which I DO want a staging interval) - once I've tested, how do I immediately move the newly added signatures from staging to "active"?
thx
- Abdessamad1
Cirrostratus
Could you check the following?
- Go to Application Security : Attack Signatures : Attack Signatures List
Make sure that the "Block" and "Enabled" flags of the signatures are set to "Yes".
- Go to Application Security : Policy Building : Enforcement Readiness
Make sure all signatures are enforced.