Forum Discussion
ASM IP Exceptions
- Jul 02, 2020
Hello Crowe,
- Is your IP Intelligence database updated periodically?
- In what IP Intelligence category do you have false positives? Only in one, or in several? If in one, then maybe you can just disable this category.
- Learning works in any mode (Transparent or Blocking). You should see learning suggestions on "Security ›› Application Security : Policy Building : Traffic Learning" page.
Thanks, Ivan
- Hello, the category that seems to be blocking the valid traffic is "Botnets". Would you still recommend removing that category, or would I make adjustments in the policy learning section?
- Ivan_Chernenkii, Jul 01, 2020, Employee
Hello Crowe,
Image is not available...
If these are different IP addresses, but from the same subnet, then you can just add this subnet into Application Security : IP Addresses : IP Address Exceptions and Ignore IP Intelligence for it.
If these are totally different IP addresses, but all of them are valid - it sounds strange to me, but in this case you can disable the whole category, rather than adding them one by one as exceptions via learning.
If neither case works for you, then yes - proceed through the learning.
Thanks, Ivan
- crowe, Jul 01, 2020, Cirrus
It is strange indeed as it is always different public IP addresses being blocked, that is why we have ended up with three pages of /32 addresses in the IP exceptions list. Yesterday was the first day in two weeks since I have received a block, I'll give it more time to see if they are consistently the same category. Thank you.
The image was just the details of what I'm seeing in ASM logs regarding the latest block.
- crowe, Jul 01, 2020, Cirrus
Unfortunately, the false positives are coming in under different categories. I just got a new one that is "Windows Exploits - Scanners".
- Ivan_Chernenkii, Jul 02, 2020, Employee
Yes, it really looks strange...
- Are you sure that all detected malicious IPs are false positives?
- Do you have any malicious IP which is blocked correctly?
- Why was it suggested to enable malicious IP detection? What was the reason?
If there was no exact reason and you didn't get any real malicious IP for a long time, then I suggest disabling the Block flag for the violation (leave the Alarm flag enabled for monitoring), or at least disabling the Block flag for each category that produces false positives.
Thanks, Ivan
- crowe, Jul 02, 2020, Cirrus
1. The IPs being blocked are in fact showing reputations, so I guess I would have to say they are being blocked appropriately if I thought about it. I say they are valid connections because it's one of our consultants emailing that they are being blocked. We have over 60k consultants though, so maybe it's the case that when it was set up, malicious detection should not have been enabled.
2. As stated above, they are flagged by BrightCloud, so they are actually being blocked correctly according to our policy.
3. No one is left that was involved; the only thing I am aware of is we were having trouble with bots and SQL injection attempts. I am not aware that we needed the malicious setting enabled, I was just trying to leave as much security in place as I could but make it work the best way possible.
With that said, I am going to disable the malicious blocking and see how things go. I am new to ASM and I wasn't aware how much learning/tweaking is really possible if BrightCloud is detecting an issue...
If I leave the malicious blocking disabled, what is the best method or view in ASM to monitor to know if it's becoming an actual issue in the future?
Thank you again in advance for walking through this, it was handed to me by default and I am working on getting into some ASM training to help make sure things are correct.
- Ivan_Chernenkii, Jul 02, 2020, Employee
You need to leave Alarm enabled for malicious IP - in such case you will have ability to monitor how it works and detect (but not prevent) possible attack
- crowe, Jul 02, 2020, Cirrus
Thank you, that is what I have done.
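Two things the thread leaves to the reader: how to tell whether a growing list of /32 IP Address Exceptions could be collapsed into a subnet entry (Ivan's first suggestion), and how to keep an eye on Alarm-only IP Intelligence hits once Block is turned off (crowe's last question). The script below is an added example, not code from this thread or from F5. It works over a few constructed log records in a simplified key=value shape; the field names `src_ip`, `ipi_category` and `action` are assumptions, since real ASM remote-logging output depends on the logging profile, so the parser would need adjusting to match your own format.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample records (documentation address ranges), NOT real ASM output.
# Field names are assumed for this example; adapt parse_line() to your profile.
LOG_LINES = [
    '2020-07-02T09:12:01Z src_ip=203.0.113.7 ipi_category=Botnets action=alarm',
    '2020-07-02T09:15:44Z src_ip=203.0.113.9 ipi_category=Botnets action=alarm',
    '2020-07-02T09:20:10Z src_ip=198.51.100.23 ipi_category="Windows Exploits - Scanners" action=alarm',
    '2020-07-02T09:31:07Z src_ip=203.0.113.40 ipi_category=Botnets action=alarm',
    '2020-07-02T09:45:58Z src_ip=192.0.2.77 ipi_category=Botnets action=block',
]

# Constructed stand-in for the policy's existing IP Address Exceptions list.
EXISTING_EXCEPTIONS = ["203.0.113.7/32", "192.0.2.0/24"]

# key=value pairs; a value may be double-quoted when it contains spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value fields of one record as a dict."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def count_by_category(records):
    """How many hits each IP Intelligence category produced (Alarm or Block)."""
    return Counter(r["ipi_category"] for r in records)


def candidate_subnets(records, prefixlen=24, min_addresses=2):
    """Networks of the given prefix length that contain at least
    min_addresses distinct source IPs from the records, i.e. places where a
    single subnet exception could replace several /32 entries."""
    by_net = defaultdict(set)
    for r in records:
        ip = ipaddress.ip_address(r["src_ip"])
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        by_net[net].add(ip)
    return [str(net) for net in sorted(by_net)
            if len(by_net[net]) >= min_addresses]


def not_yet_excepted(records, exceptions):
    """Source IPs (in first-seen order) that no existing exception covers,
    which is the set still worth reviewing after Block is switched off."""
    nets = [ipaddress.ip_network(e, strict=False) for e in exceptions]
    seen = []
    for r in records:
        ip = ipaddress.ip_address(r["src_ip"])
        if str(ip) not in seen and not any(ip in n for n in nets):
            seen.append(str(ip))
    return seen


if __name__ == "__main__":
    recs = [parse_line(line) for line in LOG_LINES]
    print("hits per category:", dict(count_by_category(recs)))
    print("subnets with several hits:", candidate_subnets(recs))
    print("IPs not covered by exceptions:", not_yet_excepted(recs, EXISTING_EXCEPTIONS))
```

Run it against an export of your Alarm-only IP Intelligence events on a schedule; a category whose count jumps, or a subnet that keeps appearing with new addresses, is the signal that the blocking decision deserves another look, while the uncovered-IP list tells you which entries the exception list still lacks.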