Forum Discussion
CirrostratusASM is not giving learning suggestions in v13.1
Hi
I am testing this out for a scenario where learning is not happening.
I am using the lab auction site now :
The description parameter is not added to the parameters list and wildcard is set to staging, and yet asm does not learn anything for this parameter.
The learning mode is selective.
natheCirrocumulus
DavidMas,
I think you're saying that you don't see an Illegal Parameter violation so cannot learn, hence add, this parameter to the policy in the Learning Suggestions? Pls advise if I have misunderstood this.
As there is a wildcard parameter you won't get this violation, as there is a wildcard parameter. Instead, if you click on Accept Request then it will add the Description parameter and then amend the parameter length on this newly added parameter. At least that is what I would expect.
This may help.
N
David_MI think I did mix it up What I meant was I could not see any recommendations for the parameter in traffic learning. Which I think should be there since the mode chosen is selective and the attributes of description parameter are different from the wildcard. So that's what I'm expecting..!
- nathe
I don't think you will. It'll only get added as part of the Selective configuration on the wildcard in order to allow a greater URL length. Learning is only for violations and there is no illegal parameter violation, only a length violation.
HTH
- David_M
Yes I was not getting even that.
Now i checked the length on the wildcard and it was any, so i made it 10 and now it works fine.
It needs the description parameter to be diff from the WC, so its alright now i guess.
This was just a test though.
The real case I have is where the learning is not showing up for XSS signature attack, it shows up in events logs but not in learning.
- David_M
So even for a illegal length violation to show up as learning I should have the wildcard set to staging right. And then anything which breaks the "boundaries" of wildcard will show up as learning suggestions..?
- nathe
Nope, doesn't need to be in Staging. Staging means it essentially won't block if the policy is in Blocking mode, this is whilst ASM learns the entities properties. Learn is a flag against a violation type, irrespective of whether the policy is in Transparent or Blocking mode.
- David_M
Hi Nathe,
I am referring to this from the guide:
Selective mode offers intermediate protection between Never (Wildcard Only) and Add All Entities. Selective mode will suggest the addition of explicit entities to the policy if their attributes are higher ( or different) from attribute values specified in the wildcard.
This provides application owners with the flexibility to expand a policy if there are irregular entities that need precise protection measurements. In other words, Selective mode is suitable for applications containing entities which use similar or identical attributes.
But if some the entities need special handling, the policy can be expanded to include exceptional explicit entities just for those outliers. New entities that are created from accepting Selective based learning suggestions are created with their Staging checkbox enabled, so they can continue learning attributes that are specific only for this new inexplicit entity.
- nathe
Yes, that makes sense. Selective will only add new entities if they violate a property of the wildcard and these new entities will have staging on them so as to learn new properties. I'm happy with how the guide suggests it should work.
- David_M
Yes so based on this my initial question I should get learning suggestions, right?