ghost-rider_124
Jun 24, 2014

ASM Learning Fine Tuning (illegal meta characters in value)

Hello Experts,

My ASM policy is in transparent mode and configured manually, that is, through wildcards for URLs, parameters and file types.

I am getting "illegal meta characters in value" violations. A snapshot is attached.

1. How do I fine-tune this?
2. If I accept learning suggestions, would these illegal meta characters be accepted for wildcard parameters or for particular learned parameters? The violations do not mention which parameter got the "illegal meta character in value".
3. What do "Disallowed" and "Allowed" mean?
4. Also, if I go to the meta character settings under any particular learned parameter or wildcard parameter, there is something called global policy settings for meta characters. Where do these settings come from?

Regards,

GR

  • Hi,

    1. You must decide which meta characters are allowed for the parameters.
    2. If you accept the suggestion for wildcard parameters, the illegal meta characters would be accepted for all parameters, but not for particular learned parameters.
    3. Allowed: Specifies that the character or meta character can occur in parameter values. Disallowed: Specifies that the character or meta character cannot occur in parameter values.
    4. These settings come from /Security/Application Security/Parameters/Characters Sets
  • Hi Vitaliy,

    Thanks for the reply.

    For point 2, it means ASM will not give you insight into which parameter got this violation (illegal meta character in value). If I want to accept this violation only for a particular parameter, how can I do that? A snapshot is attached.

    I appreciate your reply.

  • Do you have any records about the violation?

    Security ›› Application Security : Policy Building : Violations on Entities : Violations on Parameters

  • You can accept the learning suggestion if you don't see the parameter name. I had the same issue and didn't find a way to get the name of the parameter which had the violation from the logs.

    • ghost-rider_124
      Thanks, Vitaliy. So it means that if I accept this, it will be accepted under the wildcard parameter? If it is showing the parameter name, what do I need to do? I appreciate your reply.
    • Vitaliy_Savrans
      Yes, it will be accepted under the wildcard parameter. If it's showing the parameter name, you can accept the learning suggestion and it will work only for that parameter.
    • ghost-rider_124
      Hi Vitaliy, thanks for your assistance. The last question: in the attached snapshot, what is the action? 1- Allow on entities 2- Allow in parameter value/JSON content/XML content character sets
  • Hi,

    "Allow in parameter value and XML/JSON content character sets" means that if you select this and accept, the system allows this meta character in the security policy's parameter value character set, XML content character set and JSON content character set.

    If you choose "Allow on entities", the system allows this meta character only for the parameter value that you select.
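
A simplified model of the scoping described in the answers above, as an added example that is not part of the original thread and is not F5 code: an explicit (learned) parameter does not inherit what is accepted on the wildcard, "Allow on entities" changes one entity, and the character-set option changes the policy-wide set. The `Policy` class, its method names and the sample request are assumptions made for illustration.

```python
# Simplified model of the scoping described in this thread; not F5 code.
# Entity names, the "*" wildcard and the sample values are constructed.

class Policy:
    def __init__(self, disallowed):
        self.charset_disallowed = set(disallowed)  # policy-wide value character set
        self.overrides = {"*": {}}                 # per-entity overrides: {char: allowed}

    def learn_parameter(self, name):
        """Add an explicit (learned) parameter entity with no overrides yet."""
        self.overrides.setdefault(name, {})

    def entity_for(self, param):
        """An explicit entity takes precedence over the wildcard."""
        return param if param in self.overrides else "*"

    def allowed(self, param, ch):
        """Entity override first, otherwise fall back to the policy-wide set."""
        entity = self.overrides[self.entity_for(param)]
        return entity.get(ch, ch not in self.charset_disallowed)

    def violations(self, request):
        """Sorted (entity, parameter, char) for each illegal meta character."""
        return sorted({(self.entity_for(p), p, ch)
                       for p, value in request.items()
                       for ch in value if not self.allowed(p, ch)})

    def allow_on_entity(self, entity, ch):
        """'Allow on entities': override on one parameter entity only."""
        self.overrides[entity][ch] = True

    def allow_in_character_set(self, ch):
        """'Allow in ... character sets': change the policy-wide set."""
        self.charset_disallowed.discard(ch)


def build_policy():
    policy = Policy(disallowed="<>;'")
    policy.learn_parameter("comment")   # one explicit parameter, rest hit "*"
    return policy

REQUEST = {"comment": "a<b", "q": "x<y", "id": "42"}  # constructed sample

if __name__ == "__main__":
    p = build_policy()
    print("before:               ", p.violations(REQUEST))
    p.allow_on_entity("*", "<")
    print("after wildcard accept:", p.violations(REQUEST))
    p.allow_on_entity("comment", "<")
    print("after explicit accept:", p.violations(REQUEST))
```

In this model the entity-level accept is the narrowest change, which is why knowing the parameter name matters when tuning.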

     

  • MSZ

    If we want to allow some character, then we must unblock the "illegal meta character in value" from Blocking --> Setting --> Input violation.

    Please suggest.


  • I am also getting the same logs in the SIEM solution: "Illegal meta character in value". However, the device custom string is "filenetservice", and in some cases it's the Exchange ASM policy. Please suggest how to fine-tune this alert.