Forum Discussion
ASM logging potential attacks signatures
Hi, is it possible to log potential attack signatures in the event log instead of "manual traffic learn"? The environment is set up to release all traffic and only block known specific attacks. I want this to avoid false positives. But the potential attacks have been recorded only in "manual traffic learn" and are not raising alarms in the request event log.
2 Replies
- samstep
Cirrocumulus
- Make sure your attack signatures are Enforced (not in Staging).
- Make sure that the "Alarm" flag is set on the "Attack Signature Detected" violation. It looks like you only have "Learn" enabled.
- cjunior
Nacreous
First, thanks. Yes, the staging was disabled. The alarm and the block were flagged. If I don't mark the learn checkbox, nothing occurs then. The problem is the way that the customer needs to use the ASM. He needs to block the specific points and just alarm on other possibly vulnerable points, coming from a matched wildcard, to prevent false positives and stop the application. In my view, the concept of ASM was made to protect everything and not sometimes, but the customer needs to protect sometimes and always trigger an alarm. For now, my solution was to make two policies: the first blocking attacks (such as parameters, cookies, etc.) and the second policy to alarm on all, and this will be selected by a Local Traffic Policy to select the appropriate ASM policy. But this solves 90%, since the blocking policy does not trigger alarms.