Automatic Policy Building (APB)

Hi Ido

 

I tried the below in the login box

 

$username = 1' or '1' = '1

 

$password = 1' or '1' = '1

 

 

The violation was detected , I chose to learn the SQL-injection then tested again on the website and was not blocked.

 

I then went to Attack Signatures > Policy Signatures > Overrides on Parameters : Signatures with Overrides : I see the signature "SQL-INJ expressions like "or 1=1" (3)" ID= 200002147

 

 

I selected the yellow light bulb next to signature name then deleted the parameter names in the list.

 

Attempted the same injection with the login box and was not blocked.

 

I confirmed the signature is set to : Learn (Yes), Alarm (Yes) and Block (Yes) under Attack Signatures > Policy Signatures.

 

 

What am I missing?

 

 

For point 2:

 

My policy is set as follows:

 

Enforcement mode = Block

 

Staging-Tightening Period = 7 Days (This is where the new URL's, parameters etc will be learnt ?)

 

Enable Signature Staging = Not selected

 

 

Is manual policy building not an "always on" feature that will report back ?

 

I do use it.