If you select "Disable on parameters" or even "Disable" then you will be disabling the attack signature for either that specific parameter or the entire security policy. So, if you want to enforce the attack signatures, then you should not select the "Disable" option. Also, don't forget that you need to make sure the Blocking Settings are configured to "block" on the "Attack Signature Detected" setting. You can check all the Blocking Settings by going to Security >> Application Security >> Blocking >> Settings. One last thing... the attack signatures cannot be in Signature Staging if you want them to block. Even if you check the "block" option, they won't block if they are in Staging mode.