Forum Discussion
Altocumulushelp -best option about parameter learning!!
hello I have a question regarding the learning of the parameters, which would be the best method to use in an implementation never, always, selective, I think that by discarding never is not the best option, my doubt is whether to use always or selective, if I use I will always learn all the parameters that you send in the requests, it is recommended that you learn all the parameters by strain, I understand that if I know how well the policy could eliminate the willcard? , or use select since you only learn the parameters that exceed the willcard, how to define the properties of the willcard so as not to suffer an overflow attack?
Yoann_Le_Corvi1Cumulonimbus
Hi
The short answer is (unfortunately) : it depends ! :)
It depends how strict you want to be on the policy, and how much time you have available for the job.
Always : once policy is stabilized, wildcard is removed any parameter not in the list will be blocked.
Selective : wilcard remains, paramters are allowed, but if you have to relax a setting (e.g. disable an attack signature) this will be applied only to the relevant parameter and not to all of them
Never : wildcard remain, and if you relax a setting (e.g. disable an attack signature) this will be applied to the wildcard, i.e. all parameters.
So no real "rule" unfortunately.
Hope this helps in the reflexion ?
Yoann