Forum Discussion
CirrusIgnore value versus Apply content signatures
Hello,
Facing unknown content blocked by ASM, i would like to compare 2 options to set an exception.
First one : Set the Content-type header and set Request Body Handling with "Apply content signatures" or "Apply value and content signatures".
Second one : Set the Parameter value type to "Ignore Value" on the URL level wildcard parameter.
Reading the help information is giving different information.
"Apply value and content signatures" => scans content for value and full-content attack signatures without attempting to parse it or extract parameters.
"Ignore Value" => the system does not perform validity checks on the value of the parameter. Regarding signatures, the system does not perform parameter-based signature checks on the value of this parameter.
any though is much welcome.
Regards
Aurel
2 Replies
- Samir
MVP
It depends on type of application hosted on ASM. But ignore value (2nd option) will be better then first one.
Best way go through traffic learning event logs and analyze it.
AurelHi,
thanks for your comment. But can you elaborate on why "ignore value" would be the best option ?
Trying to count "Parameter based" signatures, i am getting the 1/3 ratio versus all signatures. Meaning that removing them would remove around 1/3 of the attack signatures.
I can't unfortunately identify what is called "Content signatures" to compare any proportion, and mostly to conclude about each security tradeoff more accurate score.
