Reza_76713
Mar 11, 2009

Learn, Alarm, Block settings filter based

Hi, pls see attachment, is there any way to change notification messages based on filter separately?

 

I like to have some filters only to block, others block and alarm!

 

Thx
  • hoolio
    I think the most specific that you can get for the learn/alarm/block settings is to set these options on the Attack Signature Sets level.

     

     

    Aaron

     

  • Ido_Breger_3805
    Historic F5 Account
    Have you tried to use the staging to do that?

     

    Any signature that is within the "staging basket" will only create alarms; signatures which are outside the staging basket will alarm and block.
  • Ido_Breger_3805
    Historic F5 Account
    It should solve this use case; it sounds to me like a misconfiguration. I suggest opening a support case.

     

    Cheers,

     

    Ido
  • If you are trying to configure a search filter you can do that by going to Policy > Attack Signatures. Then click "Policy Attack Signatures" on the top menu. Select the web application policy you are wanting to use and click go. After the screen reloads then go to the Learn, Alarm and Block settings and modify those to match the filter you are wanting to create. Then click save filter.

     

    If you are wanting to set certain attack signature sets to Alarm and Block or just to Block, go to Policy > Attack Signatures. You will then be on the attack Signature Sets page. In the Assigned Signature Sets box you can toggle Learn, Alarm and Block off for each set name. I do not know if it is possible to toggle those on individual attack signatures.
  • Hey, Thx but I am trying to toggle those on individual attack signatures.
  • Have a need to do this as well -- to remove the blocking of a specific signature so that the site will work while continuing to Alarm and Learn to allow us a chance to look into why this is a problem and to correct it. Without the Alarm we don't know if it is fixed and we don't know about events that are occurring that are also triggered on this.

     

    1. How to remove a block on an individual signature and allow it to continue to learn and alarm.

     

    2. If that is the same as what happens when a signature is in Staging, great! So then how do you put this signature into Staging (again)?

     

    3. Alternative might be an approach of custom signature sets. Is that possible?

     

  • Same story here. I've created multiple custom Signature Sets to do exactly this. It works, but I've found working with them to be terribly clumsy. I've created a bunch of Requests for Enhancements around signature sets, including:

     

     

    * Fix the fact that signature names are cut off when editing the contents of a signature set, making it often impossible to distinguish between signatures (CR130792)

     

    * Fix the sorting of signature names when editing the contents of a signature set (the sort order changes from case insensitive to case sensitive when you add or remove a signature)

     

    * Create a tool that provides a mechanism to easily move signatures from one set to another and to compare signature sets

     

    * Provide the ability to export and import signature sets (this is a huge issue if you use signature sets and have multiple environments, eg dev, test, prod)

     

     

    I would really like to see the custom (manual) Signature Sets become more usable.
  • hoolio
    Hi Paul,

     

     

    Thanks for the info. I'll add a few cases to the RFE's you've posted.

     

     

    I opened a case a while ago asking F5 to provide better handling of the fact that the ASM attack signatures aren't included in the policy. The result of this is that customers who have multiple environments have to jump through a lot of extra hoops to ensure the attack sigs are standard across each environment. The CR was CR109139 or CR109140 (two related CR's from the same case).

     

     

    Can you post the RFE CR you received for this for the fourth item in your list?

     

     

    Thanks,

     

    Aaron