Forum Discussion
AltostratusLearning option for attack signatures
Hi;
Under Application Security> Blocking > settings, why is there a learning flag option for Attack Signatures. I mean what is there to be learnt since attack signatures are knows through the Attack Signature file downloaded from F5.
Kindly Wasfi
4 Replies
natheCirrocumulus
Wasfi, by enabling the Learn flag it means any violations of an attack signature will generate a log in Manual Traffic Learning. That way you can more easily identify any false positives and make the necessary policy changes.
Without Learning then you only have the violation logs in Requests and you have to unpick the reason for the violation manually.
Hope this helps,
N
- nolipinedaGives us the option to learn and have the ability to stage application behaviour against known signatures?
refra_151287Cirrus
If you got blocked at the blocking mode regarding specific attack signature, this option will put this attack signature at the manual traffic learning page, and see if it's a false positive attack you can learn it, so ASM will not block it again.
Wasfi_182818Thank you Refra. Although you don't event need to be in blocking mode for the signature to show under manual traffic learning. You could be in transparent mode and it will show under manual traffic learning. You need to be outside the enforcement readiness period.
