Forum Discussion

THE_BLUE
Aug 31, 2022

modified domain cookies

I got many blocks with a violation of modified domain cookies with reason "new cookie". I noticed that if the cookies are in the enforced list and have been changed, I will face modified domain cookies.

So do I have to move these cookies to the allowed list? Or remove the block from settings? Is there any risk? Or is there another violation that will catch it if something illegal happens?

How to know if it is a false positive or not? Note that I'm not the owner of the secured application.


  • How to know if it is a false positive or not? Note that I'm not the owner of the secured application.


    That's the worst condition to maintain a security policy. But I feel you, since we have the same situation at our DC. Without having a clue what's going on at the application, you should not enforce the cookies or other settings like parameters, because you don't know what cookie/parameter is correct, how often there will be a change, and so on.

    You have two choices.

    A) Get in touch with the application devs and set it all up together (parameters, cookies, URLs, etc.); then you have a well-secured policy.

    B) Go with wildcards for parameters, URLs, cookies, etc. Don't learn them, just accept them and only do attack signatures on them.

