Forum Discussion

ScottA_6475's avatar
ScottA_6475
Icon for Nimbostratus rankNimbostratus
Feb 08, 2012

Selective Blocking on Attack Signatures

I am using 10.2. I have a few Attack Signatures that I want to turn on in blocking mode. I have a few other Attack Signatures that have way too many false positives - I want to keep these in Alarm mode only. How can this be done?

 

 

Thanks,

 

Scott

 

app sec
BIG-IP Access Policy Manager (APM)
security
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Feb 08, 2012
    just wondering if staging false alarm signature but enabling others works.
  • ScottA_6475's avatar
    ScottA_6475
    Icon for Nimbostratus rankNimbostratus
    Feb 08, 2012
    I think I still have the same problem. For the attack signatures - it looks like all have to be in staging or out of staging. I can't select which Attack Signatures are in staging and which ones are not.

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Feb 08, 2012
    I can't select which Attack Signatures are in staging and which ones are not.have you tried to enforce some attack signature while others are in staging at application security > attack signatures > policy attack signatures?
  • Mike_Maher's avatar
    Mike_Maher
    Icon for Nimbostratus rankNimbostratus
    Feb 08, 2012
    Scott,

     

    Nitass is right when you go into the Attack Signature staging and see which signatures have tripped and which ones have not, you can check the box next to the signatures you wish to enforce and then select enforce signatures. The signatures that you do not select will remain in staging, so you should be able to see the alerts for them but not have blocking.