I am using 10.2. I have a few Attack Signatures that I want to turn on in blocking mode. I have a few other Attack Signatures that have way too many false positives - I want to keep these in Alarm mode only. How can this be done?
I think I still have the same problem. For the attack signatures - it looks like all have to be in staging or out of staging. I can't select which Attack Signatures are in staging and which ones are not.
I can't select which Attack Signatures are in staging and which ones are not.have you tried to enforce some attack signature while others are in staging at application security > attack signatures > policy attack signatures?
Nitass is right when you go into the Attack Signature staging and see which signatures have tripped and which ones have not, you can check the box next to the signatures you wish to enforce and then select enforce signatures. The signatures that you do not select will remain in staging, so you should be able to see the alerts for them but not have blocking.