Some questions about ASM module from a beginner
Hello all,
So I finally was able to perform some tests in a lab on VMware Workstation with Hack-it-yourself PHP. I reproduced one attack to see the behaviour of both policy construction methods (automatic and manual). Here is the scenario for both construction modes after creation:
Manual:
- Signature staging: enabled
- Enforcement mode: Blocking
- Learn, Alarm, Block checked for 3
- ERP: 7 days

Automatic:
- Signature staging: enabled
- Enforcement mode: Blocking
- Learn, Alarm, Block checked for 3
- Policy Builder enabled
- ERP: 7 days
- Policy mode: Comprehensive
When I uncheck "signature staging" on the manual policy, the script is blocked right away, but when I do it with the automatic policy, it doesn't block it and I can't figure out what prevents me from blocking it. My guess is the Policy Builder, but when I disable it, it still doesn't block my script request, so can someone explain to me the behaviour of an automatic policy, the Policy Builder and the policy mode? This is the kind of log I have with the automatic policy:
https://puu.sh/vMtRL/0ba67eb302.png
Also, where do you decide if this specific request is a false positive?
If I understand it correctly, this is where you decide if a signature is a false positive (screenshot below), but where do you specify that a request, or a request coming from a specific IP, is safe?
https://puu.sh/vMu3R/aa50bc2da4.png
Another "strange" behaviour I have: as you can see, I have signature staging enabled and my policy in blocking mode. Isn't the security policy supposed not to block the traffic that triggered some signature, and just report it, so that I decide afterwards whether to block it or not? I'm asking because my policy still keeps blocking the traffic that triggers the signature:
https://puu.sh/vMubP/996be50a7e.png
Answering the first question: you have to enforce the entities learned by the Policy Builder. Answering the second question: you can decide what to do with the learning suggestions, including ignoring them. Answering the third question: in the IP address exceptions. Answering the last question: blocking mode in the policy is the general behaviour; a signature can still be in staging or have already been removed from staging. That setting just says whether you stage signatures or not, but does not tell whether a signature is still in staging or not.