still confused on Explicit Entities Learning
I'm sorry to be so dense, Eric Novak, but maybe explaining it in our situation would help. We have the wildcard entity (*) defined for URLs and file types in our base policy for all apps. At some point in the future, we may tighten policy with more specific wildcards or explicit entities, but for now we want them learned for future use. For wildcard URLs, we likely would never go beyond 2nd level directories, probably not past the first level. Right now, we have Learn All Entities set and we have hundreds of learning suggestions with hundreds to thousands of occurrences of some entities. In the URL learning, for example, how would changing it to Selective or Never Learn change the amount of information presented in Traffic Learning?
As a side note, the reason we're looking at this is because attack signature learning is rolling off too quickly leaving us with all zeroes in the Recent Incident and Incident columns even if an attack sig violation occurred the previous day. We theorize that the learning suggestions for the wildcards is causing this info to roll-off even though they are still in local logs (we only log request violations).
- nathe
Cirrocumulus
cdjac0bsen - with Never, entities are never learned, so all URLs and File Types will match the wildcard and no learning entries will be identified.
With Selective - this is the halfway house between Add All Entities and Never. Basically, if a violation occurs on a file type and you deem it to be a false positive, for example, ASM will learn the particular entity and recommend adding it to the policy and making the relevant policy change to allow the false positive. This could be allowing or disallowing a metacharacter, for example. This saves you loosening the policy on the wildcard. So you get fewer learning entries for Selective.
Hope this helps,
N
- Erik_Novak
Employee
Sorry about the delayed response! So "Add All Entities" (which is called "Always" in v13), will result in a learning suggestion for every entity for which a request has been detected in traffic. This means you will see a suggestion to add a URL or other entity explicitly, which means "by name" to your policy. The problem as you've stated is that this can cause quite a bit of work. So we invented "Selective." This means you will not see a suggestion to add an entity explicitly if a request for it has been detected in traffic--unless the request differs from the attributes or violation types that are specified for said entity in its wildcard. My guess is that the number of learning suggestions you will see for URLs using Selective learning mode will be far less than if using Add All Entities. The trick is to make sure that the attributes/violations for the URL wildcard are general enough that they are sensible for all of the URLs in your application. So, when a request for a URL is much different than what is in your wildcard (thus making that URL an outlier), you should see a learning suggestion to add that one, weird URL explicitly to your policy. You can speed up the process by adding URLs you know you don't want clients to access to the disallowed URLs list.
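To make the difference between the three modes concrete, here is an added example: a small Python model of the learning decision described in the two replies above. It is not F5's code and nothing in it comes from this thread beyond the mode names; the `UrlWildcard` attributes (allowed methods and allowed metacharacters in the path), the violation checks, the `disallowed_urls` short-cut and the sample traffic are all simplified assumptions constructed for illustration.

```python
"""Toy model of how a URL wildcard's learning mode (Never / Selective /
Add All Entities, i.e. "Always") decides whether to raise a learning
suggestion.  Simplified assumption for illustration, not F5's code."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlsplit


class LearnMode(Enum):
    NEVER = "never"
    SELECTIVE = "selective"
    ALWAYS = "always"  # "Add All Entities"


@dataclass(frozen=True)
class UrlWildcard:
    """Attributes the '*' URL wildcard tolerates (assumed, simplified)."""
    allowed_methods: frozenset = frozenset({"GET", "POST"})
    allowed_metachars: frozenset = frozenset({"-", "_", ".", "/"})


@dataclass(frozen=True)
class Request:
    method: str
    url: str


@dataclass(frozen=True)
class Suggestion:
    url: str
    reason: str


def wildcard_violations(req: Request, wc: UrlWildcard) -> list[str]:
    """Return the ways this request differs from what the wildcard allows.
    Only the path is checked here; the query string is a different entity."""
    problems = []
    if req.method not in wc.allowed_methods:
        problems.append(f"method {req.method} not allowed by wildcard")
    path = urlsplit(req.url).path
    bad = sorted({c for c in path if not c.isalnum() and c not in wc.allowed_metachars})
    if bad:
        problems.append(f"metacharacter(s) {''.join(bad)!r} not allowed by wildcard")
    return problems


def learn(traffic, mode: LearnMode, wc: UrlWildcard,
          disallowed_urls: frozenset = frozenset()) -> list[Suggestion]:
    """Produce learning suggestions for a batch of requests.

    NEVER     -> nothing is learned; every URL simply matches the wildcard.
    ALWAYS    -> every distinct URL seen gets an 'add explicitly' suggestion.
    SELECTIVE -> only URLs whose request violated a wildcard attribute.
    URLs on the disallowed list are blocked outright and never suggested.
    """
    seen: set = set()
    out: list[Suggestion] = []
    for req in traffic:
        path = urlsplit(req.url).path
        if path in disallowed_urls or mode is LearnMode.NEVER:
            continue
        viol = wildcard_violations(req, wc)
        if mode is LearnMode.ALWAYS:
            if path not in seen:
                seen.add(path)
                detail = ": " + "; ".join(viol) if viol else ""
                out.append(Suggestion(path, "request seen; add URL explicitly" + detail))
        elif viol:  # SELECTIVE: one suggestion per (URL, distinct violation set)
            key = (path, tuple(viol))
            if key not in seen:
                seen.add(key)
                out.append(Suggestion(path, "; ".join(viol)))
    return out


# Constructed sample traffic, not real logs.
SAMPLE_TRAFFIC = [
    Request("GET", "/index.html"),
    Request("GET", "/images/logo.png"),
    Request("GET", "/index.html"),          # repeat: no second suggestion
    Request("POST", "/login"),
    Request("GET", "/search?q=<script>"),   # '<' is in the query, not the path
    Request("GET", "/reports/q1;export"),   # ';' in path: outside the wildcard
    Request("DELETE", "/api/items/7"),      # method outside the wildcard
    Request("GET", "/admin/config"),        # on the disallowed list
]
DISALLOWED = frozenset({"/admin/config"})


def suggestion_counts(traffic=SAMPLE_TRAFFIC, disallowed=DISALLOWED) -> dict:
    """How many suggestions each mode raises for the same traffic."""
    wc = UrlWildcard()
    return {m.value: len(learn(traffic, m, wc, disallowed)) for m in LearnMode}


if __name__ == "__main__":
    print(suggestion_counts())
    for s in learn(SAMPLE_TRAFFIC, LearnMode.SELECTIVE, UrlWildcard(), DISALLOWED):
        print(f"{s.url}: {s.reason}")
```

Run on the sample traffic, Always raises one suggestion per distinct URL (six), Selective raises only the two outliers (the `;` in a path and the `DELETE` method), and Never raises none; the disallowed URL produces no suggestion in any mode. Whether Selective stays quiet in practice depends, as Erik says, on the wildcard's attributes being broad enough for the normal traffic.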
- Erik_Novak
Employee
Well, the suggestion will be to add the URL by name, regardless of which learning method you use. So it's the "same" suggestion either way. The real question is when you would see the suggestion and why it triggered. Take a look at the violations for URLs on your blocking settings page--they apply to the wildcard as well.