
The BIG-IP Application Security Manager Part 8: Data Guard

This is the eighth article in a 10-part series on the BIG-IP Application Security Manager (ASM). The first seven articles in this series are: What is the BIG-IP ASM? Policy Building The Importa...
Published Dec 06, 2013
Version 1.0
Tags: application delivery, ASM Advanced WAF, data guard, devops, iRules, security, tech tip
ltwagnon
Ret. Employee

ltwagnon
Ret. Employee
Dec 27, 2013
Great question. If you "learn" a violation against an attack signature, the signature should be disabled against the specific parameter or URL that caused the violation...and it won't affect other parameters or URLs in your security policy.

For example, if I see an "attack signature detected" violation against parameter "username" then I can "learn" that violation for that specific parameter. So, if the ASM detected signature 200002147 (a SQL injection) against parameter "username" and then I learn that attack signature against that parameter, the attack signature will be disabled for that parameter only. All other parameters and URLs will still trigger that specific attack signature.

That said, there are some attack signatures that are not parameter or URL based. They are global attack signatures that are not associated with a specific URL or parameter. If you "learn" one of these signatures, then it will be disabled for your entire security policy. The best way to determine if a signature is parameter-based or global is to click the "learn" button next to the attack signature violation and it will take you to a screen that lists all the signatures associated with that violation. You can click the down arrow (show/hide parameters) next to each signature and it will list the details for that signature. If the detailed list includes a specific parameter, then the signature is parameter based and not global. If it does not, it's a global parameter.

I hope this helps. Let me know if you need anything else!

John
