Technical Forum
ASM Policy Builder..

Mr__Katic_15215
Altocumulus

Hi Everyone,

I am setting up and tuning an ASM policy for one application. When I generate a SQL injection attack on purpose, it is detected by ASM, rated as risk 5 and listed in Violations, but still rated as a legal request and not listed under illegal requests. My policy is on the Comprehensive level, in blocking mode. The same happens when I try to trigger a response on XSS activity. Generally, almost none of the risk-rated (1-5) requests are blocked, and I have put my policy in blocking mode. Less than 1% of suspicious requests are blocked and listed as illegal requests in the Event Log. I am a little bit confused by this and need some clarification. If I click learn on each false positive and then accept it, will that make the policy treat this type of request as legal in future, or only this request from that IP at that moment? If the status is legal for a request in the event log but there is a risk of 1 or 2, and I ignore it and don't do anything, can I assume the production policy will ALLOW this TYPE of request in future, with no need to click learn + accept on each false positive? How can I tell the policy builder that some request listed as legal is actually illegal and I want it to block it? I only see an accept button, not an option for blocking this type of request in future.

Sorry for bunch of Qs, first policy of mine...

Thank You

3 REPLIES

mimlo_61970
Cumulonimbus

To answer one question:

"If I click learn on each false positive and then accept it, will that make the policy treat this type of request as legal in future, or only this request from that IP at that moment?"

The policy will treat the request as legal going forward, for all requests. Sometimes there is some scope on this action, like "disable on parameters", which would only disable it if matched on a parameter (but not a header or URI). Also, if you have specific parameters/URLs defined, it can be applied to only those and not to everything (the wildcard parameter, if it exists).

nathe
Cirrocumulus

Yes. Items in staging are classed as legal. At the end of the enforcement period, either accept the false positives or not, and enforce the other items, e.g. attack signatures. These will now trigger illegal requests. N

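One way to make the staging/enforcement distinction above visible in the event data, as an added example (not from this thread and not F5's own code): the script parses ASM remote-logging events in the comma-separated key="value" form, separates requests that were actually blocked from those that only alerted, and flags high-rated alerted events as the candidates to review before enforcing. The log lines are constructed, and the field names (request_status, violation_rating, attack_type, violations, sig_names, ip_client, uri, policy_name) are assumed to match the default ASM remote logging template.

```python
"""Triage ASM remote-log events: what was blocked vs. what only alerted.

Added example, not from the thread or from F5. Log lines are constructed;
field names are assumed to follow the default ASM key="value" log format.
"""
import re
from collections import Counter

# Constructed sample events (one per line), mimicking the assumed
# comma-separated key="value" remote-logging format.
SAMPLE_LOG = """\
request_status="alerted",violation_rating="5",attack_type="SQL-Injection",violations="Attack signature detected",sig_names="SQL-INJ expressions",ip_client="198.51.100.10",uri="/login",policy_name="app1_policy"
request_status="alerted",violation_rating="4",attack_type="Cross Site Scripting (XSS)",violations="Attack signature detected",sig_names="XSS script tag",ip_client="198.51.100.11",uri="/search",policy_name="app1_policy"
request_status="blocked",violation_rating="5",attack_type="SQL-Injection",violations="Attack signature detected",sig_names="SQL-INJ UNION SELECT",ip_client="198.51.100.12",uri="/items",policy_name="app1_policy"
request_status="alerted",violation_rating="1",attack_type="N/A",violations="Illegal parameter value length",sig_names="",ip_client="198.51.100.13",uri="/profile",policy_name="app1_policy"
request_status="passed",violation_rating="0",attack_type="N/A",violations="",sig_names="",ip_client="198.51.100.14",uri="/",policy_name="app1_policy"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value",key="value" line into a dict."""
    return dict(FIELD_RE.findall(line))


def triage(log_text, review_threshold=4):
    """Return (status_counts, to_review).

    status_counts: how many events ended as blocked / alerted / passed.
    to_review: alerted events whose violation rating is at or above the
    threshold. 'alerted' means a violation fired but nothing blocked it:
    in blocking mode that usually means the signature or entity is still in
    staging (or blocking is disabled for that violation), so these are the
    items to check before enforcing.
    """
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    status_counts = Counter(e.get("request_status", "unknown") for e in events)
    to_review = [
        e for e in events
        if e.get("request_status") == "alerted"
        and int(e.get("violation_rating", "0")) >= review_threshold
    ]
    return status_counts, to_review


def summarize_by_signature(to_review):
    """Group review candidates by signature name so each can be enforced or
    accepted as a false positive once, rather than per request or per IP."""
    return Counter(e.get("sig_names") or e.get("violations") for e in to_review)


if __name__ == "__main__":
    counts, candidates = triage(SAMPLE_LOG)
    print("request_status counts:", dict(counts))
    for e in candidates:
        print(f"review: rating={e['violation_rating']} {e['attack_type']} "
              f"uri={e['uri']} sig={e['sig_names']!r} client={e['ip_client']}")
    print("by signature:", dict(summarize_by_signature(candidates)))
```

Grouping the review candidates by signature rather than by client IP matches how accepting or enforcing works in the policy: the decision applies to the signature or entity for all future requests, not to one request from one address.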
Ndlovumm
Cirrus

I think the best way to protect against SQL injection and XSS is by creating a Rapid Deployment policy instead of Comprehensive or Fundamental. I have been busy with ASM labs and found out that the Rapid Deployment template protects against such attacks from the start; you can then tune the policy to suit your requirements. But the best way is by using the Rapid Deployment template.