
ASM - stopping individual learning suggestions

mm_pen_242283
Nimbostratus

Hi experts.

 

I noticed that even after the policy has been declared stable (turned into BLOCKING mode by admin), those blocked violations (seen in Event logs) are still being shown (with corresponding hits) in the Manual Traffic Learning section. What is the need for that behavior (since this violation is already confirmed as obvious > enforced) and how can one disable Learning for that specific signature?

 

Under Attack Signatures Configuration there is no option available for disabling "Learn" on a particular signature only. Can this setting only be applied to a set of signatures (e.g. Generic...)?

 

To make a long story short: how do you stop individual violations showing in Manual Traffic Learning?

 

Thank you for your answers!

 

1 REPLY

nathe
Cirrocumulus

mm_pen,

 

All violations have a blocking mask setting of Learn, Alarm and Block. You can disable any of these to prevent them occurring for a violation. However, for top level violations, such as attack signature detected, it is one setting for all.

 

That being said, if you've allowed a signature, or any other violation, in the policy then it should neither block nor learn. That bit doesn't make sense, as you state the violation is allowed but you are still getting blocked.

 

N