enforcement readiness period
3 Topics

Enforcement Readiness Summary and HTTP Protocol Compliance
Hi, I can understand the logic of the info in this widget for most of the Entity types but can't figure out what the logic is for the mentioned type. After the Enforcement Readiness Period passed, my not-triggered signatures are listed in the Ready To Be Enforced column. However, nothing is listed for HTTP Protocol Compliance.

I am using Rapid Deployment policy building (Manual learning) with default settings (v13.1.0.7). The result of those settings (in Learning and Blocking Settings) for the HTTP protocol compliance failed section is:
* Learn, Alarm, Block - checked (as listed for HTTP protocol compliance failed in Blocking Settings)
* 5 violations with Enable selected (I manually enabled two more, originally only 3 are enabled)
* 11 with Learn checked

In the Enforcement Readiness Summary section these values are displayed:
* Learn New Entities: N/A
* Total: 19 (matches the number of violations of this type in Learning and Blocking Settings)
* Not Enforced: 9 - can't figure out how it's calculated. Learn enabled (11) - Enabled (5): not it. Total (19) - Learn enabled (11): not it. Any idea?
* Not Enforced And Have Suggestions: N/A
* Ready To Be Enforced: 0

2 violations were triggered by requests - at least when using the filter on the Traffic Learning page (Type: HTTP Protocol Compliance; Score: 0-100 - this filter returns 11 suggestions, so it equals the number of violations with Learn checked), only two have any requests that can be checked; the rest just report "[number] requests triggered this suggestion" instead of "[number] sample requests out of [number] that triggered the suggestion" - I assume that only suggestions with such info are based on actual requests received.

The question is why:
* Not Enforced And Have Suggestions: 0 - for me it should be 2 - actual requests triggered two violations and I have suggestions for that, even if I marked those as Enabled after seeing the suggestions (via Learning and Blocking Settings)
* Ready To Be Enforced: N/A - why N/A? It should be some number because other violations marked with Learn were never triggered by any request. For me it should be at least 9-2 = 7 or rather 11-2 = 9

Example info in suggestions for not-triggered violations is:
* Action: Enable HTTP Check
* Matched HTTP Check: Bad host header value

Why is Matched HTTP Check listed when no request matched anything like that?

Any help appreciated,
Piotr

740 Views, 0 likes, 5 Comments

Logging and identify the violations from staged signatures
I am trying to fix a signature update issue for ASM v12.1.0 here. Signatures have not been updated for some time. I want to do this in a phased manner now:
1) Enable signature staging for the policy; enable signature staging for updated/new signatures
2) Run a manual update
3) Get through the Enforcement Readiness period of 7 days
4) Check for any violations for staged signatures and enforce the new/updated signatures respectively

Regarding point 4, I will need some guidance on checking for any violations for staged signatures. We are sending logs to Splunk; how do I identify from the log data if the alert was on a staged signature? Pasting a log snippet below.

30/08/2018 11:07:54.000 Aug 30 11:07:54 xxxx.net.au ASM: f5_asm=Splunk-F5-ASM,attack_type="",date_time="2018-08-30 11:07:54",dest_ip=x.x.x.x,dest_port=xxxx,geo_info="US",http_class="/Common/VS_Test",ip_addr_intelli="N/A",ip_client=x.x.x.x,ip_route_domain="x.x.x.x%0",is_trunct=truncated,manage_ip_addr=x.x.x.x,method="POST",policy_apply_date="2018-05-31 10:08:09",policy_name="/Common/VS_Test",protocol="HTTP",query_str="",req_status="passed",resp_code="200",route_domain="0",session_id="4353fdsad4dd",severity="Informational",sig_ids="",sig_names="",src_port="27603",sub_violates="",support_id="17873574374868071705",unit_host="xxxxxxxxxxxxxxxx",uri="/abc/xyz",username="N/A",violate_details="44f3d1e143060702-000000000000000044f3d1e143060702-000000000000000044f3d1e143262702-0000000000000000000040c100240000-0000000000000000

571 Views, 0 likes, 2 Comments