Logging and identify the violations from staged signatures
I am trying to fix a signature update issue for ASM v12.1.0 here. Signatures are not updated from some time. I wanted to do this in a phase manner now. 1) Enabling signature staging for the policy, enable signature staging for updated/new signatures 2) Run a manual update 3) Get through the Enforcement Readiness period of 7 days 4) Check for any violations for staged signatures and enforce the new/updated signatures respectively. Regx point 4, will need some guidance on checking for any violation for staged signatures. We are sending logs to splunk and how do i identify from the log data, if the alert was on a staged signature. Pasting some log snippets below. 30/08/2018 11:07:54.000 Aug 30 11:07:54 xxxx.net.au ASM: f5_asm=Splunk-F5-ASM,attack_type="",date_time="2018-08-30 11:07:54",dest_ip=x.x.x.x,dest_port=xxxx,geo_info="US",http_class="/Common/VS_Test",ip_addr_intelli="N/A",ip_client=x.x.x.x,ip_route_domain="x.x.x.x%0",is_trunct=truncated,manage_ip_addr=x.x.x.x,method="POST",policy_apply_date="2018-05-31 10:08:09",policy_name="/Common/VS_Test",protocol="HTTP",query_str="",req_status="passed",resp_code="200",route_domain="0",session_id="4353fdsad4dd",severity="Informational",sig_ids="",sig_names="",src_port="27603",sub_violates="",support_id="17873574374868071705",unit_host="xxxxxxxxxxxxxxxx",uri="/abc/xyz",username="N/A",violate_details="44f3d1e143060702-000000000000000044f3d1e143060702-000000000000000044f3d1e143262702-0000000000000000000040c100240000-0000000000000000
attack signature updates
I am looking to settle a conversation I am currently having with a customer. he states that with the signature updates that the "enable staging" box must be checked for the policy and only the new updates will be in staging at that time not the entire policy( I'm referring to the actual policy page not the signature update page, I am sure that one goes into staging regardless) My understanding is that the signatures that were updated as well as any new sigs go directly into staging for seven days and that if you click "enable staging" on the policy, it puts the entire policy into staging and will not block anything? is this the case? is being in staging mode just nearly the same as transparent? any and all advice is appreciated, a step by step guide to safely implementing signature updates would be extremely helpful if someone had guidance on thissignature updates
I am curious as to how long newly input signatures as well as updates stay in staging after they have been downloaded. is this generally a formality and has minimal impact or are they heavy sig updates that must be monitored to ensure valid traffic is not blocked. F5 states that the updates go immediately to staging, but what is the period for this and how can I validate?