Forum Discussion
Dave_S_183930
Nimbostratus
NimbostratusASM Signature Blocking, but not Enabled?
So I get a user ticket that says the user was blocked on the Application dir Access (\manage) signature. When I go to disable this attack signature on the parameter, it's not listed in the Global Security Policy Settings....So after some investigation I went to Manual Traffic Learning and found this signature listed, but not enforced yet...
So my question is how did this user get blocked on a signature that hadn't been enforced or enabled yet? Granted the Policy itself is in Blocking Mode....???
Another Question is why did this signature not appear in the Global Security Policy Settings..??
Dave_S_183930Yes I was able to disable it on the policy. So I think we are good. So it was because the attack signature was a URI based one....that is why it didn't show up? Yes I did see it in the list...
natheCirrocumulus
Exactly. Glad ur sorted
- nathe
firstly, that attack signature is a URI one in scope so you won't be able to assign it to a parameter.
Secondly, what I suspect is the signature is enabled and the traffic learning is just identifying that it's been triggered and you can now make an exception if required. In this case you might only be able to disable it on the policy? Or does the learning suggestion mention how to allow this, possible a URL parameter instead?
Do you see the signature in Application Security - Attack Signatures - Attack Signature List? Filter on 200000011.
Hope this helps,
N