ASM; Change of "Ignore Value" param with event description: Fallback to default parameter type
Hello everybody! I have encountered a problem and need help! I have created a policy and activated its "real traffic learning". Through trusted traffic, it recognized some parameters of "Ignore Value" type and some of other types. After 8 days (1 day more than the "enforcement readiness period") and before deactivating "real traffic learning" (I had to do that), I edited some of the other parameters, and I observed that the policy builder changed all of the "Ignore Value" parameters to "user input with length of 10" one by one. The descriptions of these events are logged as "Parameter Type was set to User input value. Fallback to default parameter type". Could anyone help me with:
1- Firstly, why did some of the parameters get the type "Ignore value"?
2- Why should "Ignore values" parameters be changed in this scenario? And why are these changes made one day after the "enforcement readiness period"? How could this scenario be explained? Generally, does the policy builder change parameters after the "enforcement readiness period"?
3- And, the event description says "... Fallback to default parameter type". Where is the type "user input with length of 10" defined as default? Can I edit this default value setting?
Thanks a lot!
ASM Policy Builder..
Hi everyone, I am setting up and tuning an ASM policy for one application. When I generate a SQL injection attack on purpose, it is detected on ASM, rated as risk 5, and listed in Violations, but it is still rated as a legal request and not listed under illegal requests. My policy is on the comprehensive level, in blocking mode. The same happens when I try to trigger a response to XSS activity. Generally, almost none of the risk-rated (1-5) requests are blocked, and I have put my policy in blocking mode. Less than 1% of suspicious requests are blocked and listed as illegal requests in the Event Log. I am a little bit confused by this and need some clarification.
If I click learn on each false positive and then accept it, will that make the policy treat this type of request as legal in future, or only this request from that IP at that moment?
If the status is legal for a request in the event log but there is risk 1 or 2, and I ignore it and don't do anything, can I assume the production policy will ALLOW this TYPE of request in future, with no need to click learn + accept on each false positive?
How can I tell the policy builder that some request listed as legal is actually illegal and I want it to block? I only see an accept button, not an option for blocking this type of request in future.
Sorry for the bunch of Qs, first policy of mine... Thank you