Q&A: Can I still see violations (alerts) for an attack signature when it's disabled in a WAF policy?

Question

Can I still see violations (alerts) for an attack signature when it's disabled in a WAF policy?

Environment

  • Silverline WAF
  • Proxy / Proxies
  • Attack Signature 

Answer

Individual attack signatures can only be enabled or disabled.

  • If disabled, the signature does not cause a violation, even if patterns match the traffic.
  • If enabled, and the traffic matches the pattern in the signature, an Attack Signature Detected violation occurs, and traffic is handled in accordance with the WAF policy blocking settings.
  • It is not possible to disable an attack signature in a WAF policy that is in blocking mode and configure it to alert only.

Attack signatures are also grouped into sets to identify classes of attacks or the system running the protected application.

  • The Silverline SOC has the ability to disable or enable signature sets, based on attack types that they belong to.
  • The action for a signature set can be set to either alert only or block. This means that even if the policy enforcement mode is blocking, we can still disable a given set of signatures and configure it to alert only.
