Bug ID 630278: Top Traffic Learning Violations

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Nov 24, 2016
Severity: 3-Major

Symptoms

In v12.x, ASM unified manual learning and automatic policy building, which also caused significant changes in the GUI. The Traffic Learning screen showed only suggestions (in both manual and automatic mode). The manual traffic learning tables that listed violating requests, ordered by violation or by attack signature, were no longer available.

Impact

In earlier versions, the 'manual traffic learning' feature showed violating requests ordered by violation, making it possible to identify false positives and improve the policy. It also showed all violations ordered by violation or by signature name, rather than in the time-based order used by the event logs. In later versions, instead of marking such requests as 'Unknown / Learnable Filetype' or something like 'New Entity Discovered: Filetype XYZ', traffic learning marks them as 'Illegal Filetype/URL <url>', which causes undue concern.

Conditions

When Policy Builder is enabled in ASM.

Workaround

None.

Fix Information

Four triage sections were added to the Traffic Learning screen to speed up the traffic learning process:
- Reduce Potential False-positive Alerts: tables for the Top Violations, Top Matched Attack Signatures and Top Violating Meta-Characters.
- Enforcement Readiness.
- Add New Entities.
- Delete Inactive Entities.

Behavior Change