101 · Question #258
Which of the following violations cannot be learned by Traffic Learning?
The correct answer is A. RFC violations. RFC violations represent absolute failures of the HTTP protocol specification and can never be treated as legitimate traffic, so Traffic Learning cannot learn to permit them.
Question
Which of the following violations cannot be learned by Traffic Learning?
Options
- ARFC violations
- BFile type length violations
- CAttack signature violations
- DMeta character violations on a specific parameter.
How the community answered
(43 responses)- A79% (34)
- B12% (5)
- C2% (1)
- D7% (3)
Why each option
RFC violations represent absolute failures of the HTTP protocol specification and can never be treated as legitimate traffic, so Traffic Learning cannot learn to permit them.
RFC violations indicate that a request fundamentally breaks the HTTP protocol standard - for example, a malformed request line or illegal header format. Because these violations are never valid by definition, Traffic Learning has no mechanism to suggest accepting them; the system is designed to learn legitimate application patterns, and RFC-violating requests fall entirely outside that scope.
File type length violations can be learned because Traffic Learning can observe that a legitimate file type regularly appears with a longer URL and suggest raising the allowed length limit.
Attack signature violations can be learned when Traffic Learning identifies a signature firing as a false positive on a specific parameter and suggests disabling that signature for the affected entity.
Meta character violations on a specific parameter can be learned because Traffic Learning can detect that a parameter legitimately contains special characters and suggest adding those characters to the parameter's allowed meta character set.
Concept tested: BIG-IP ASM Traffic Learning RFC violation exclusion
Source: https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations/using-learning-to-build-a-security-policy.html
Topics
Community Discussion
No community discussion yet for this question.