Imperva Cyber Community


Signature matched/not-matched

  • 1.  Signature matched/not-matched

    CHAMPION
    Posted 01-15-2021 05:47
    Hello,

    I created and applied a signature, and it was working great. Audit policies were capturing data as expected.
    I noted that on one specific day, the specific signature was not captured globally, meaning in 3 active Audit Policies.
    The next day it was captured okay, without changes made.

    Any ideas why it may happen?

    Best,
    #DatabaseActivityMonitoring

    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------


  • 2.  RE: Signature matched/not-matched

    Imperva Employee
    Posted 01-26-2021 14:20
    Sabajete,
    Is it possible you were exceeding the load on the gateway and these events may not have been processed?

    ------------------------------
    Paul Hammons
    Imperva Senior Sales Engineer
    Cape Coral, Florida
    ------------------------------



  • 3.  RE: Signature matched/not-matched

    Posted 30 days ago
    We have a case where audit will take precedence over the alarm in the case of gateway overload.
    Or is the signature match timed out?

    ------------------------------
    CJ Kuo
    Ciphertech
    Taipei
    ------------------------------



  • 4.  RE: Signature matched/not-matched

    Imperva Employee
    Posted 25 days ago
    CJ,
    Without further technical details, it would be difficult to speculate on which function was involved during the overload. This would require a ticket with support and a log analysis to determine the specifics. There are a few different avenues that we protect and prioritize data, depending on when the overload is occurring and why.

    ------------------------------
    Paul Hammons
    Imperva Senior Sales Engineer
    Cape Coral, Florida
    ------------------------------



  • 5.  RE: Signature matched/not-matched

    CHAMPION
    Posted 23 days ago
    Hello @Paul Hammons, is it possible one signature can be found in parsed query, but not in query?

    I believe this was the issue because I had changed the signature from match: Query and Parsed Query, to only match: Query.
    Also, it was a gateway overload but the overload happened one day before the missing audit. Is it possible the Gateway can maintain a state when certain signatures are not audited after overload?

    @CJ Kuo I am curious to see how you have implemented the audit to take precedence over the alarm in the case of gateway overload.

    Best,

    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------