Imperva Cyber Community

  • 1.  Signature matched/not-matched

    Posted 01-15-2021 05:47
    Hello,

    I created and applied a signature, and it was working great. Audit policies were capturing data as expected.
    I noted that on one specific day, the specific signature was not captured globally, meaning in 3 active Audit Policies.
    The next day it was captured okay, without any changes made.

    Any ideas why it may happen?

    Best,
    #DatabaseActivityMonitoring

    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------


  • 2.  RE: Signature matched/not-matched

    Posted 01-26-2021 14:20
    Sabajete,
    Is it possible you were exceeding the load on the gateway and these events may not have been processed?

    ------------------------------
    Paul Hammons
    Imperva Senior Sales Engineer
    Cape Coral, Florida
    ------------------------------



  • 3.  RE: Signature matched/not-matched

     
    Posted 01-27-2021 22:06
    Edited by CJ Kuo 01-27-2021 22:07
    We have a case where audit will take precedence over the alarm in the case of gateway overload.
    Or is the signature match timed out?

    ------------------------------
    CJ Kuo
    Ciphertech
    Taipei
    ------------------------------



  • 4.  RE: Signature matched/not-matched

    Posted 02-01-2021 13:03
    CJ,
    Without further technical details, it would be difficult to speculate on which function was involved during the overload. This would require a ticket with support and a log analysis to determine the specifics. There are a few different avenues by which we protect and prioritize data, depending on when the overload is occurring and why.

    ------------------------------
    Paul Hammons
    Imperva Senior Sales Engineer
    Cape Coral, Florida
    ------------------------------



  • 5.  RE: Signature matched/not-matched

    Posted 02-03-2021 11:42
    Hello @Paul Hammons, is it possible that one signature can be found in the parsed query, but not in the query?

    I believe this was the issue because I had changed the signature from match: Query and Parsed Query, to only match: Query.
    Also, there was a gateway overload, but the overload happened one day before the missing audit. Is it possible the Gateway can maintain a state in which certain signatures are not audited after an overload?

    @CJ Kuo I am curious to see how you have implemented the audit taking precedence over the alarm in the case of gateway overload.

    Best,

    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------