Imperva Cyber Community

Hi all,

While the default severity of this violation ThreatRadar - Comment Spam IPs is high, the default action is none instead of block. Any reason behind for this?

Anyone has tried to change the default action to block? Do you experience quite a lot of false positive hit?

Thanks.
#On-PremisesWAF(formerlySecuresphere)

------------------------------
Ken Chau
IT Manager
Central Hong Kong
------------------------------

Hi,

ThratRadar is a very good tool to enrich the logs.
I know from my experience that blocking IP only from IP lists might generate a lot of false positives.
If you want to block traffic using IP from the TR, you can write your own security policies.
Example - When the IP is on the Spam IPs list and is trying login to the application with bad credentials and is doing it more than 5 times in 10 seconds then block it.
I think it is a good way to use the TR IP list to block traffic but when you are using it with additional criteria.

------------------------------
Karol Gruszczyński
IT Security Expert
Trafford IT
Warsaw
------------------------------

Hi Ken,

The Comment Spam IPs service identifies IP addresses of known comment spammers. This signature is created by Imperva ADC using the information SecureSphere customers community share on the Imperva ThreatRadar cloud, below is the link which will give more details on it,
https://docs.imperva.com/bundle/v13.6-web-application-firewall-user-guide/page/9914.htm

To answer your query, you can go ahead and change the action to block, if the protection is required from spam ip address, if any false positive, you can go ahead and add those ip address in the exception list.

Regards,
Syed Noor Fazal.
Product Support Engineer.
Imperva India.

------------------------------
Syed Noor Fazal
Product Support Engineer
------------------------------