Understanding ignore actions

Details about how data is handled when using ignore actions in policy rules.

Ignore session
The current request and the remainder of the session will be ignored. This action does not log a policy violation, but it stops the logging of constructs and will not test for policy violations of any type for the remainder of the session. This action might be useful if, for example, the database includes a test region, and there is no need to apply policy rules against that region of the database.
Table 1. Ignore session
Data logged or ignored between client and DB Server/S-TAP® Data sent from DB Server/S-TAP to Collector Data from Span Port/ Network TAP to Collector

Ignore - SQL commands, SQL errors, Result Sets

Log in/ Log out

Sniffer to S-TAP - One signal to S-TAP to stop sending activity for this session. If additional activity is sent by S-TAP, it is ignored at the sniffer level only.

Ignore SQL commands

Ignore SQL errors

Ignore Result Sets

Ignore – SQL commands, SQL errors, Result Sets.

SQL commands and errors coming from a Span Port or Network TAP are filtered at the Sniffer.

Ignore S-TAP session
The current request and the remainder of the S-TAP session will be ignored. This action is done in combination with specifying in the policy builder menu screen of certain machines, users or applications that are producing a high volume of network traffic. This action is useful in cases where you know the database response from the S-TAP session will be of no interest.
Table 2. Ignore S-TAP session
Data logged or ignored between client and DB Server/S-TAP Data sent from DB Server/S-TAP to Collector Data from Span Port/ Network TAP to Collector

Ignore - SQL commands, SQL errors, Result Sets

Log in/ Log out  Sniffer to S-TAP - One signal to S-TAP to stop sending activity for this session. Additional signals to S-TAP to stop sending activity to this session.

 

Not Applicable

If there is a need to ignore traffic from a Span Port/ Network TAP, use Ignore session instead.

Ignore responses per session
Responses for the remainder of the session will be ignored. This action does not log a policy violation, but it stops analyzing responses for the remainder of the session. This action is useful in cases where you know the database response will be of no interest.
Note: For ignore response per session, since the sniffer does not receive any response for the query or it is ignored, then the values for COUNT_FAILED and SUCCESS are whatever the default for the table says they are, in this case COUNT_FAILED=0 and SUCCESS=1.
Table 3. Ignore responses per session
Data logged or ignored between client and DB Server/S-TAP Data sent from DB Server/S-TAP to Collector Data from Span Port/ Network TAP to Collector

Log – SQL commands  Ignore - SQL errors, Result Sets

Log in/ Log out  SQL Commands  Sniffer to S-TAP - One signal to S-TAP to stop sending activity for this session. Additional signals to S-TAP to stop sending activity to this session.

Not applicable

This rule action is S-TAP-only implementations.

Ignore SQL per session
No SQL will be logged for the remainder of the session. Exceptions will continue to be logged, but the system may not capture the SQL strings that correspond to the exceptions.
Table 4. Ignore SQL per session
Data logged or ignored between client and DB Server/S-TAP Data sent from DB Server/S-TAP to Collector Data from Span Port/ Network TAP to Collector

Ignore - SQL commands

Log - SQL errors, Result Sets

Log in/ Log out

Sniffer to S-TAP - One signal to S-TAP to stop sending activity for this session. If additional activity is sent by S-TAP, it is ignored at the sniffer level only.

SQL commands

SQL errors

Result Sets, if using extrusion rules.

Ignore – SQL commands

Log - SQL errors, Result Sets

SQL commands are filtered at the Sniffer.

Selective Audit Trail
Use a Selective Audit Trail policy to limit the amount of logging on the appliance. This is appropriate when the traffic of interest is a relatively small percentage of the traffic being accepted by the inspection engines, or when all of the traffic you might ever want to report upon can be completely identified.

It is important to note that Ignore Session rules are still very important to include in the policy even if using a Selective Audit Trail. Ignore Session rules decrease the load on a collector considerably because by filtering the information at the S-TAP level, the collector never receives it and does not have to consume resources analyzing traffic that will not ultimately be logged. A Selective Audit Trail policy with no Ignore Session rules would mean that all traffic would be sent from the database server to the collector, causing the collector to analyze every command and result set generated by the database server.

Table 5. Selective Audit Trail
Data logged or ignored between client and DB Server/S-TAP Data sent from DB Server/S-TAP to Collector Data from Span Port/ Network TAP to Collector

Ignore - SQL commands

Log - SQL errors, Result Sets

Log in/ Log out

Ignore SQL commands, except for those defined by Audit-Only or Log Full Details rules.

Log SQL errors

Log Result Sets, if using extrusion rules

Ignore – SQL commands

Log - SQL errors, Result Sets

SQL commands are filtered at the Sniffer.