I've been testing a new server and just noticed that if I manually remove an IP from the Blacklist after having intentionally triggered the WAF, it won't flag the incident from the same IP when I try it again.
So far I've tried this from two different hosts. Once manually removed from the Blacklist, ASL will not block the IP again. If I try the same offence from a completely new IP, it records and blocks it immediately.
Is this by design or a flaw?
ASL version: 4.0.16-21
Webserver: Apache 2.4
DB: MariaDB 10.1.9
OS: CentOS 7.1
Edit: Please disregard. I feel like an idiot. I have Varnish running on port 80, so after the first attempt every other attempt was served by Varnish instead of going to the backend (Apache / ASL). I only discovered this when I, by chance, cleared Varnish this morning to test things a second time around.
Sorry guys.