Manual Chapter :
Writing Custom Attack Signatures
Applies To:
Show Versions
BIG-IP ASM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Writing Custom Attack Signatures
About custom attack signatures
Custom attack signatures
are those that your organization creates and adds to the
attack signature pool. Custom attack signatures must adhere to a specific rule syntax. They are
never updated by F5 Networks. All user-defined signatures are carried forward as-is when the
system is updated to a new software version.You can develop custom attack signatures, if needed, for specific purposes in your environment.
The signatures that you define are stored in the attack signatures pool along with the
system-supplied signatures. You can also export and import custom signatures to and from other Application Security Manager systems.
Developing custom attack signatures is an advanced feature only needed in
specific cases.
Creating a custom
attack signature
Custom attack signatures can handle security
policy enforcement unique to your networking environment, emergency situations, or
analysis of specific activity on the network. If your organization has a need for a
custom attack signature, you can create one using the F5 attack signature syntax.
- On the Main tab, click .The Attack Signature List screen opens.
- ClickCreate.The Create New Attack Signature screen opens.
- In theNamefield, type a unique name for the attack signature.If you attempt to create a customized attack signature with the same name as a system-supplied attack signature, you will receive an error and the attack signature will not be created.
- In theDescriptionfield, type an optional description of the signature.
- For theSignature Typesetting, selectRequestorResponseto determine whether the new signature applies to client requests or server responses.
- For theSystemssetting, select from theAvailable Systemslist any systems to which the new signature applies, and move them to theAssigned Systemslist.
- For theAttack Typesetting, select the type of threat that the new signature protects against.
- For theRulesetting, type a rule according to the syntax guidelines to specify the content of the signature.The rule is the heart of the attack signature. Refer to theSignature OptionsandSignature Syntaxsections for details. Refer toBot signature syntaxfor special limitations when writing bot signatures.
- For theAccuracysetting, select an accuracy level.The accuracy level indicates the ability of the attack signature to identify the attack, including susceptibility to false-positive alarms.
- For theRisksetting, select a risk level.The risk level indicates the level of potential damage this attack may cause, if it were successful.
- ClickCreateto create the new attack signature.
The new attack signature is placed into the attack signature pool and is added to the
signature sets for the systems you specified. The custom signature is put in staging for
all policies that have this signature in their assigned signature sets. It is a good
idea to make sure that the new signature was added to the appropriate security policies.
Attack signature example: Protecting the management interface
This example describes an attack signature that blocks attempts to access the management
interface, which is located at
http://example.com/manage/
. The web server
is IIS, and the signature ignores URL case, treating manage
the same as
MaNAGE
.The following example attack signature examines the URL part (without the query string) and is
not case sensitive. The signature does not need to use a regular expression, because it needs
to match only one pattern (
manage
):
This signature can detect URLs that containuricontent:"/manage/"; nocase; objonly;
/manage/
(the
nocase
modifier causes it to be case insensitive so that it also
catches /mAnage/
, for example). The signature catches, for example:
http://example.com/portal/manage/panel/index.php
.This signature also catches a request that contains:
http://example.com/manage/admin.php
It does not catch:
In the example,http://example.com/admin.php?a=%2Fmanage%2F
%2f
is URL-encoded in place of /
because the
query string part cannot include an explicit forward slash.Attack signature example: Protecting against cross-site scripting
This example describes an attack signature that blocks a cross-site scripting attempt that use
HTML events such as
onmousemove
, onmousedown
,
onmouseup
and other similar events within a parameter. HTML is not case sensitive, so the signature should not distinguish between uppercase and
lowercase. That way, the browser treats the
onMousemOve
event the same
as onmousemove
.This example signature is not case sensitive and looks inside a parameter. The signature also
uses a regular expression for these reasons:
- To support several events in a single signature
- To ignore special characters such as the space (the browser normalizes several spaces into a single space)
- To match a certain pattern:"[event_name] ="(for example, to reduce false positives, so the single wordonmousemoveorblablaonmousemovedoes not match the signature)
The
signature has two parts:
- The constant keyword that matches the wordonmouse(not case sensitive)
- A regular expression that matches several events (separated by a vertical bar |), ignores non-word characters (\W*), and matches a certain pattern (\bfor word boundary and=for[event_name] =pattern)
valuecontent:"onmouse"; nocase; norm; re2:"/\bonmouse(?:move|down|up|out|over|enter|leave|wheel) \\W*=/Vsi"; norm;
The example signature would catch:
After parameterhttp://example.com/index.php?a=onmousedown%3D%22alert(document.cookie)%22
a
is URL-decoded, you can see
onmousedown="alert(document.cookie)"
. The same signature would also
catch requests where this expression is located in the request body, for instance: POST /index.php HTTP/1.1 Host: example.com a=onmousedown%3D%22alert(document.cookie)%22
The example signature would not catch:
since it is located in the URI part of the request, and not in the query string part.http://example.com/onmousedown%3d/
Exporting custom attack signatures
You can export all custom attack signatures from one Application
Security Manager™ system for use on another system. Both systems must be running
the same software version. This is useful if you need to use the same user-defined
attack signatures on multiple systems, or if you want to use a custom signature to
develop another one on a different system.
- On the Main tab, click .The Attack Signature List screen opens.
- ClickExport.The web browser opens a file download screen.
- Save the file in a convenient location.Application Security Manager uses a file name with this format:sigfile_<date>_<time>.xml
The system exports all custom attack signatures to the XML file.
Importing custom attack signatures
Before you can import custom signatures to an Application Security
Manager™ (ASM) system, they must first have been exported from a different
system in XML file format.
You can import custom attack signatures that you want to use from other ASM™ systems. Both systems must be running the same software
version.
- On the Main tab, click .The Attack Signature List screen opens.
- ClickImport.The Import Attack Signatures screen opens.
- In theChoose Filefield, specify the path to the XML file that contains the exported custom attack signature.
- ClickImport.
The system imports the custom signature, and issues either a success message or a
failure message. If the import was not successful, make any required changes to the XML
file, and then try to import the file again. Successfully imported signatures are placed
into the attack signature pool, and added to the signature sets for the systems you
specified.
After the import, the system puts updated signatures into staging for the
Enforcement Readiness Period (specified in Policy properties). Custom signatures are
put into staging for all policies that have this signature in their assigned
signature sets. It is a good idea to make sure that the new signature was added to
the appropriate security policies.
About attack signatures in XML format
The XML file format is the only accepted import format for attack signatures. Following is an
example of the XML format used when saving user-defined attack signatures for import onto another
system.
<?xml version="1.0" encoding="utf-8"?> <signatures export_version="11.X.X"> <sig id="300000000"> <rev num="1"> <sig_name>Unique signature name</sig_name> <rule>msg:"Signature Name"; content:"soda";</rule> <last_update>2011-04-15 13:37:17</last_update> <apply_to>Request</apply_to> <risk>3</risk> <accuracy>2</accuracy> <doc>Any additional descriptive text</doc>f <attack_type>Cross Site Scripting (XSS)</attack_type> <systems> <system_name>IIS</system_name> <system_name>Microsoft Windows</system_name> </systems> </rev> </sig> </signatures>
The
sig_name
attribute uniquely identifies a user-defined
attack signature. Therefore, when you import an attack signature XML file, if there are any
signatures in the XML file whose sig_name
attribute matches that of any existing
user-defined signatures, the system overwrites the existing definition with the imported
definition.
