Manual Chapter: Managing Custom Attack Signatures and Signature Sets
Applies To: BIG-IQ Centralized Management 7.1.0
About custom attack signatures
Attack signatures are rules or patterns that identify attacks on a web
application. When Application Security Manager® (ASM) receives a client
request (or a server response), the system compares the request or response against the attack
signatures associated with the security policy. If a matching pattern is detected, ASM™ triggers an attack-signature-detected violation, and either alarms or
blocks the request, based on the enforcement mode of the security policy. An ideal security policy includes only the attack signatures needed to defend the
application. If too many are included, you waste resources on keeping up with signatures that
you do not need. On the other hand, if you do not include enough, you might let an attack
compromise your application without knowing it. If you are in doubt about a certain signature
set, it is a good idea to include it in the policy rather than to omit it.
There are system-supplied signatures and custom (user-defined) signatures.
- System-supplied signatures enforce policies for best-known attacks. F5 Networks provides:
- Over 2,500 signatures to guard against many different types of attacks and protect networking elements such as operating systems, web servers, databases, frameworks, and applications.
- Signatures that include rules of attack that are F5 intellectual property.
- Signatures that you can view but not edit or remove. Also, you cannot view the rules governing these signatures.
- Periodic updates.
- Custom (user-defined) signatures are created by your organization for specific purposes in your environment. These signatures:
- Are added to the attack signatures pool where F5 Networks stores them along with the system-supplied signatures.
- Must adhere to a specific rule syntax (like system-supplied signatures).
- Can be combined with system-supplied signatures or system-supplied sets to create custom signature sets.
- Are never updated by F5 Networks, but are carried forward as-is when the system is updated to a new software version.
In BIG-IQ Web Application Security, you can obtain system-supplied or
custom attack signatures through the device discovery process. These signatures are
automatically deployed to all policies when the system performs a deployment.
Creating custom attack signatures
Custom (user-defined) attack signatures can handle security policy enforcement
unique to your networking environment, emergency situations, or analysis of specific
activity on the network. If your organization needs a custom attack signature, you can
use the BIG-IQ Web Application Security Policy Editor to create
one. You can then assign the new signature to system-supplied or custom attack signature
sets.
- Log in with Administrator, Security Manager, or Web App Security Manager credentials.
- Navigate to the Policy Editor screen: click.
- On the left, click Attack Signatures. The Attack Signatures screen opens and lists all signatures available to the BIG-IQ system. The system lists the system-supplied (factory) signatures in static black text, and lists any custom signatures in blue text. Blue indicates a hyperlink. System-supplied signatures are locked, as indicated by a green padlock icon. Note that you can click anywhere in a row to display the Signature Properties tab and the Documentation tab for the signature.
- At the right of the screen, click Add and use the Attack Signatures - New Item screen to supply the required information. The screen displays a blank template for signature properties.
- On the Signature properties tab, fill in fields and select options to define the new custom signature:
- In the Name field, type a unique name. If you attempt to create a custom signature with the same name as a system-supplied signature, you will receive an error message and the system will not create the signature.
- In the Description field, type an (optional) description.
- From the Signature Type list, select what the signature should examine:
- Request. Use this signature to examine requests only.
- Response. Use this signature to examine responses only.
- For Attack Type, select the threat classification.
- Select the Systems that you want protected by the signature: use the Move button to shift your choices from the Available list to the Enabled list.
- For the Rule setting, type a rule, according to the syntax guidelines, to specify the content of the signature. The rule is the heart of the attack signature. All attack signatures must adhere to the F5 attack signature syntax. Refer to the BIG-IP system documentation on signature options and signature syntax for details.
- For Accuracy, select the level that you want for the signature. The accuracy level indicates the ability of the attack signature to identify the attack, including susceptibility to false-positive alarms. Higher accuracy results in fewer false positives.
- For Risk, select the level of potential damage this attack might cause, if it were successful.
- Low indicates the attack may assist the user in gathering knowledge to perpetrate further attacks, but does not cause direct damage or reveal highly sensitive data.
- Medium indicates the attack may reveal sensitive data, or cause moderate damage.
- High indicates the attack may cause a full system compromise, denial of service, and the like.
- The User-defined field specifies whether the screen displays signatures based on who created them. Currently, it defaults to Yes, indicating that the signature was created by a user. You cannot change the setting.
- When you are finished, click Save to save the new custom attack signature. Clicking Save and Close prompts the system to return to the Attack Signatures screen. Custom signatures appear in blue and are hyperlinks to an edit screen. Click anywhere on the row except the link to display Signature Properties at the bottom of the screen.
The system places the new custom attack signature into the attack signature pool,
and adds it to the signature sets for the systems you specified. The custom signature is
put in staging for all policies that have this signature in their assigned signature
sets. It is a good idea to make sure that the system added the new signature to the
appropriate security policies.
About signature staging
When you first activate a security policy, the system places the attack signatures into
staging (if staging is enabled for the policy).
Staging means that the system applies the attack signatures to the web application traffic, but does not apply the blocking
policy action to requests that trigger those attack signatures. The default staging period is
seven days. Whenever you add or change signatures in assigned sets, those signatures are also placed in
staging. You also have the option of placing updated signatures in staging.
Placing new and updated attack signatures in staging helps to reduce the number of violations
triggered by false-positive matches. When signatures match attack patterns during the staging
period, the system generates learning suggestions. If you see that an attack signature
violation has occurred, you can view and evaluate these attack signatures. After evaluation,
if the signature is a false-positive, you can disable the signature, and the system no longer
applies that signature to traffic for the corresponding web application. Alternately, if the
detected signature match is legitimate, you can enable the corresponding attack signature.
Enabling the signature removes it from staging, and puts the blocking policy into
effect.
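The staging behaviour described above, as an added example that is not part of the F5 documentation: a small model of one policy's signatures in which a staged signature is applied but never blocks, new or changed signatures re-enter staging, enabling a signature takes it out of staging, and disabling it stops it being applied. The 7-day default is from the page; the state layout, names and the "transparent" mode label are assumptions.

```python
"""Signature staging decision model (added example, not F5 code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

STAGING_PERIOD = timedelta(days=7)   # default staging period stated on the page


@dataclass
class StagedSignature:
    name: str
    enabled: bool = True
    staged_since: Optional[date] = None   # None = enforced (not in staging)


@dataclass
class Policy:
    enforcement_mode: str                 # "blocking" or "transparent" (assumed labels)
    staging_enabled: bool = True
    signatures: dict = field(default_factory=dict)   # name -> StagedSignature


def activate_policy(policy, today):
    """First activation: every assigned signature goes into staging, if staging is enabled."""
    if policy.staging_enabled:
        for sig in policy.signatures.values():
            sig.staged_since = today


def add_or_change_signature(policy, sig, today):
    """Adding or changing a signature in an assigned set places it in staging again."""
    if policy.staging_enabled:
        sig.staged_since = today
    policy.signatures[sig.name] = sig


def enable_signature(policy, name):
    """Match judged legitimate: the signature leaves staging and blocking takes effect."""
    policy.signatures[name].staged_since = None
    policy.signatures[name].enabled = True


def disable_signature(policy, name):
    """Match judged a false positive: the signature is no longer applied to traffic."""
    policy.signatures[name].enabled = False


def days_left_in_staging(sig, today):
    """Whole days remaining in the default staging window (0 when not staged)."""
    if sig.staged_since is None:
        return 0
    return max(0, (sig.staged_since + STAGING_PERIOD - today).days)


def action_on_match(policy, name):
    """What happens to a request that matches signature `name` under this policy."""
    sig = policy.signatures[name]
    if not sig.enabled:
        return "not-applied"
    if sig.staged_since is not None:
        return "alarm+learning-suggestion"      # staging: applied, but never blocks
    return "block" if policy.enforcement_mode == "blocking" else "alarm"


if __name__ == "__main__":
    p = Policy("blocking", signatures={"sig_a": StagedSignature("sig_a")})
    activate_policy(p, date(2020, 1, 1))
    print("staged:", action_on_match(p, "sig_a"))
    enable_signature(p, "sig_a")
    print("enforced:", action_on_match(p, "sig_a"))
```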
About custom attack signature sets
An Attack signature set is a group of attack signatures. Rather than applying
individual attack signatures to a security policy, you can apply one or more attack signature
sets. The Application Security Manager™ ships with several system-supplied
signature sets. Each security policy has its own attack signature set assignments. By default, a generic
signature set is assigned to new security policies. You can assign additional signature sets
to the security policy. Sets are named logically so you can tell which ones to choose.
Additionally, you can combine custom attack signatures with system-supplied signatures or
system-supplied sets to create custom signature sets.
An ideal security policy includes only the attack signature sets needed to defend the
application. If too many are included, you waste resources on keeping up with signatures that
you do not need. On the other hand, if you do not include enough, you might let an attack
compromise your application without knowing it. If you are in doubt about a certain signature
set, it is a good idea to include it in the policy rather than to omit it.
In Web Application Security, you can obtain system-supplied or custom attack signature sets
through the device discovery process. You can assign these sets to security policies. Then,
you can deploy those policies to BIG-IP devices.
Add custom attack signature sets
You can use the Web Application Security policy editor to add custom (user-defined) attack signature sets. Like
system-supplied signature sets, custom signature sets contain signatures
from the signature pool. Once you create a custom signature set, you can apply it to the
security policy to protect web applications against known attacks.
- Log in with Administrator, Security Manager, or Web App Security Manager credentials.
- At the top left of the screen, select Web Application Security from the BIG-IQ menu. The Web Application Security Policy Editor screen opens.
- On the left, click SIGNATURE SETS. The default, system-supplied signature sets are displayed on the Signature Sets screen, along with any user-defined sets. By default, the system lists signature sets in alphabetical order by name.
- Click Add and use the Signature Sets - New Item screen to supply the required information.
- On the Properties tab, type a unique name for the signature set.
- From the Type list, select how to create the signature set.
- Select Filter-based to create a signature set by using a filter only.
- Select Manual to manually assign signatures to a signature set.
Selecting Manual causes the Signatures Filter tab to be hidden, since it will not be used, and changes the fields displayed on the Signatures tab. You can create or edit a signature set by configuring a filter to select from the signature pool signatures that meet specific criteria. Using a filter enables you to focus on the criteria that define the signatures you are interested in. When you update the signatures database, the system also updates any signature sets affected by the update.
- For Default Blocking Actions, select the blocking actions you want the system to enforce for the set when you associate it with a new security policy. The Learn, Alarm, and Block actions take effect only when you assign this set to a new security policy. If this set is already assigned to an existing security policy, these settings have no effect.
- If you want the system to automatically include this set in any newly-created security policies, enable the Assign to Policy by Default setting.
- Click the Signatures Filter tab, and select the filter options to narrow the scope of the signatures to include in the new signature set. This tab is only displayed when the signature set type is set to Filter-based.
- Select a Signature Type to include the type of signatures the system displays.
- All traffic is the default.
- Request only. Signatures that are configured to inspect the client request.
- Response only. Signatures that are configured to inspect the server response.
- From the Attack Type list, specify the threat classifications for which to include signatures in the set.
- Select All for signatures with all Attack Type values, which is the default.
- Select an attack type for signatures configured to protect against that specific attack type.
- From the Systems lists, specify the systems (for example web applications, web server databases, and application frameworks) that you want protected by the set.
- From the Accuracy list, select the accuracy association.
- All specifies signatures that match all accuracy levels, which is the default.
- Equals specifies signatures whose accuracy levels exactly match the accuracy level you set.
- Greater Than/Equal To specifies signatures whose accuracy levels are more precise than, or the same as, the accuracy level you set.
- Less Than/Equal To specifies signatures whose accuracy levels are less precise than, or the same as, the accuracy level you set.
- From the resulting list, select the accuracy level.
- Low indicates a high likelihood of false positives.
- Medium indicates some likelihood of false positives.
- High indicates a low likelihood of false positives.
- From the Risk list, select the risk association.
- All specifies signatures that protect against attacks of all risk levels, which is the default.
- Equals specifies signatures whose risk levels exactly match the risk level you set.
- Greater Than/Equal To specifies signatures whose risk levels are higher than, or the same as, the risk level you set.
- Less Than/Equal To specifies signatures whose risk levels are lower than, or the same as, the risk level you set.
- From the resulting list, select the risk level; the level of potential damage for attacks protected by the signatures in the set.
- Low indicates the attack may assist the user in gathering knowledge to perpetrate further attacks, but does not cause direct damage or reveal highly sensitive data.
- Medium indicates the attack may reveal sensitive data, or cause moderate damage.
- High indicates the attack may cause a full system compromise, denial of service, and the like.
- For User-defined, specify whether to include signatures based on who created them: the user (Yes), the system (No), or both (All).
- For Update Date, specify whether to include signatures regardless of when they were last changed (All), only signatures changed before a date you specify (Before), or only signatures changed after a date you specify (After). If specifying Before or After, use the calendar icon to specify the date.
- Click the Signatures tab. The Signatures tab appears differently depending on whether the signature set is user-defined (also called custom) or system-supplied (also called a factory signature set), and if user-defined, then whether Type on the Properties tab is set to Filter-based or Manual.
- If the signature set is system-supplied, the Signatures tab lists the signatures selected for the signature set.
- If the signature set is user-defined and Type is set to Filter-based, the Signatures tab lists the signatures selected using the criteria set by the Signature Filters tab. The list content changes dynamically based on changes to the Signature Filters tab.
- If the signature set is user-defined and Type is set to Manual, the Signatures tab lists a selectable list of signatures. If you want to view only a subset of the signatures, click Signatures Advanced Filter at the top of the Signatures tab to filter the signatures shown.
- In the Included Policies tab, view the policies (if any) that enforce this signature set. Each security policy enforces one or more signature sets. The decision about which signature sets to include occurs when creating a security policy. You can assign additional signature sets to the security policy.
- When you are finished, click Save to save the new custom attack signature set. Clicking Save and Close prompts the system to return to the Signature Sets screen and display the new set. Sets are listed in alphabetical order; custom sets appear in blue.
The new signature set is added to the
list of signature sets that are available on the system, and is available to be applied
when creating new security policies. If, in the future, you no longer need a custom
signature set, you can delete it. Note that when you delete a custom signature set, you
are deleting the set; you are not deleting the signatures that made up the set.
Edit custom attack signature sets
You can use the Web Application
Security policy editor to edit custom attack signature sets. Once you edit a custom
signature set, you can apply it to the security policy to protect your web applications
in ways that are unique to your needs.
- Log in with Administrator, Security Manager, or Web App Security Manager credentials.
- At the top left of the screen, select Web Application Security from the BIG-IQ menu. The Web Application Security Policy Editor screen opens.
- On the left, click Signature Sets. The system displays the default, system-supplied signature sets, along with any user-defined sets. By default, the system lists signature sets in alphabetical order by name.
- Click the name of the signature set that you want to change and use the Signature Sets screen to modify the settings.
- On the Properties tab, revise the settings for this custom attack signature set, as needed. Note that Name and Category are not editable fields.
- From the Type list, you can modify how to create the signature set.
- Select Filter-based to create a signature set by using a filter only.
- Select Manual to manually assign signatures to a signature set.
Selecting Manual causes the Signatures Filter tab to be hidden, since it will not be used, and changes the fields displayed on the Signatures tab. You can create or edit a signature set by configuring a filter to select from the signature pool signatures that meet specific criteria. Using a filter enables you to focus on the criteria that define the signatures you are interested in. When you update the signatures database, the system also updates any signature sets affected by the update.
- For Default Blocking Actions, select the blocking actions you want the system to enforce for the set when you associate it with a new security policy. The Learn, Alarm, and Block actions take effect only when you assign this set to a new security policy. If this set is already assigned to an existing security policy, these settings have no effect.
- If you want the system to automatically include this set in any newly-created security policies, enable the Assign to Policy by Default setting.
- Click the Signatures Filter tab, and select the filter options to narrow the scope of the signatures to include in the signature set. This tab is only displayed when the signature set type is set to Filter-based.
- Select a Signature Type to include the type of signatures the system displays.
- All traffic is the default.
- Requests only. Include signatures that are configured to inspect the client request.
- Responses only. Include signatures that are configured to inspect the server response.
- From the Attack Type list, specify the threat classifications for which to include signatures in the set.
- Select All for signatures with all Attack Type values, which is the default.
- Select an attack type for signatures configured to protect against that specific attack type.
- From the Systems lists, specify the systems (for example web applications, web server databases, and application frameworks) that you want protected by the set.
- From the Accuracy list, select the accuracy association.
- All specifies signatures that match all accuracy levels, which is the default.
- Equals specifies signatures whose accuracy levels exactly match the accuracy level you set.
- Greater Than/Equal To specifies signatures whose accuracy levels are more precise than, or the same as, the accuracy level you set.
- Less Than/Equal To specifies signatures whose accuracy levels are less precise than, or the same as, the accuracy level you set.
- From the resulting list, select the accuracy level.
- Low indicates a high likelihood of false positives.
- Medium indicates some likelihood of false positives.
- High indicates a low likelihood of false positives.
- From the Risk list, select the risk association.
- All specifies signatures that protect against attacks of all risk levels, which is the default.
- Equals specifies signatures whose risk levels exactly match the risk level you set.
- Greater Than/Equal To specifies signatures whose risk levels are higher than, or the same as, the risk level you set.
- Less Than/Equal To specifies signatures whose risk levels are lower than, or the same as, the risk level you set.
- From the resulting list, select the risk level; the level of potential damage for attacks protected by the signatures in the set.
- Low indicates the attack may assist the user in gathering knowledge to perpetrate further attacks, but does not cause direct damage or reveal highly sensitive data.
- Medium indicates the attack may reveal sensitive data, or cause moderate damage.
- High indicates the attack may cause a full system compromise, denial of service, and the like.
- For User-defined, specify whether to include signatures based on who created them: the user (Yes), the system (No), or both (All).
- For Update Date, specify whether to include signatures regardless of when they were last changed (All), only signatures changed before a date you specify (Before), or only signatures changed after a date you specify (After). If specifying Before or After, use the calendar icon to specify the date.
- Click the Signatures tab. The Signatures tab appears differently depending on whether the signature set is user-defined (also called custom) or system-supplied (also called a factory signature set), and if user-defined, then whether Type on the Properties tab is set to Filter-based or Manual.
- If the signature set is system-supplied, the Signatures tab lists the signatures selected for the signature set.
- If the signature set is user-defined and Type is set to Filter-based, the Signatures tab lists the signatures selected using the criteria set by the Signature Filters tab. The list content changes dynamically based on changes to the Signature Filters tab.
- If the signature set is user-defined and Type is set to Manual, the Signatures tab lists a selectable list of signatures. If you want to view only a subset of the signatures, click Signatures Advanced Filter at the top of the Signatures tab to filter the signatures shown.
- Click the Included Policies tab, and view the policies (if any) that enforce this signature set. Each security policy enforces one or more signature sets. The decision about which signature sets to include occurs when creating a security policy. You can assign additional signature sets to the security policy.
- When you are finished, click Save to save the edited custom attack signature set. Clicking Save and Close prompts the system to return to the Signature Sets screen and display the updated set. The system lists sets in alphabetical order; custom sets appear in blue.
The edited signature set is available
for application when creating new security policies. If, in the future, you no longer
need a custom signature set, you can delete it. Note that when you delete a custom
signature set, you are deleting the set; you are not deleting the signatures that made
up the set.
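The filter semantics that the Add and Edit procedures above describe for a Filter-based set (Signature Type, Attack Type, Systems, the Equals / Greater Than/Equal To / Less Than/Equal To comparators over Low, Medium and High for Accuracy and Risk, User-defined, and Update Date), worked through as an added example that is not F5 code. The in-memory pool, the field names and the rule that an empty Systems selection means "every system" are constructed assumptions; recomputing the set from the pool after a signature update mirrors the page's note that filter-based sets follow the pool.

```python
"""Filter-based signature set built from a signature pool (added example, not F5 code)."""
from dataclasses import dataclass
from datetime import date

LEVELS = {"low": 0, "medium": 1, "high": 2}   # Low < Medium < High for both Accuracy and Risk


@dataclass(frozen=True)
class Signature:
    name: str
    sig_type: str          # "request" or "response"
    attack_type: str
    systems: frozenset     # systems the signature protects
    accuracy: str          # "low" | "medium" | "high"
    risk: str              # "low" | "medium" | "high"
    user_defined: bool     # True = custom, False = system-supplied
    updated: date          # date the signature was last changed


@dataclass
class SignatureFilter:
    """One value per Signatures Filter control; "all" means the control does not narrow."""
    signature_type: str = "all"            # all | request | response
    attack_type: str = "all"               # all | one attack type
    systems: frozenset = frozenset()       # empty = every system (assumption)
    accuracy: tuple = ("all", None)        # (all | equals | gte | lte, level)
    risk: tuple = ("all", None)            # (all | equals | gte | lte, level)
    user_defined: str = "all"              # all | yes | no
    update_date: tuple = ("all", None)     # (all | before | after, date)


def _level_ok(op, wanted, actual):
    if op == "all":
        return True
    a, w = LEVELS[actual], LEVELS[wanted]
    return {"equals": a == w, "gte": a >= w, "lte": a <= w}[op]


def _date_ok(op, cutoff, updated):
    if op == "all":
        return True
    return updated < cutoff if op == "before" else updated > cutoff


def matches(sig, f):
    """True when the signature satisfies every control of the filter."""
    return (
        f.signature_type in ("all", sig.sig_type)
        and f.attack_type in ("all", sig.attack_type)
        and (not f.systems or bool(f.systems & sig.systems))
        and _level_ok(f.accuracy[0], f.accuracy[1], sig.accuracy)
        and _level_ok(f.risk[0], f.risk[1], sig.risk)
        and (f.user_defined == "all" or (f.user_defined == "yes") == sig.user_defined)
        and _date_ok(f.update_date[0], f.update_date[1], sig.updated)
    )


def build_set(pool, f):
    """Members of a filter-based set; call again whenever the pool changes."""
    return sorted(s.name for s in pool if matches(s, f))


# Constructed sample pool (names, attack types and dates are made up for the example).
POOL = [
    Signature("sys_sqli_union", "request", "sql-injection", frozenset({"mysql", "php"}),
              "high", "high", False, date(2020, 3, 1)),
    Signature("sys_xss_reflect", "request", "xss", frozenset({"php"}),
              "medium", "medium", False, date(2019, 11, 15)),
    Signature("sys_response_leak", "response", "info-leak", frozenset({"apache"}),
              "low", "low", False, date(2020, 5, 20)),
    Signature("custom_sqli_probe", "request", "sql-injection", frozenset({"mysql"}),
              "high", "high", True, date(2020, 6, 1)),
]

if __name__ == "__main__":
    mysql_requests = SignatureFilter(signature_type="request",
                                     systems=frozenset({"mysql"}),
                                     accuracy=("gte", "medium"))
    print(build_set(POOL, mysql_requests))
```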
Signatures advanced filter properties
The Signatures Advanced Filter option and properties are only available on the Signatures tab when the signature set type is manual.

| Signatures Advanced Filter Property | Description |
|---|---|
| Signature Type | Specifies what type of signatures to include in the signature set. |
| Signature Scope | Specifies whether the system displays all signatures, or only those that do, or do not, apply to parameters, cookies, XML documents, JSON data, GWT data, headers, URI content, and request or response content. |
| Attack Type | Specifies which attack type should be included in the set. Select All to include all attack types. |
| Systems | Specifies the systems (for example web applications, web server databases, and application frameworks) that you want protected by the set. |
| Accuracy | Specifies the accuracy level of the signature. Higher accuracy results in fewer false positives. |
| Risk | Specifies the level of potential damage that the signature protects against. |
| User-defined | Specifies whether to include attack signatures based on who created them. |
| Update Date | Specifies whether to include signatures in the set based on when the signature was last updated or added. |
| Signatures | Specifies the signatures that should be included in the signature set. The available signatures list displayed changes based on the Signatures Advanced Filter settings. You can use the Filter field above the Available list to search for particular signatures. Add signatures to the signature list by moving them from the Available list to the Selected list. |
Assign custom attack signature sets
You use the Web Application
Security policy editor to assign a custom attack signature set to a policy.
Each security policy enforces one or more attack signature sets. You can assign
additional attack signature sets to the security policy.
- Log in with Administrator, Security Manager, or Web App Security Manager credentials.
- Navigate to the Policy Editor screen: click, select a policy name, and from the Policy objects list, select Attack Signatures Configuration.
- Click Edit. The policy is placed under administrative lock and fields become editable.
- From the Attack Signature Set Assignment list, select attack signature sets to assign to the policy. Any newly-created custom signature sets appear in the list.
- When you are finished, click Save to save the new assignment and unlock the policy.
The system assigns the signature sets
to the security policy, and the blocking policy applies to all of the signatures in the
signature set. Any changes made subsequently are put into effect in the working
configuration of the BIG-IQ Centralized Management system.