Manual Chapter : Updating Attack and Bot Signatures

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 15.0.0, 14.1.0
Manual Chapter

Updating Attack and Bot Signatures

Overview: Updating the signature pools

The system includes an attack signature pool and a bot signature pool. These pools include the system-supplied attack signatures and bot signatures, which are shipped with the Application Security Manager, and any user-defined signatures. You can update both pools using the Live Update feature.

F5 develops new signatures to recognize the latest attacks and bots, and you can schedule periodic security updates to the signature pools, or perform manual updates. You can also have the system send you an email when a security update is available.

Updating signatures

Before you can update the signature pools (attack signatures and bot signatures), you must have a valid service agreement with F5 Networks, and a service check date within 7 days of the update request. The Application Security Manager (ASM) must also have external network access for the automatic update process to work.

For additional information regarding licensing requirements, allowing signature file updates through a firewall, and configuring signature file updates through an HTTPS proxy, refer to Solution 8217 in the AskF5 knowledge base (https://support.f5.com/).

You can choose when to update signature pools so that you always have the current security updates. Having an updated set of system-supplied attack signatures and bot signatures provides protection from the latest threats.
Update Description
Disabled You must check for and manually select and install any available updates.
Real Time Updates are installed as they become available.
Scheduled You can specify the times of day and week to install available updates.
  1. On the Main tab, click System > Software Management > Live Update .
    The Live Update screen opens.
  2. Select the signature type from the Updates Configuration list: ASM Attach Signatures or Bot Signatures.
  3. To schedule automatic updates, for Installation of Automatically Downloaded Updates, select your update preference.
  4. Click Save to preserve your changes.
The system connects to the F5 server periodically to see if there are any new signatures or updates to existing attack signatures or bot signatures, and if there are, it downloads and includes them. Any user-defined signatures remain in the pools untouched.

After the update, the system places newly added and updated signatures in staging if they are specified in one or more security policies (for security policies with the staging feature enabled).

ASM records details about each signature update file, including added, modified and deleted entities, and displays this information on the Installation Details window. Select a file to view these details. On AskF5 you can review the Readme file that pertains to the update. AskF5 also contains an article, Managing BIG-IP ASM Live Updates (14.1.x) with more details.

Getting email about signature updates

If you want to receive notification from F5 Networks about signature updates available for download, you can sign up for the Security Updates mailing list.
  1. From a web browser, open the Search the AskF5 Knowledge Base site, http://support.f5.com/.
  2. From the SELF-HELP menu, select Subscribe: Mailing Lists
    The AskF5 Publication Preference Center page opens.
  3. Provide the email address to which you want the notifications sent.
  4. Select the Security Updates list, as well as any others in which you are interested.
  5. Click Submit.
    Whenever F5 has signature updates available, or has information related to security, you will receive an email notification at the address you specified.