Applies To:
Show VersionsBIG-IQ Centralized Management
- 5.2.0
About custom attack signatures
Attack signatures are rules or patterns that identify attacks on a web application. When Application Security Manager® (ASM) receives a client request (or a server response), the system compares the request or response against the attack signatures associated with the security policy. If a matching pattern is detected, ASM™ triggers an attack-signature-detected violation, and either alarms or blocks the request, based on the enforcement mode of the security policy.
An ideal security policy includes only the attack signatures needed to defend the application. If too many are included, you waste resources on keeping up with signatures that you do not need. On the other hand, if you do not include enough, you might let an attack compromise your application without knowing it. If you are in doubt about a certain signature set, it is a good idea to include it in the policy rather than to omit it.
There are system-supplied signatures and custom (user-defined) signatures.
-
System-supplied signatures enforce policies for best-known attacks. F5
Networks provides:
- Over 2,500 signatures to guard against many different types of attacks and protect networking elements such as operating systems, web servers, databases, frameworks, and applications.
- Signatures that include rules of attack that are F5 intellectual property.
- Signatures that you can view but not edit or remove. Also, you cannot view the rules governing these signatures.
- Periodic updates.
-
Custom (user-defined) signatures are created by your organization for
specific purposes in your environment. These signatures:
- Are added to the attack signatures pool where F5 Networks stores them along with the system-supplied signatures.
- Must adhere to a specific rule syntax (like system-supplied signatures).
- Can be combined with system-supplied signatures or system-supplied sets to create custom signature sets.
- Are never updated by F5 Networks, but are carried forward as-is when the system is updated to a new software version.
In BIG-IQ® Web Application Security, you can obtain system-supplied or custom attack signatures through the device discovery process. These signatures are automatically deployed to all policies when the system performs a deployment.
Creating custom attack signatures
About signature staging
When you first activate a security policy, the system places the attack signatures into staging (if staging is enabled for the policy). Staging means that the system applies the attack signatures to the web application traffic, but does not apply the blocking policy action to requests that trigger those attack signatures. The default staging period is seven days.
Whenever you add or change signatures in assigned sets, those signatures are also placed in staging. You also have the option of placing updated signatures in staging.
About custom attack signature sets
An Attack signature set is a group of attack signatures. Rather than applying individual attack signatures to a security policy, you can apply one or more attack signature sets. The Application Security Manager™ ships with several system-supplied signature sets.
Each security policy has its own attack signature set assignments. By default, a generic signature set is assigned to new security policies. You can assign additional signature sets to the security policy. Sets are named logically so you can tell which ones to choose. Additionally, you can combine custom attack signatures with system-supplied signatures or system-supplied sets to create custom signature sets.
An ideal security policy includes only the attack signature sets needed to defend the application. If too many are included, you waste resources on keeping up with signatures that you do not need. On the other hand, if you do not include enough, you might let an attack compromise your application without knowing it. If you are in doubt about a certain signature set, it is a good idea to include it in the policy rather than to omit it.
In Web Application Security, you can obtain system-supplied or custom attack signature sets through the device discovery process. You can assign these sets to security policies. Then, you can deploy those policies to BIG-IP® devices.
Add custom attack signature sets
Edit custom attack signature sets
Signatures advanced filter properties
The Signatures Advanced Filter option and properties are only available on the Signatures tab when the signature set type is manual.
Signatures Advanced Filter Property | Description |
---|---|
Signature Type | Specifies what type of signatures to include in the signature set.
|
Signature Scope | Specifies whether the system displays all signatures, or only those that do, or
do not, apply to parameters, cookies, XML documents, JSON data, GWT data, headers, URI
content, and request or response content.
|
Attack Type | Specifies which attack type should be included in the set. Select All to include all attack types. |
Systems | Specifies the systems (for example web applications, web server databases, and application frameworks) that you want protected by the set. |
Accuracy | Specifies the accuracy level of the signature. Higher accuracy results in fewer
false positives.
|
Risk | Specifies the level of potential damage that the signature protects against.
|
User-defined | Specifies whether to include attack signatures based on who created them.
|
Update Date | Specifies whether to include signatures in the set based on when the signature
was last updated or added.
|
Signatures | Specifies the signatures that should be included in the signature set. The available signatures list displayed changes based on the Signatures Advanced Filter settings. You can use the Filter field above the Available list to search for particular signatures. Add signatures to the signature list by moving them from the Available list to the Selected list. |
Assign custom attack signature sets
Each security policy enforces one or more attack signature sets. You can assign additional attack signature sets to the security policy.